CVE-2025-64049

Key Vulnerability Information

CVE ID: CVE-2025-64049
Vulnerable Software: REDAXO CMS Version 5.20.0
Vulnerability Type: Stored XSS
Vendor Homepage: https://redaxo.org/
Software Repository: https://github.com/redaxo/redaxo

Description

A stored cross-site scripting (XSS) vulnerability in the module management component of REDAXO CMS 5.20.0 allows remote users to inject arbitrary web script or HTML via the Output code field in modules.

Steps to Reproduce

1. Navigate to the module section:
2. Add a module with the following XSS script in the output section:
3. Save the module.
4. Navigate to Structure:
5. Create or edit an existing article in the "structure" section.
6. Activate the payload by saving the slice.

Result: Upon saving, an alert popup appears, confirming arbitrary JavaScript code execution.

Impact

The injected code is stored in the database and triggers every time the affected content is rendered, allowing attackers to steal session cookies of authenticated users and gain full control over the application.

Mitigation

Properly escape user-generated content before rendering it in the browser. Treat all HTML content from module code fields as untrusted on output.