Moderate severity · NVD Advisory · Published Nov 26, 2025 · Updated Nov 26, 2025
REDAXO is Vulnerable to Reflected XSS in Mediapool Info Banner via args[types]
CVE-2025-66026
Description
REDAXO is a PHP-based CMS. Prior to version 5.20.1, a reflected cross-site scripting (XSS) vulnerability exists in the Mediapool view: the request parameter args[types] is rendered into an info banner without HTML escaping. An attacker who gets an authenticated backend user to open a crafted link can therefore run arbitrary JavaScript in that user's backend session. The issue is fixed in version 5.20.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| redaxo/source | Packagist | < 5.20.1 | 5.20.1 |
Patches (1)
58929062312c Mediapool: Added missing escaping (#6375)
3 files changed · +11 −11
redaxo/src/addons/mediapool/lib/service_media.php+5 −5 modified@@ -39,17 +39,17 @@ public static function addMedia(array $data, bool $doSubindexing = true, array $ } if (!rex_mediapool::isAllowedExtension($data['file']['name'], $allowedExtensions)) { - $warning = rex_i18n::msg('pool_file_mediatype_not_allowed') . ' <code>' . rex_file::extension($data['file']['name']) . '</code>'; + $warning = rex_i18n::msg('pool_file_mediatype_not_allowed') . ' <code>' . rex_escape(rex_file::extension($data['file']['name'])) . '</code>'; $allowedExtensions = rex_mediapool::getAllowedExtensions($allowedExtensions); $warning .= count($allowedExtensions) > 0 - ? '<br />' . rex_i18n::msg('pool_file_allowed_mediatypes') . ' <code>' . rtrim(implode('</code>, <code>', $allowedExtensions), ', ') . '</code>' - : '<br />' . rex_i18n::msg('pool_file_banned_mediatypes') . ' <code>' . rtrim(implode('</code>, <code>', rex_mediapool::getBlockedExtensions()), ', ') . '</code>'; + ? '<br />' . rex_i18n::msg('pool_file_allowed_mediatypes') . ' <code>' . implode('</code>, <code>', rex_escape($allowedExtensions)) . '</code>' + : '<br />' . rex_i18n::msg('pool_file_banned_mediatypes') . ' <code>' . implode('</code>, <code>', rex_escape(rex_mediapool::getBlockedExtensions())) . '</code>'; throw new rex_api_exception($warning); } if (!rex_mediapool::isAllowedMimeType($data['file']['path'], $data['file']['name'])) { - $warning = rex_i18n::msg('pool_file_mediatype_not_allowed') . ' <code>' . rex_file::extension($data['file']['name']) . '</code> (<code>' . rex_file::mimeType($data['file']['path']) . '</code>)'; + $warning = rex_i18n::msg('pool_file_mediatype_not_allowed') . ' <code>' . rex_escape(rex_file::extension($data['file']['name'])) . '</code> (<code>' . rex_escape(rex_file::mimeType($data['file']['path'])) . '</code>)'; throw new rex_api_exception($warning); } 
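Review bot: rex_file::mimeType() can return null, and rex_escape(rex_file::mimeType($data['file']['path'])) in the isAllowedMimeType branch feeds that null straight into the string concatenation; the psalm baseline touched by this same commit only re-labels the suppression from PossiblyNullOperand to NullOperand instead of handling it. Use the fallback the updateMedia hunk already uses, rex_escape(rex_file::mimeType($data['file']['path']) ?? 'unknown mime type'), so the message is well-typed and the baseline entry can be dropped. Removing the rtrim(..., ', ') around the implode() calls is fine: implode() never leaves a trailing separator, so that rtrim could only ever have trimmed characters off the last extension in the list.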
@@ -202,7 +202,7 @@ public static function updateMedia(string $filename, array $data): array || in_array($extensionNew, ['jpg', 'jpeg']) && in_array($extensionOld, ['jpg', 'jpeg']) ) { if (!rex_mediapool::isAllowedMimeType($srcFile, $dstFile)) { - $warning = rex_i18n::msg('pool_file_mediatype_not_allowed') . ' <code>' . $extensionNew . '</code> (<code>' . ($filetype ?? 'unknown mime type') . '</code>)'; + $warning = rex_i18n::msg('pool_file_mediatype_not_allowed') . ' <code>' . rex_escape($extensionNew) . '</code> (<code>' . rex_escape($filetype ?? 'unknown mime type') . '</code>)'; throw new rex_api_exception($warning); } if (!rex_file::move($srcFile, $dstFile)) {
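Review bot: the fallback 'unknown mime type' is a hard-coded English literal spliced into a message whose other text comes from rex_i18n::msg(); give it an i18n key and reuse the same fallback in the addMedia branch above so both error paths behave alike. The escaping itself is right: $extensionNew and $filetype are emitted inside <code> in an rex_api_exception message that is rendered as HTML, so neither may be concatenated raw.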
redaxo/src/addons/mediapool/pages/media.list.php+1 −1 modified@@ -122,7 +122,7 @@ } if (!empty($argUrl['args']['types'])) { - echo rex_view::info(rex_i18n::msg('pool_file_filter') . ' <code>' . $argUrl['args']['types'] . '</code>'); + echo rex_view::info(rex_i18n::msg('pool_file_filter') . ' <code>' . rex_escape($argUrl['args']['types']) . '</code>'); } $addon = rex_addon::require('mediapool');
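Review bot: the rex_escape() wrap closes the reflected XSS at this sink, but $argUrl['args']['types'] is still concatenated without a type check. rex_escape() accepts arrays (the service_media.php hunks rely on that), so if $argUrl is populated from the request without a per-key type, a URL carrying args[types][]=x passes the !empty() test, is escaped as an array and then concatenates as the literal string 'Array' with an 'Array to string conversion' warning in the banner. Cast the value to string, or better validate it against the list of file types the filter actually accepts, before it reaches rex_view::info(); an invalid filter value should not be echoed back at all.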
.tools/psalm/baseline.xml+5 −5 modified@@ -1287,19 +1287,19 @@ </file> <file src="redaxo/src/addons/mediapool/lib/service_media.php"> <MixedArgumentTypeCoercion> - <code><![CDATA[$allowedExtensions]]></code> <code><![CDATA[$queryParams]]></code> - <code><![CDATA[rex_mediapool::getBlockedExtensions()]]></code> + <code><![CDATA[rex_escape($allowedExtensions)]]></code> + <code><![CDATA[rex_escape(rex_mediapool::getBlockedExtensions())]]></code> </MixedArgumentTypeCoercion> + <NullOperand> + <code><![CDATA[rex_escape(rex_file::mimeType($data['file']['path']))]]></code> + </NullOperand> <PossiblyFalseArgument> <code><![CDATA[$content]]></code> </PossiblyFalseArgument> <PossiblyInvalidOperand> <code><![CDATA[$uses]]></code> </PossiblyInvalidOperand> - <PossiblyNullOperand> - <code><![CDATA[rex_file::mimeType($data['file']['path'])]]></code> - </PossiblyNullOperand> </file> <file src="redaxo/src/addons/mediapool/lib/service_media_category.php"> <MixedArgument>
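Review bot: this baseline edit silences a new finding rather than fixing it. Moving rex_file::mimeType($data['file']['path']) from PossiblyNullOperand to NullOperand (now on the rex_escape() wrapper) means psalm no longer sees a possibly-null operand but a null one, so the type information got worse with the fix. Add a null fallback in service_media.php, as the updateMedia hunk does with ?? 'unknown mime type', and remove the NullOperand block instead of baselining it.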
Vulnerability mechanics
The Mediapool list page (redaxo/src/addons/mediapool/pages/media.list.php) reads the filter value args[types] from the request and, when it is non-empty, echoes it into an info banner as '<code>' . $argUrl['args']['types'] . '</code>' through rex_view::info(). Nothing between the request and that concatenation HTML-escapes the value, so a backend link carrying args[types]=<payload> reflects attacker-controlled markup into the page, and it executes with the privileges of the logged-in backend user who follows the link (CWE-79, reflected XSS). The fix wraps the value in rex_escape() at the sink; the same commit also escapes the file extension and MIME type interpolated into rex_api_exception messages in service_media.php, which were built the same way.
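As an added example, and not REDAXO's own code, the PHP below models the media.list.php sink before and after the patch and adds an allow-list check that the patch does not include. rex_escape() and rex_view::info() are replaced by stand-ins whose behaviour is an assumption stated in the comments; the payload and the query string it came from are constructed for the illustration.

```php
<?php
// Added example, not REDAXO code: a minimal model of the Mediapool info-banner sink
// before and after fix commit 58929062312c. The stand-ins below mimic rex_escape()
// and rex_view::info() only as far as the advisory shows; the real implementations differ.
declare(strict_types=1);

// Assumption: rex_escape() with its default 'html' strategy behaves like
// htmlspecialchars() with ENT_QUOTES for a string input.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stand-in for rex_view::info(): the real markup differs; the point is that the
// message is emitted as HTML unchanged.
function info_box(string $messageHtml): string
{
    return '<div class="alert alert-info">' . $messageHtml . '</div>';
}

// Pre-5.20.1 sink: $types is the raw value of args[types].
function banner_vulnerable(string $types): string
{
    return info_box('Filter: <code>' . $types . '</code>');
}

// 5.20.1 sink: identical markup, value escaped at the point of output.
function banner_fixed(string $types): string
{
    return info_box('Filter: <code>' . escape_html($types) . '</code>');
}

// Defence in depth that is not part of the patch (assumption: args[types] is only
// meaningful as a comma-separated list of file extensions). Returns null for anything
// else, including an array delivered as args[types][]=..., so the caller can skip
// the banner instead of echoing junk back to the user.
function normalise_types(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $exts = array_filter(array_map('trim', explode(',', $raw)), 'strlen');
    if ($exts === []) {
        return null;
    }
    foreach ($exts as $ext) {
        if (!preg_match('/^[a-z0-9]{1,10}$/i', $ext)) {
            return null;
        }
    }
    return implode(',', $exts);
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException('check failed: ' . $what);
    }
}

// Constructed payload: the decoded value of a query string such as
// ...&args[types]=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E (illustrative only;
// the exact backend route is not taken from the advisory).
$payload = '<img src=x onerror=alert(1)>';

$before = banner_vulnerable($payload);
$after  = banner_fixed($payload);

check(str_contains($before, '<img src=x onerror=alert(1)>'), 'tag reaches the browser unescaped');
check(!str_contains($after, '<img'), 'tag is neutralised');
check(str_contains($after, '&lt;img src=x onerror=alert(1)&gt;'), 'escaped form is what is rendered');
check(normalise_types($payload) === null, 'payload is not a valid extension list');
check(normalise_types('jpg, png') === 'jpg,png', 'ordinary filter value passes');
check(normalise_types(['jpg']) === null, 'array value is rejected');

echo $before, PHP_EOL, $after, PHP_EOL;
```

Run it with php on any 8.x interpreter; it prints the vulnerable banner with the live <img> tag followed by the fixed banner with the entity-encoded form, and throws if either sink behaves differently from what the advisory describes. Escaping at the sink is the fix the project shipped; the normalise_types() allow-list is the extra step a reviewer would ask for so that the banner never has to render untrusted text in the first place.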
References (4)
- github.com/advisories/GHSA-x6vr-q3vf-vqgq (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-66026 (NVD entry)
- github.com/redaxo/redaxo/commit/58929062312cf03e344ab04067a365e6b6ee66aa (fix commit)
- github.com/redaxo/redaxo/security/advisories/GHSA-x6vr-q3vf-vqgq (upstream advisory)