VYPR
High severity · NVD Advisory · Published Feb 17, 2024 · Updated Aug 29, 2024

CVE-2024-25298

Description

An issue was discovered in REDAXO version 5.15.1 that allows attackers to execute arbitrary code and obtain sensitive information via modules.modules.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

REDAXO 5.15.1 allows authenticated remote code execution via modules.modules.php by injecting PHP code into template output.

Vulnerability

Overview

The vulnerability in REDAXO version 5.15.1 arises from insufficient input sanitization in modules.modules.php, allowing authenticated administrators to inject arbitrary PHP code. The issue specifically affects the template editing functionality, enabling attackers to execute system commands on the server [1].

Exploitation

To exploit this flaw, an attacker must first gain administrative access to the REDAXO instance. With admin privileges, they can navigate to the Modules page, add a new module, and edit the 'Output' field of the template to include PHP code. When the template is rendered on a page, the injected code executes [3].

Impact

Successful exploitation grants the attacker full remote code execution on the underlying server. This can lead to complete compromise of the CMS, access to sensitive data, and potential lateral movement within the network.

Mitigation

As of the publication date, no official patch has been released for this version. Users are advised to restrict administrative access, monitor logs for suspicious activity, and consider upgrading to a newer version once a fix is available.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package:           redaxo/source (Packagist)
Affected versions: <= 5.15.1
Patched versions:  (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)