CVE-2024-46209: 
PHP vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability has been identified in REDAXO CMS version 5.17.1, specifically in the component /media/test.html. The vulnerability was discovered and disclosed in January 2025, with MITRE assigning it CVE-2024-46209 (NVD).

The vulnerability allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the password parameter of the /media/test.html component. The CVSS v3.1 base score is 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating that the vulnerability requires low attack complexity but also requires user interaction (NVD).

When successfully exploited, this vulnerability allows attackers to execute arbitrary web scripts and HTML in the context of the affected application. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the authenticated user's session (NVD).

Users should upgrade to a patched version of REDAXO CMS when available. In the meantime, administrators should implement strict input validation and output encoding for the password parameter in the affected component (NVD).