GHSA-vqc7-7fj4-3fm3

Source
https://github.com/advisories/GHSA-vqc7-7fj4-3fm3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-vqc7-7fj4-3fm3/GHSA-vqc7-7fj4-3fm3.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-vqc7-7fj4-3fm3
Aliases
  • CVE-2025-64049
Published
2025-11-25T18:32:22Z
Modified
2025-11-27T02:53:30.260803Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
REDAXO CMS is vulnerable to XSS through its module management component
Details

A stored cross-site scripting (XSS) vulnerability in the module management component of REDAXO CMS 5.20.0 allows remote users to inject arbitrary web script or HTML via the Output code field of a module. The payload is executed when a user views or edits an article after adding a slice that uses the compromised module.

Database specific
{
    "nvd_published_at": "2025-11-25T16:16:07Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-26T22:00:50Z"
}
References

Affected packages

Packagist / redaxo/source

Package

Name
redaxo/source
Purl
pkg:composer/redaxo/source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.20.1

Affected versions

5.*

5.10.0-beta1
5.10.0-beta2
5.10.0
5.10.1
5.11.0-beta1
5.11.0
5.11.1
5.11.2
5.12.0-beta1
5.12.0-beta2
5.12.0-beta3
5.12.0
5.12.1
5.13.0-beta1
5.13.0-beta2
5.13.0
5.13.1
5.13.2
5.13.3
5.14.0-beta1
5.14.0-beta2
5.14.0
5.14.1
5.14.2
5.14.3
5.15.0-beta1
5.15.0
5.15.1
5.16.0-beta1
5.16.0
5.16.1
5.17.0
5.17.1
5.18.0
5.18.1
5.18.2
5.18.3
5.19.0
5.20.0