
Description

Redaxo CMS Mediapool Addon 5.5.1 and older contains an arbitrary file upload vulnerability that allows authenticated users to bypass file extension blacklist restrictions. Attackers with editor accounts can upload executable files by using obfuscated extensions like php71 or php53 to evade the blacklist filter and execute arbitrary code.

PUBLISHED Reserved 2026-05-23 | Published 2026-05-23 | Updated 2026-05-26 | Assigner VulnCheck




HIGH: 8.7 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
HIGH: 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Incorrect Authorization

Product status

Any version: affected

Credits

mn@HackerWerkstatt finder

References

www.exploit-db.com/exploits/44891 (ExploitDB-44891) exploit

redaxo.org (Official Product Homepage) product

redaxo.org/download/redaxo/5.5.1.zip (Product Reference) product

www.vulncheck.com/...s-mediapool-addon-arbitrary-file-upload (VulnCheck Advisory: Redaxo CMS Mediapool Addon 5.5.1 Arbitrary File Upload) third-party-advisory

cve.org (CVE-2018-25353)

nvd.nist.gov (CVE-2018-25353)
