Skip to content

Stored XSS in Mediapool Sync Page via Unescaped Filesystem Filenames

Moderate
gharlan published GHSA-w998-qmw9-mf4m Jun 29, 2026

Package

composer redaxo/source (Composer)

Affected versions

<= 5.21.1

Patched versions

5.21.2

Description

Summary

The mediapool sync page (sync.php) renders filenames from the /media filesystem directory directly into HTML without applying rex_escape() (i.e., htmlspecialchars). Any file placed in the media directory whose filename contains HTML metacharacters will execute JavaScript in the browser of any backend user who views the sync page.

Details

In redaxo/src/addons/mediapool/pages/sync.php, the variable $diffFiles is populated from actual filesystem filenames (files in /media/ not yet registered in the database). These filenames are then rendered without escaping:

File: redaxo/src/addons/mediapool/pages/sync.php:119-120

foreach ($diffFiles as $file) {
    if (is_writable(rex_path::media($file))) {
        $e = [];
        $e['label'] = '<label>' . $file . '</label>';          // NO rex_escape!
        $e['field'] = '<input type="checkbox" name="sync_files[]" value="' . $file . '" />'; // NO rex_escape!
        $writable[] = $e;
    } else {
        $notWritable[] = $file;
    }
}

File: redaxo/src/addons/mediapool/pages/sync.php:170

$fragment->setVar('body', '<ul><li>' . implode('</li><li>', $notWritable) . '</li></ul>', false);
// $notWritable contains unescaped filenames

By contrast, all other filename displays in the codebase use rex_escape($fname) (e.g., media.detail.php:236, media.list.php). The sync page is accessible to any backend user with the media[sync] permission (not exclusively admins).

PoC

  1. Place a file named <img src=x onerror=alert(document.cookie)>.txt into the REDAXO /media/ directory (via backup restore or server access) without adding it to the media database.
  2. Log in as any backend user with media[sync] permission.
  3. Navigate to Mediapool → Sync.
  4. The XSS payload executes immediately, stealing the admin session cookie.

Impact

Stored XSS in the admin panel. An attacker who can place files in the media directory (via admin-level backup restore or server access) can achieve persistent XSS against all users who visit the sync page, including higher-privileged admins. This enables session hijacking, credential theft, and full CMS takeover.

Fix

Apply rex_escape() to all filename variables before inserting into HTML:

$e['label'] = '<label>' . rex_escape($file) . '</label>';
$e['field'] = '<input type="checkbox" name="sync_files[]" value="' . rex_escape($file) . '" />';
// ...
$fragment->setVar('body', '<ul><li>' . implode('</li><li>', array_map('rex_escape', $notWritable)) . '</li></ul>', false);

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVE ID

No known CVE

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Learn more on MITRE.