Stored XSS in mediapool feature of Redaxo
A stored cross-site scripting (XSS) vulnerability was found in Redaxo versions < 5.18.0, allowing attackers with sufficient privileges to upload a malicious SVG file through the mediapool feature.
Published a write-up: https://medium.com/@praison66/5d15a3cd054d
Discovered by Praison, Sep 2024.
References: https://www.cve.org/CVERecord?id=CVE-2024-50803 https://github.com/redaxo/redaxo/releases/tag/5.18.0
Vulnerable versions: < 5.18.0
Fix: Update Redaxo to the latest version - 5.18.0