
CVE-2024-13209: Stored XSS in REDAXO

CVSS Score: 5.4 (CVSS 3.1)

Basic Information

EPSS Score: 0.15123%
Published: 2/10/2025
Updated: 2/10/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name: redaxo/source
Ecosystem: composer
Vulnerable Versions: >= 5.12.0-beta1, <= 5.18.1
First Patched Version: 5.18.2

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from the article name field value being used in HTML output without proper escaping. The commit shows:

  1. A @psalm-taint-source annotation was added to getName(), marking it as an input source requiring sanitization
  2. The actual XSS occurred in content.php where $OOArt->getName() was used in rex_view::title() without escaping
  3. The fix added rex_escape() around the getName() call in content.php

While the direct vulnerable usage is in content.php, the root cause function is getName() in structure_element.php as it provides raw user-controlled data to output contexts. The high confidence comes from the commit explicitly marking getName() as a taint source and the XSS proof-of-concept demonstrating its unescaped usage.
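
The pattern described above, shown before and after the fix. This is an added example, not REDAXO source code: DemoArticle, demo_title(), demo_escape() and contains_live_markup() are hypothetical stand-ins (for the structure element, rex_view::title() and rex_escape() respectively), htmlspecialchars() is assumed as the escaping routine, and the article names are constructed samples.

```php
<?php
// Added illustration; every name here is a hypothetical stand-in, not REDAXO code.

final class DemoArticle
{
    public function __construct(private string $name) {}

    /** @psalm-taint-source input */
    public function getName(): string
    {
        return $this->name; // raw value, exactly as stored from the name field
    }
}

// Stand-in for a title helper that emits its argument as ready-made HTML.
function demo_title(string $html): string
{
    return '<h1 class="page-title">' . $html . '</h1>';
}

// Stand-in for the escaper applied by the fix (assumed: htmlspecialchars).
function demo_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// True when anything inside the <h1> is still parsed as a tag by the browser.
function contains_live_markup(string $rendered): bool
{
    $inner = preg_replace('~^<h1 class="page-title">|</h1>$~', '', $rendered);
    return (bool) preg_match('/<[a-zA-Z!\/]/', $inner);
}

// Constructed sample names: plain text, markup, and quote/ampersand edge cases.
$names = ['Home', 'News <b data-marker="injected">x</b>', 'Q&A "2025"', "O'Brien <3"];

foreach ($names as $name) {
    $article = new DemoArticle($name);
    $before  = demo_title($article->getName());              // pre-fix pattern
    $after   = demo_title(demo_escape($article->getName())); // post-fix pattern

    // Escaping must neutralise markup without changing the text the user sees.
    $roundTrip = html_entity_decode(demo_escape($name), ENT_QUOTES, 'UTF-8') === $name;

    printf("%-40s before-live=%s after-live=%s text-preserved=%s\n",
        json_encode($name),
        var_export(contains_live_markup($before), true),
        var_export(contains_live_markup($after), true),
        var_export($roundTrip, true));
}
```

The same check works as a regression test for any other output context that consumes getName(): render with a marker name and assert that no live tag survives.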
