PatchSiren

CVE-2018-25353 Redaxo CVE debrief

A high-severity arbitrary file upload vulnerability in the Redaxo CMS Mediapool Addon, versions 5.5.1 and earlier, allows authenticated users with editor privileges to bypass the addon's file extension blacklist. The check compares the extension against a fixed list of prohibited strings, so a file named with a version-suffixed extension such as php71 or php53 is not recognised as PHP and is accepted. On a web server that maps such extensions to a PHP handler, the uploaded file executes, giving remote code execution on the affected system. The vulnerability was published on May 23, 2026, and the record was last modified on May 26, 2026. The CVSS 4.0 vector records network attack vector, low attack complexity, low privileges required, no user interaction, and high impact to confidentiality, integrity, and availability.

Vendor
Redaxo
Product
Redaxo CMS Mediapool
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-23
Original CVE updated
2026-05-26
Advisory published
2026-05-23
Advisory updated
2026-05-26

Who should care

Organizations running Redaxo CMS with Mediapool Addon version 5.5.1 or older; web application security teams managing content management systems; system administrators responsible for PHP-based CMS deployments; security operations centers monitoring for web application attacks

Technical summary

The Mediapool Addon validates uploads by comparing the file extension against a blacklist of prohibited extensions. The comparison is exact, so a name whose extension merely resembles a prohibited one is accepted: 'shell.php71' passes because 'php71' is not the string 'php'. Whether the file then executes depends on the web server rather than on the addon. Hosting setups that run several PHP versions side by side commonly map version-suffixed extensions such as .php71 or .php53 to a PHP handler, and on such a host the uploaded file runs as PHP as soon as it is requested, giving the attacker arbitrary code execution under the web server account. The attack needs only a valid editor account (PR:L) and no interaction from any other user (UI:N). A blacklist can never cover handler mappings the server operator adds later, which is why an allowlist of the extensions the site actually needs is the correct design.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade the Redaxo CMS Mediapool Addon to a fixed release (any version newer than 5.5.1)
  • Implement strict server-side file extension validation using an allowlist of required extensions rather than a blacklist, and generate the stored filename on the server instead of reusing the client's name
  • Configure the web server to deny script execution in upload directories (remove the PHP handler for the media path), so that a file which slips past validation is served as static content rather than run
  • Implement additional content-type validation and file header inspection, so a PHP payload renamed to an allowed extension is rejected
  • Restrict editor account privileges to minimize potential attack surface
  • Monitor upload directories for unexpected executable file types, including version-suffixed names such as .php71, and for files whose content contains PHP code regardless of extension
  • Review and strengthen authentication controls for editor-level accounts
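
A sweep of the kind the monitoring action calls for, as an added example (not a Redaxo or PatchSiren tool): `scan_upload_dir` flags version-suffixed PHP extensions, PHP open tags in the content of files with benign extensions, and web-server control files dropped into the upload directory, which is how an attacker re-enables execution after the handler has been removed. `build_sample_dir` writes constructed sample files into a temporary directory so the scan runs offline; the directory layout, file names and contents are constructed for the example.

```python
import os
import re
import tempfile

# Extensions a PHP handler is commonly mapped to; \d* covers version-suffixed
# names such as .php71 or .php53, the bypass described in this debrief.
EXEC_EXT = re.compile(r"^(php\d*|phtml|phar|phps)$", re.IGNORECASE)
# Per-directory control files that can change how uploads are served.
CONTROL_FILES = {".htaccess", ".user.ini", "web.config"}
# PHP open tag anywhere in the first HEAD_BYTES of a file.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
HEAD_BYTES = 4096


def scan_upload_dir(root):
    """Return sorted (relative path, reason) pairs for suspicious files under root."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name.lower() in CONTROL_FILES:
                findings.append((rel, "control file in upload dir"))
                continue
            ext = name.rsplit(".", 1)[1] if "." in name else ""
            if EXEC_EXT.match(ext):
                findings.append((rel, f"executable extension .{ext}"))
                continue
            with open(full, "rb") as fh:
                head = fh.read(HEAD_BYTES)
            if PHP_TAG.search(head):
                findings.append((rel, "PHP open tag in content"))
    return sorted(findings)


def build_sample_dir():
    """Write constructed sample files to a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="mediapool-scan-")
    samples = {
        # benign uploads with matching magic bytes
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "brochure.pdf": b"%PDF-1.7\n%constructed sample\n",
        "sub/avatar.gif": b"GIF89a" + b"\x00" * 16,
        # the bypass: blacklisted 'php' avoided with a version suffix
        "shell.php71": b"<?php system($_GET['c']); ?>",
        # valid PNG header with a PHP payload appended (polyglot-style)
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"<?php echo 1; ?>",
        # attacker-dropped handler mapping that would make .jpg executable
        ".htaccess": b"AddHandler application/x-httpd-php .jpg\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, reason in scan_upload_dir(build_sample_dir()):
        print(f"{reason:32} {rel}")
```

A CMS may legitimately ship a control file in its media directory; baseline such files by hash and alert on change rather than on presence. Run the sweep from a scheduled job or a file-integrity tool against the real upload path, and treat a PHP-tag hit inside an image as an incident rather than a false positive to tune away, since the file needs only one handler mapping to become executable.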

Evidence notes

The record classifies the vulnerability under CWE-863 (Incorrect Authorization). Note that the mechanism described, an extension blacklist that an unlisted handler-mapped extension slips past, is the pattern usually catalogued as CWE-434 (Unrestricted Upload of File with Dangerous Type); treat the CWE-863 label as the record's classification rather than as a description of the flaw. The CVSS 4.0 vector string is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. The vulnerability status in NVD is listed as 'Deferred', the status NVD uses for records it has not prioritised for its own enrichment.

Official resources

Redaxo CMS Mediapool Addon versions 5.5.1 and older contain an arbitrary file upload vulnerability that allows authenticated users with editor accounts to bypass file extension blacklist restrictions by using obfuscated extensions (e.g., 'p