CVE-2018-17830

Name of the Vulnerable Software and Affected Versions REDAXO version 5.6.2

Description The issue concerns the $args variable in the addons/mediapool/pages/index.php file, where names are not restricted, allowing an attacker to insert XSS payloads. This can be achieved via the index.php?page=mediapool/media&opener input field=&args[substring] endpoint.

Recommendations For REDAXO version 5.6.2, consider restricting the args variable to prevent XSS payload insertion until a patch is available. As a temporary workaround, restrict access to the index.php?page=mediapool/media&opener input field=&args[substring] endpoint to minimize the risk of exploitation.