4.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64049

GHSA ID

GHSA-vqc7-7fj4-3fm3

EPSS Score

0.00033%

CWE

CWE-79

Published

11/25/2025

Updated

11/26/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64049

CVE-2025-64049: REDAXO CMS is vulnerable to XSS through its module management component

A stored cross-site scripting (XSS) vulnerability in the module management component in REDAXO CMS 5.20.0 allows remote users to inject arbitrary web script or HTML via the Output code field in modules. The payload is executed when a user views or edits an article by adding slice that uses the compromised module.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64049

CVE-2025-64049:

4.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64049

GHSA ID

GHSA-vqc7-7fj4-3fm3

EPSS Score

0.00033%

CWE

CWE-79

Published

11/25/2025

Updated

11/26/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
redaxo/source	composer	< 5.20.1	5.20.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a stored cross-site scripting (XSS) issue in the REDAXO CMS. The provided commit 58929062312cf03e344ab04067a365e6b6ee66aa addresses this by adding output escaping in the mediapool addon. The analysis of this commit reveals three vulnerable locations.

rex_media_service::addMedia: This function is called when a new media file is uploaded. The patch shows that the file extension from the user-provided file name was not escaped when constructing an error message for disallowed file types. This could be exploited by uploading a file with a malicious name, causing a stored XSS.
rex_media_service::updateMedia: Similar to addMedia, this function did not escape the new file extension when generating an error message during a file update. This also presents a stored XSS vulnerability.
media.list.php: This page is vulnerable to reflected XSS. The types parameter from the URL was displayed without escaping, allowing for the injection of malicious scripts.

The CVE description mentions the vulnerability is in the "module management component". While the patch is in the mediapool addon, it is likely that the media pool is used within the module management interface. An attacker could trigger the vulnerability by uploading a malicious file through the media pool while creating or editing a module, which would then cause the unescaped error message to be rendered, executing the malicious script. This connects the patched code in the mediapool to the vulnerability description related to module management.

Vulnerable functions

rex_media_service::addMedia

redaxo/src/addons/mediapool/lib/service_media.php

The function `addMedia` in `rex_media_service` is vulnerable to cross-site scripting. It constructs an error message containing the file extension of an uploaded file without proper escaping. An attacker can upload a file with a malicious name containing HTML or script code, which will be executed when the error message is displayed.

rex_media_service::updateMedia

redaxo/src/addons/mediapool/lib/service_media.php

The function `updateMedia` in `rex_media_service` is vulnerable to cross-site scripting. When updating a media file, if the new file extension is not allowed, an error message is generated containing the unescaped file extension. This allows an attacker to inject malicious scripts.

media.list.php

redaxo/src/addons/mediapool/pages/media.list.php

The script `media.list.php` is vulnerable to reflected cross-site scripting. It displays the value of the `types` URL parameter without proper escaping. An attacker can craft a malicious URL that, when visited by a user, will execute arbitrary script code in the user's browser.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64049: REDAXO CMS is vulnerable to XSS through its module management component

CVE-2025-64049:

4.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

4.8

4.8

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-64049: REDAXO CMS is vulnerable to XSS through its module management component

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI