Redaxo CMS Structure Management Page index.php cross site scripting
Description
A vulnerability was found in Redaxo CMS 5.18.1. It has been classified as problematic. Affected is an unknown function of the file /index.php?page=structure&category_id=1&article_id=1&clang=1&function=edit_art&artstart=0 of the component Structure Management Page. The manipulation of the argument Article Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Redaxo CMS 5.18.1 is vulnerable to stored XSS via the Article Name parameter on the Structure Management page, with no vendor response.
Vulnerability
Overview
CVE-2024-13209 describes a cross-site scripting (XSS) vulnerability in Redaxo CMS version 5.18.1. The issue resides in the Structure Management page, specifically within the file /index.php?page=structure&category_id=1&article_id=1&clang=1&function=edit_art&artstart=0. The value entered as the Article Name is stored and later written into backend HTML without escaping (the fix commit below wraps the name in rex_escape() where the content page builds its title), allowing an attacker with edit rights to inject arbitrary JavaScript or HTML code [1].
Exploitation
Details
The vulnerability can be exploited remotely by an authenticated backend user who has permission to edit articles: the attacker enters a malicious payload in the Article Name field of the structure page's edit form, and the payload is stored with the article. No further interaction with the attacker is needed once it is saved. The exploit has been publicly disclosed, increasing the risk of active exploitation [1].
Impact
Successful exploitation leads to stored XSS: the injected script executes in the browser of any backend user, including administrators, who opens the affected article's content page, where the name is rendered into the page title. This can result in session hijacking, defacement, or theft of sensitive data, and a backend session in Redaxo carries the victim's full editing rights. The CVSS score has not yet been assigned by NVD, but the vulnerability is classified as problematic [1].
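As an added illustration of the Overview and Exploitation sections above (example code written for this page, not Redaxo's own), the PHP script below reproduces the pattern changed by the fix commit: an article name read from storage is concatenated into the content page title, first unescaped and then through an HTML escaper, with the same stored payload. escape_html() and render_title() are stand-ins for Redaxo's rex_escape() and rex_view::title(), the article record is constructed for the demo, and the payload is illustrative rather than the published proof of concept. It assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not Redaxo code. Stand-ins for rex_escape() and
// rex_view::title(); the stored article name below is constructed.

/** Minimal HTML-context escaper (stand-in for rex_escape(); assumption). */
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Stand-in for rex_view::title(): $head and $subtitle are emitted as raw HTML. */
function render_title(string $head, string $subtitle = ''): string
{
    $html = '<div class="page-header"><h1>' . $head . '</h1>';
    if ($subtitle !== '') {
        $html .= '<small>' . $subtitle . '</small>';
    }
    return $html . '</div>';
}

/** Call site as in content.php before the fix: the stored name goes in raw. */
function content_title_vulnerable(string $articleName): string
{
    return render_title('Content: ' . $articleName);
}

/** Call site after the fix: escape at the HTML boundary, as the patch does. */
function content_title_fixed(string $articleName): string
{
    return render_title('Content: ' . escape_html($articleName));
}

// Constructed article name of the kind an editor could store through the
// structure page's "Article Name" field (illustrative, not the public PoC).
$storedName = 'Startseite<img src=x onerror="alert(document.cookie)">';

$vulnerable = content_title_vulnerable($storedName);
$fixed      = content_title_fixed($storedName);

echo "vulnerable: $vulnerable\n";
echo "fixed:      $fixed\n";

// Self-check: the fixed output carries no live tag from the payload, only entities.
if (str_contains($fixed, '<img')) {
    throw new RuntimeException('escaping failed: raw tag reached the output');
}
if (!str_contains($fixed, '&lt;img src=x onerror=&quot;alert(document.cookie)&quot;&gt;')) {
    throw new RuntimeException('unexpected escaped form');
}
if (!str_contains($vulnerable, '<img src=x onerror=')) {
    throw new RuntimeException('vulnerable path should reproduce the injection');
}
echo "ok\n";
```

Run with `php example.php`. The point the script makes is the one the patch makes: escaping belongs at the output boundary where the value enters HTML, not at the edit form, because the same stored name is rendered in several backend contexts and only the rendering site knows the context.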
Mitigation
Status
The vendor was contacted early about this disclosure but did not respond before the publication date (2025-01-09). A fix has since landed: commit 74d7391 ("Artikelname escapen", #6232) escapes the article name where the content page builds its title, and the advisory lists 5.18.2 as the patched version. Upgrade to 5.18.2 or later. Until the upgrade is done, limit structure and article editing rights to trusted backend users, since a user with edit rights is needed to plant the payload [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| redaxo/source (Packagist) | >= 5.12.0-beta1, < 5.18.2 | 5.18.2 |
Affected products
- Redaxo/CMS v5, range: 5.18.1
Patches
- 74d7391571a2: Escape article name (#6232) (original commit title: "Artikelname escapen")
3 files changed · +6 −2
redaxo/src/addons/structure/lib/structure_element.php+2 −1 modified@@ -80,8 +80,8 @@ protected function __construct(array $params) * Returns Object Value. * * @param string $value - * * @return string|int|null + * @psalm-taint-source input */ public function getValue($value) { @@ -334,6 +334,7 @@ abstract public function getParent(); * Returns the name of the article. * * @return string + * @psalm-taint-source input */ public function getName() {
redaxo/src/addons/structure/plugins/content/pages/content.php+1 −1 modified@@ -72,7 +72,7 @@ ]); // ----- Titel anzeigen -echo rex_view::title(rex_i18n::msg('content') . ': ' . $OOArt->getName(), ''); +echo rex_view::title(rex_i18n::msg('content') . ': ' . rex_escape($OOArt->getName()), ''); // ----- Languages echo rex_view::clangSwitchAsButtons($context);
redaxo/src/core/lib/view.php+3 −0 modified@@ -284,6 +284,9 @@ public static function content($content, $title = '') * @throws InvalidArgumentException * * @return string + * + * @psalm-taint-sink html $head + * @psalm-taint-sink html $subtitle */ public static function title($head, $subtitle = null) {
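Review bot: in the structure_element.php hunk, the `@psalm-taint-source input` annotations on getValue() and getName() are docblock-only and change nothing at runtime; they only pay off if Psalm's taint analysis runs as a blocking CI job, so confirm that job exists, otherwise the next unescaped getName() call site goes unflagged just like this one did. Marking all of getValue() (typed `string|int|null`) as tainted is conservative and fine, but a short docblock sentence saying the values come from the database and must be escaped before output would make the intent clear to readers who do not run Psalm.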
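Review bot: in the content.php hunk, wrapping `$OOArt->getName()` in `rex_escape()` fixes the one call site the advisory names, but the advisory's entry point is page=structure while this fix lands in the content plugin's title, so the same unescaped getName() pattern should be searched for across the structure addon and the other backend pages that print article or category names before this is treated as closed; the taint annotations added in the same commit can drive that search. Leaving `rex_i18n::msg('content')` unescaped is acceptable for a trusted translation string, but worth stating in a comment so the asymmetry in `rex_i18n::msg('content') . ': ' . rex_escape($OOArt->getName())` is not read as an oversight.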
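Review bot: in the view.php hunk, declaring `$head` and `$subtitle` as `@psalm-taint-sink html` without saying in the docblock that title() prints them as raw HTML leaves the contract implicit; callers that intentionally pass markup (links or icons in a title) will now trigger Psalm taint errors and need either a documented escape at the call site or a suppression. Suggest adding a line such as ` * $head and $subtitle are emitted unescaped; pass user-controlled data through rex_escape() first.` next to the new annotations so the rule is visible to humans as well as to Psalm.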
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- geochen.medium.com/redaxo-cms-5-18-1-cross-site-scripting-7c9a872c72f6 (GHSA: exploit, web)
- github.com/advisories/GHSA-7wj8-856p-qc9m (GHSA: advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-13209 (GHSA: advisory)
- vuldb.com (MITRE: third-party advisory)
- github.com/redaxo/redaxo/commit/74d7391571a29a455a0c477973bc25d25710e424 (GHSA: web)
- github.com/redaxo/redaxo/security/advisories/GHSA-7wj8-856p-qc9m (GHSA: web)
- vuldb.com (MITRE: signature, permissions required)
- vuldb.com (MITRE: VDB entry, technical description)
News mentions
No linked articles in our index yet.