Skip to content

Missing CSRF Protection on Package Update Action Allows Forced Addon Updates

Moderate
gharlan published GHSA-m8r3-22v6-g877 Jun 29, 2026

Package

composer redaxo/source (Composer)

Affected versions

<= 5.21.1

Patched versions

5.21.2

Description

Summary

The rex_api_install_package_update API function (install addon) does not override requiresCsrfProtection(), which defaults to false in the base class rex_api_function. Any authenticated admin can therefore be tricked via a CSRF attack into silently triggering a package update from the REDAXO package server.

Details

File: redaxo/src/core/lib/api_function.php:277-280

protected function requiresCsrfProtection()
{
    return false;  // DEFAULT — subclasses must opt in
}

File: redaxo/src/addons/install/lib/api/api_package_update.php:8-39

class rex_api_install_package_update extends rex_api_function
{
    public function execute()
    {
        if (!rex::getUser()?->isAdmin()) {
            throw new rex_api_exception('You do not have the permission!');
        }
        $addonkey = rex_request('addonkey', 'string');
        $fileId = rex_request('file', 'int');
        $installer = new rex_install_package_update();
        // ... downloads and installs $addonkey version $fileId from redaxo.org
    }
    // requiresCsrfProtection() NOT overridden — defaults to false
}

For comparison, rex_api_install_package_add and rex_api_install_package_delete both correctly return true. Only rex_api_install_package_update is missing this.

PoC

<!-- Attacker-controlled page -->
<img src="https://victim-redaxo.example.com/index.php?page=install/packages&rex-api-call=install_package_update&addonkey=some_addon&file=42" />

When an authenticated admin visits this page, the request is automatically made with their session cookie, causing some_addon to be updated to version file_id=42.

Impact

An attacker who can lure an admin to a malicious page can force-install specific addon versions. If combined with a supply-chain compromise of a package on redaxo.org, or by targeting a downgrade to a known-vulnerable version, this becomes a remote code execution vector. Even without supply-chain compromise, it can be used to disrupt the site by forcing unwanted updates.

Fix

Add requiresCsrfProtection() to rex_api_install_package_update:

protected function requiresCsrfProtection()
{
    return true;
}

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L

CVE ID

No known CVE

Weaknesses

Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. Learn more on MITRE.