CVE-2025-27411: 
PHP vulnerability analysis and mitigation

REDAXO, a PHP-based CMS, disclosed a vulnerability (CVE-2025-27411) affecting versions before 5.18.3. The vulnerability was discovered in the mediapool/media page, which was found to be susceptible to arbitrary file upload attacks. This security issue was fixed in version 5.18.3 (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability allows authenticated users with low privileges to upload malicious files through the mediapool/media page, which could lead to JavaScript code execution and potential malware distribution (GitHub Advisory).

Successful exploitation of this vulnerability could allow attackers to execute malicious code on the server, potentially leading to JavaScript code execution and malware distribution. The vulnerability affects both confidentiality and integrity with low impact, while availability remains unaffected (GitHub Advisory).

The vulnerability has been patched in REDAXO version 5.18.3. Users are advised to upgrade to this version or later to address the security issue. The fix includes implementation of proper mime-type checks and improved file upload validation (GitHub Commit).