Moderate severityNVD Advisory· Published Mar 5, 2025· Updated Mar 6, 2025
REDAXO allows Arbitrary File Upload in the mediapool page
CVE-2025-27411
Description
REDAXO is a PHP-based CMS. In Redaxo before 5.18.3, the mediapool/media page is vulnerable to arbitrary file upload. This vulnerability is fixed in 5.18.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
redaxo/sourcePackagist | < 5.18.3 | 5.18.3 |
Affected products
1Patches
13b2159bb45daMediaPool: Mime-Type-Check default aktiviert (#6259)
6 files changed · +72 −66
redaxo/src/addons/mediapool/lib/mediapool.php+21 −1 modified@@ -142,7 +142,7 @@ public static function isAllowedExtension(string $filename, array $args = []): b */ public static function isAllowedMimeType(string $path, ?string $filename = null): bool { - $allowedMimetypes = rex_addon::get('mediapool')->getProperty('allowed_mime_types'); + $allowedMimetypes = self::getAllowedMimeTypes(); if (!$allowedMimetypes) { return true; @@ -192,4 +192,24 @@ public static function getBlockedExtensions(): array { return rex_addon::get('mediapool')->getProperty('blocked_extensions'); } + + /** + * Get global list of allowed mime types. + * + * @return array<string, list<string>> Mapping of file extensions to corresponding list of allowed mime types + */ + public static function getAllowedMimeTypes(): array + { + return rex_addon::get('mediapool')->getProperty('allowed_mime_types', []); + } + + /** + * Set global list of allowed mime types. + * + * @param array<string, list<string>> $mimeTypes Mapping of file extensions to corresponding list of allowed mime types + */ + public static function setAllowedMimeTypes(array $mimeTypes): void + { + rex_addon::get('mediapool')->setProperty('allowed_mime_types', $mimeTypes); + } }
redaxo/src/addons/mediapool/lib/service_media.php+4 −0 modified@@ -201,6 +201,10 @@ public static function updateMedia(string $filename, array $data): array $extensionNew == $extensionOld || in_array($extensionNew, ['jpg', 'jpeg']) && in_array($extensionOld, ['jpg', 'jpeg']) ) { + if (!rex_mediapool::isAllowedMimeType($srcFile, $dstFile)) { + $warning = rex_i18n::msg('pool_file_mediatype_not_allowed') . ' <code>' . $extensionNew . '</code> (<code>' . ($filetype ?? 'unknown mime type') . '</code>)'; + throw new rex_api_exception($warning); + } if (!rex_file::move($srcFile, $dstFile)) { throw new rex_api_exception(rex_i18n::msg('pool_file_movefailed')); }
redaxo/src/addons/mediapool/package.yml+38 −6 modified@@ -19,12 +19,44 @@ page: blocked_extensions: [asp, aspx, bat, cfm, cgi, flv, hh, html, htaccess, htpasswd, ini, jsp, jsf, js, jsphp, log, mjs, pht, php, php3, php4, php5, php6, php7, php8, phar, pl, ps1, phtml, py, rb, rm, sh, shmtl, shtml, swf, wasm, wmv, wma, xhtml, xht, xml] -# optional mime type allowlist. the list is checked after the blocked_extensions check from above has passed. -# exmaple: -# allowed_mime_types: -# gif: [image/gif] -# jpg: [image/jpeg, image/pjpeg] -allowed_mime_types: ~ +# mime type allowlist. the list is checked after the blocked_extensions check from above has passed. +allowed_mime_types: + avif: [image/avif] + gif: [image/gif] + jpg: [image/jpeg, image/pjpeg] + jpeg: [image/jpeg, image/pjpeg] + png: [image/png] + webp: [image/webp] + eps: [application/postscript] + tif: [image/tiff] + tiff: [image/tiff] + svg: [image/svg+xml] + pdf: [application/pdf] + xls: [application/vnd.ms-excel] + xlsx: [application/vnd.openxmlformats-officedocument.spreadsheetml.sheet] + doc: [application/msword] + docx: [application/vnd.openxmlformats-officedocument.wordprocessingml.document] + dot: [application/msword] + dotx: [application/vnd.openxmlformats-officedocument.wordprocessingml.template] + ppt: [application/vnd.ms-powerpoint] + pptx: [application/vnd.openxmlformats-officedocument.presentationml.presentation] + pot: [application/vnd.ms-powerpoint] + potx: [application/vnd.openxmlformats-officedocument.presentationml.template] + pps: [application/vnd.ms-powerpoint] + ppsx: [application/vnd.openxmlformats-officedocument.presentationml.slideshow] + rtf: [application/rtf] + txt: [text/plain, application/octet-stream] + csv: [text/plain, application/octet-stream] + zip: [application/x-zip-compressed, application/zip] + gz: [application/x-gzip] + tar: [application/x-tar] + mov: [video/quicktime] + movie: [video/quicktime] + mp3: [audio/mpeg] + mpe: [video/mpeg] + mpeg: [video/mpeg] + mpg: [video/mpeg] + mp4: [video/mp4] allowed_doctypes: [avif, bmp, css, doc, docx, eps, gif, gz, jpg, jpeg, mov, mp3, mp4, ogg, pdf, png, ppt, pptx, pps, ppsx, rar, rtf, svg, swf, tar, tif, tiff, txt, webp, wma, xls, xlsx, zip] image_extensions: [avif, bmp, gif, jpeg, jpg, png, svg, tif, tiff, webp]
redaxo/src/addons/mediapool/tests/mediapool_test.php+3 −5 modified@@ -36,17 +36,15 @@ public static function provideIsAllowedExtension(): array #[DataProvider('provideIsAllowedMimeType')] public function testIsAllowedMimeType(bool $expected, string $path, ?string $filename = null): void { - $addon = rex_addon::get('mediapool'); + $allowedMimeTypes = rex_mediapool::getAllowedMimeTypes(); - $allowedMimeTypes = $addon->getProperty('allowed_mime_types'); - - $addon->setProperty('allowed_mime_types', [ + rex_mediapool::setAllowedMimeTypes([ 'md' => ['text/plain'], ]); self::assertSame($expected, rex_mediapool::isAllowedMimeType($path, $filename)); - $addon->setProperty('allowed_mime_types', $allowedMimeTypes); + rex_mediapool::setAllowedMimeTypes($allowedMimeTypes); } /** @return list<array{0: bool, 1: string, 2?: string}> */
redaxo/src/addons/project/boot.php+5 −44 modified@@ -11,47 +11,8 @@ // register yorm class // rex_yform_manager_dataset::setModelClass('rex_my_table', my_classname::class); -// Example list of allowed mime types for mediapool -/* -rex_addon::get('mediapool')->setProperty('allowed_mime_types', [ - 'gif' => ['image/gif'], - 'jpg' => ['image/jpeg', 'image/pjpeg'], - 'jpeg' => ['image/jpeg', 'image/pjpeg'], - 'png' => ['image/png'], - 'eps' => ['application/postscript'], - 'tif' => ['image/tiff'], - 'tiff' => ['image/tiff'], - 'svg' => ['image/svg+xml'], - 'pdf' => ['application/pdf'], - 'xls' => ['application/vnd.ms-excel'], - 'xlsx' => ['application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'], - 'xlsm' => ['application/vnd.ms-excel.sheet.macroEnabled.12'], - 'doc' => ['application/msword'], - 'docx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.document'], - 'docm' => ['application/vnd.ms-word.document.macroEnabled.12'], - 'dot' => ['application/msword'], - 'dotx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.template'], - 'dotm' => ['application/vnd.ms-word.template.macroEnabled.12'], - 'ppt' => ['application/vnd.ms-powerpoint'], - 'pptx' => ['application/vnd.openxmlformats-officedocument.presentationml.presentation'], - 'pptm' => ['application/vnd.ms-powerpoint.presentation.macroEnabled.12'], - 'pot' => ['application/vnd.ms-powerpoint'], - 'potx' => ['application/vnd.openxmlformats-officedocument.presentationml.template'], - 'potm' => ['application/vnd.ms-powerpoint.template.macroEnabled.12'], - 'pps' => ['application/vnd.ms-powerpoint'], - 'ppsx' => ['application/vnd.openxmlformats-officedocument.presentationml.slideshow'], - 'ppsm' => ['application/vnd.ms-powerpoint.slideshow.macroEnabled.12'], - 'rtf' => ['application/rtf'], - 'txt' => ['text/plain', 'application/octet-stream'], - 'csv' => ['text/plain', 'application/octet-stream'], - 'zip' => ['application/x-zip-compressed','application/zip'], - 'gz' => ['application/x-gzip'], - 'tar' => ['application/x-tar'], - 'mov' => ['video/quicktime'], - 'movie' => ['video/quicktime'], - 'mp3' => ['audio/mpeg'], - 'mpe' => ['video/mpeg'], - 'mpeg' => ['video/mpeg'], - 'mpg' => ['video/mpeg'], -]); -*/ +// change list of allowed mime types for mediapool +// rex_mediapool::setAllowedMimeTypes([ +// ...rex_mediapool::getAllowedMimeTypes(), +// 'json' => ['application/json'], +// ]);
.tools/psalm/baseline.xml+1 −10 modified@@ -1276,21 +1276,17 @@ </file> <file src="redaxo/src/addons/mediapool/lib/mediapool.php"> <MixedArgument> - <code><![CDATA[$allowedMimetypes[$extension]]]></code> <code><![CDATA[$args['types']]]></code> </MixedArgument> - <MixedArrayAccess> - <code><![CDATA[$allowedMimetypes[$extension]]]></code> - </MixedArrayAccess> <MixedAssignment> - <code><![CDATA[$allowedMimetypes]]></code> <code><![CDATA[$blockedExtension]]></code> </MixedAssignment> <MixedOperand> <code><![CDATA[$blockedExtension]]></code> <code><![CDATA[$blockedExtension]]></code> </MixedOperand> <MixedReturnStatement> + <code><![CDATA[rex_addon::get('mediapool')->getProperty('allowed_mime_types', [])]]></code> <code><![CDATA[rex_addon::get('mediapool')->getProperty('blocked_extensions')]]></code> </MixedReturnStatement> </file> @@ -1516,11 +1512,6 @@ <code><![CDATA[$data['filename']]]></code> </MixedOperand> </file> - <file src="redaxo/src/addons/mediapool/tests/mediapool_test.php"> - <MixedAssignment> - <code><![CDATA[$allowedMimeTypes]]></code> - </MixedAssignment> - </file> <file src="redaxo/src/addons/mediapool/update.php"> <InvalidArgument> <code><![CDATA[['id' => $role->getValue('id')]]]></code>
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-wppf-gqj5-fc4fghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-27411ghsaADVISORY
- github.com/redaxo/redaxo/commit/3b2159bb45da0ab6cfaef5c8cf8b602ee5e2fb37ghsax_refsource_MISCWEB
- github.com/redaxo/redaxo/security/advisories/GHSA-wppf-gqj5-fc4fghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.