VYPR
Moderate severity · NVD Advisory · Published Nov 19, 2024 · Updated Nov 20, 2024

CVE-2024-50803

Description

The mediapool feature of the Redaxo Core CMS application v5.17.1 is vulnerable to Cross-Site Scripting (XSS), which allows a remote attacker to escalate privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Redaxo CMS mediapool via SVG upload allows privilege escalation; fixed in version 5.18.0.

Vulnerability

Overview

CVE-2024-50803 is a stored cross-site scripting (XSS) vulnerability in the mediapool feature of REDAXO Core CMS, affecting versions prior to 5.18.0 [4]. The root cause is insufficient sanitization of uploaded SVG files, allowing an attacker to inject arbitrary JavaScript into the media library [2][4].

Exploitation

An attacker with sufficient privileges to upload media files (e.g., a content editor) can craft a malicious SVG containing embedded script code. When the SVG is viewed or rendered in the mediapool interface, the script executes in the context of the victim's browser [4]. No additional authentication is required beyond the attacker's existing session.

Impact

Successful exploitation enables the attacker to perform actions on behalf of the victim, such as modifying content, creating new admin users, or exfiltrating sensitive data. This effectively leads to privilege escalation within the CMS [2][4].

Mitigation

The vulnerability is patched in REDAXO version 5.18.0 [4]. Users should upgrade immediately. No workarounds are documented; restricting SVG uploads via custom validation may reduce risk but is not a complete fix.
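The upload-side validation the Mitigation section alludes to, as an added example that is not REDAXO's own code: it rejects an SVG that carries any of the constructs a stored-XSS payload in the mediapool would need (script elements, on* event handlers, javascript:/data: URLs, foreignObject, entity declarations, external stylesheet references) rather than trying to rewrite the file. Written in Python for portability; the function names and the sample inputs in the test are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Elements that can run script or embed foreign (HTML) content; tag names are compared lowercase.
FORBIDDEN_TAGS = {"script", "foreignobject", "handler", "set", "animate", "animatetransform"}
# Attributes that carry a URL; the namespaced {xlink}href is reduced to its local name "href".
URL_ATTRS = {"href", "from", "to", "values"}
# Whitespace is stripped from the value before matching, so "java script:" is still caught;
# ElementTree has already decoded numeric entities (e.g. &#x6A;) by the time the value is seen.
ACTIVE_URL = re.compile(r"^(javascript|vbscript|data):", re.IGNORECASE)


def _local(name: str) -> str:
    """Drop the {namespace} prefix ElementTree adds and lowercase: '{ns}Script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes) -> list:
    """Return a list of active-content findings; an empty list means the upload may proceed."""
    findings = []
    raw = data.lower()
    if b"<!entity" in raw:
        findings.append("entity declaration")             # entity-expansion / external entity abuse
    if b"<?xml-stylesheet" in raw:
        findings.append("xml-stylesheet processing instruction")  # pulls CSS from elsewhere
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]  # malformed input is rejected, not guessed at
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_TAGS:
            findings.append(f"<{tag}> element")
        if tag == "style" and re.search(r"@import|url\(", el.text or "", re.IGNORECASE):
            findings.append("<style> with external reference")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):                     # onload, onerror, onclick, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and ACTIVE_URL.match(re.sub(r"\s", "", value)):
                findings.append(f"active URL in {name} on <{tag}>")
            elif name == "style" and re.search(r"url\(|expression\(", value, re.IGNORECASE):
                findings.append(f"inline style with url()/expression() on <{tag}>")
    return findings


def svg_upload_allowed(data: bytes) -> bool:
    """Upload gate for the media library: True only when no finding was recorded."""
    return not svg_findings(data)
```

A reject-only gate like this is easier to get right than a sanitizer that rewrites the file, but it is still only risk reduction; the fix remains the 5.18.0 upgrade.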

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: redaxo/source (Packagist)
Affected versions: < 5.18.0
Patched versions: 5.18.0
