This vulnerability allows authenticated users with backup permissions to read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. The Backup addon does not validate the `EXPDIR` POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing `../` sequences (or even absolute paths inside the document root) to include any readable file in the generated `.tar.gz` archive. Version 5.20.2 fixes this issue.
The vulnerability has a CVSS score of 8.3, indicating a high-severity risk. This score is derived from a low attack complexity and the requirement for high privileges, meaning that attackers could exploit this vulnerability if they have already authenticated. Risk to organizations includes unauthorized file access, potentially exposing sensitive data.
As of now, exploits for this vulnerability have been confirmed, which heightens the urgency for organizations to address it. Organizations should prioritize patching immediately.
The vulnerability was published on January 7, 2026, and the latest modification was on January 20, 2026. With the attack vector being network-based and the attack complexity low, it poses a significant risk to organizations using REDAXO versions prior to 5.20.2.
Organizations are urged to implement the patch provided in version 5.20.2 and review their configurations to mitigate potential exploitation attempts.
Vulnerability Details
The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-24 (Path Traversal). The affected product is REDAXO, a PHP-based content management system, specifically versions prior to 5.20.2.
Technical Analysis
The root cause of this vulnerability lies in the Backup addon's failure to validate user input for the `EXPDIR` POST parameter. This oversight allows attackers to manipulate the file paths, leading to potential unauthorized access to sensitive files within the system.
The attack vector is network-based, and the attack complexity is low, requiring high privileges for exploitation. However, no user interaction is necessary for an attack to succeed. The confidentiality impact is rated as high, as attackers may gain access to sensitive information.
Risk & Impact Analysis
Real-world deployment risk includes the potential for attackers to access sensitive files, leading to data breaches or unauthorized information disclosure. This is particularly concerning for organizations that store sensitive data within the webroot of REDAXO installations.
The blast radius could be significant, depending on the data stored and the permissions granted to authenticated users. The urgency assessment based on the CVSS score indicates that organizations should address this vulnerability in their priority patch cycle.
Exploitation Status
Signal | Status |
|---|---|
Known Exploit | Yes |
Public PoC | Yes |
Actively Exploited | No |
Ransomware Use | No |
Affected Versions
All versions of REDAXO prior to 5.20.2 are affected by this vulnerability. Organizations should ensure they upgrade to this version or later to mitigate risks.
Mitigation & Remediation
To mitigate the risk associated with this vulnerability, organizations should apply the patch provided in version 5.20.2. If immediate patching is not possible, consider implementing workarounds such as restricting access to the Backup addon's file export functionality or reviewing user permissions.
Monitoring for unusual file access patterns and reviewing configurations can also help in detecting potential exploitation attempts.
Organizations should validate remediation effectiveness through continuous penetration testing that exercises the patched code path.
Detection Guidance
Organizations should monitor logs for indicators of unauthorized access attempts, particularly focusing on the Backup addon's file export functionality. Behavioral anomalies such as unexpected file access patterns should be investigated.
Additionally, network signatures that indicate path traversal attempts should be implemented to enhance detection capabilities.
AppSecure Threat Intelligence Insight
The long-term significance of this vulnerability lies in its representation of common oversights in input validation within web applications. Security teams should take this as a lesson to ensure that user inputs are thoroughly validated against expected patterns.
This incident underscores the importance of a robust security posture, including regular code reviews and vulnerability assessments. Organizations are encouraged to develop a vulnerability management program that prioritizes proactive security measures.
Furthermore, the development of secure coding practices is essential to prevent similar vulnerabilities in the future. Regular training for development teams on security best practices can significantly reduce the risk of such vulnerabilities.
For more insights on security best practices, organizations can refer to the following resources: penetration testing methodology, web application penetration testing, and security testing best practices.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
.webp)