Low severityNVD Advisory· Published Jan 6, 2025· Updated Jan 7, 2025

CVE-2024-46209

Description

A stored cross-site scripting (XSS) vulnerability in the component /media/test.html of REDAXO CMS v5.17.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the password parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

REDAXO CMS v5.17.1 has a stored XSS vulnerability in /media/test.html via the password parameter.

Vulnerability

Overview

A stored cross-site scripting (XSS) vulnerability exists in REDAXO CMS version 5.17.1 within the /media/test.html component. The flaw allows an attacker to inject arbitrary web scripts or HTML by crafting a malicious payload in the password parameter [1].

Attack

Vector

An attacker can exploit this by submitting a crafted payload through the password field. Since the vulnerability is stored, the malicious script persists in the application and executes when other users view the affected page. No authentication or special network position is required for the initial injection, though the attacker must have access to the form [1].

Impact

Successful exploitation enables arbitrary HTML or script execution in the context of a victim's browser. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the page [1].

Mitigation

As of the publication date, no official patch or workaround has been announced by REDAXO. Users should consider restricting access to the /media/test.html endpoint and upgrading when a fix is released [1].

References

NVD - CVE-2024-46209

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
redaxo/sourcePackagist	<= 5.17.1	—

Affected products

REDAXO CMS/REDAXO CMSdescription
Redaxo/Redaxollm-fuzzy
Range: =5.17.1
ghsa-coords
pkg:composer/redaxo/source
Range: <= 5.17.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-2p95-8xvm-2pjxghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-46209ghsaADVISORY
github.com/h4ckr4v3n/CVE-2024-46209/blob/main/REDAXO%20Stored%20XSS%20%2B%20RCE.pdfghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.065
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000