CVE-2018-18198

Name of the Vulnerable Software and Affected Versions REDAXO version 5.6.3

Description The issue concerns the $opener input field variable in the addons/mediapool/pages/index.php file, which is not properly filtered and is directly output to the page. An attacker can exploit this by inserting XSS payloads via a request to the /index.php?page=mediapool/media&opener input field=[XSS] endpoint.

Recommendations For REDAXO version 5.6.3, consider filtering or sanitizing the opener input field variable to prevent XSS payloads from being injected. As a temporary workaround, restrict access to the /index.php?page=mediapool/media endpoint to minimize the risk of exploitation.