336 matches found

EUVD
added 2025/10/03 8:7 p.m. | 3 views

EUVD-2022-4775

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 8.8 | EPSS 0.00546
Exploits 0 | References 4
RedhatCVE
added 2025/05/22 10:49 a.m. | 5 views

CVE-2017-11744

In MODX Revolution 2.5.7, the "key" and "name" parameters in the System Settings module are vulnerable to XSS. A malicious payload sent to connectors/index.php will be triggered by every user, when they visit this module...

CVSS 6.1 | AI score 6.8 | EPSS 0.00223
Exploits 0 | References 1
RedhatCVE
added 2025/05/22 10:10 a.m. | 4 views

CVE-2019-1010123

MODX Revolution Gallery 1.7.0 is affected by: CWE-434: Unrestricted Upload of File with Dangerous Type. The impact is: Creating a file with a custom filename and content. The component is: Filtering user parameters before passing them into phpthumb class. The attack vector is: web request via...

CVSS 7.5 | AI score 7 | EPSS 0.0021
Exploits 1 | References 1
RedhatCVE
added 2025/05/22 8:9 a.m. | 5 views

CVE-2018-17556

MODX Revolution v2.6.5-pl allows stored XSS via a Create New Media Source action...

CVSS 5.4 | AI score 5.6 | EPSS 0.00191
Exploits 0 | References 1
RedhatCVE
added 2025/05/22 7:43 a.m. | 6 views

CVE-2019-1010178

Fred MODX Revolution 1.0.0-beta5 is affected by: Incorrect Access Control - CWE-648. The impact is: Remote Code Execution. The component is: assets/components/fred/web/elfinder/connector.php. The attack vector is: Uploading a PHP file or change data in the database. The fixed version is:...

CVSS 9.8 | AI score 7.4 | EPSS 0.02373
Exploits 1 | References 1
RedhatCVE
added 2025/05/22 7:12 a.m. | 6 views

CVE-2017-9068

In MODX Revolution before 2.5.7, an attacker is able to trigger Reflected XSS by injecting payloads into several fields on the setup page, as demonstrated by the databasetype parameter...

CVSS 6.1 | AI score 6 | EPSS 0.00328
Exploits 1 | References 1
RedhatCVE
added 2025/05/22 6:55 a.m. | 3 views

CVE-2017-9069

In MODX Revolution before 2.5.7, a user with file upload permissions is able to execute arbitrary code by uploading a file with the name .htaccess...

CVSS 8.8 | AI score 7.8 | EPSS 0.00521
Exploits 1 | References 1
RedhatCVE
added 2025/05/22 6:54 a.m. | 3 views

CVE-2017-9067

In MODX Revolution before 2.5.7, when PHP 5.3.3 is used, an attacker is able to include and execute arbitrary files on the web server due to insufficient validation of the action parameter to setup/index.php, aka directory traversal...

CVSS 7 | AI score 7.2 | EPSS 0.00215
Exploits 1 | References 1
RedhatCVE
added 2025/05/22 6:33 a.m. | 6 views

CVE-2017-9070

In MODX Revolution before 2.5.7, a user with resource edit permissions can inject an XSS payload into the title of any post via the pagetitle parameter to connectors/index.php...

CVSS 5.4 | AI score 6 | EPSS 0.00255
Exploits 1 | References 1
RedhatCVE
added 2025/05/22 3:36 a.m. | 5 views

CVE-2017-9071

In MODX Revolution before 2.5.7, an attacker might be able to trigger XSS by injecting a payload into the HTTP Host header of a request. This is exploitable only in conjunction with other issues such as Cache Poisoning...

CVSS 4.7 | AI score 5.9 | EPSS 0.00353
Exploits 1 | References 1
RedhatCVE
added 2025/05/22 2:23 a.m. | 4 views

CVE-2017-8115

Directory traversal in setup/processors/urlsearch.php aka the search page of an unused processor in MODX Revolution 2.5.7 might allow remote attackers to obtain system directory information...

CVSS 5.3 | AI score 7 | EPSS 0.00144
Exploits 0 | References 1
RedhatCVE
added 2025/05/22 1:17 a.m. | 5 views

CVE-2017-1000223

A stored web content injection vulnerability (WCI, a.k.a. XSS) is present in MODX Revolution CMS version 2.5.6 and earlier. An authenticated user with permissions to edit users can save malicious JavaScript as a User Group name and potentially take control over victims' accounts. This can lead to an...

CVSS 5.4 | AI score 7.1 | EPSS 0.00256
Exploits 0 | References 1
Veracode
added 2025/03/20 7:43 a.m. | 19 views

Cross-site Scripting (XSS)

modx/revolution is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper file validation due to authenticated users being able to upload SVG files containing malicious JavaScript, which executes in victims' browsers when viewing the profile image...

CVSS 5.4 | AI score 6 | EPSS 0.00189
Exploits 1 | References 3 | Affected Software 1
Snyk
added 2025/03/13 6:32 p.m. | 3 views

Cross-site Scripting (XSS)

Overview: modx/revolution is a Content Management System. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user-uploaded SVG files in the profile image upload feature. Authenticated users can upload SVG files containing malicious JavaScri...

CVSS 6.4 | AI score 5.4 | EPSS 0.00189
Exploits 1 | References 2
CNNVD
added 2025/03/13 12:0 a.m. | 1 views

MODX Revolution Security Vulnerability

MODX Revolution is an open source PHP-based content management system (CMS) from MODX USA. The system supports online collaboration, search engine optimization (SEO) and more. A security vulnerability exists in MODX Revolution versions prior to 3.1.0, which originates from the fact that an...

CVSS 5.4 | AI score 6.5 | EPSS 0.00189
Exploits 1 | References 1
Packet Storm
added 2023/03/27 12:0 a.m. | 215 views

MODX Revolution 2.8.3-pl Remote Code Execution

Exploit Title: MODX Revolution v2.8.3-pl - Authenticated Remote Code Execution Exploit Author: Sarang Tumne @CyberInsane Twitter: @thecyberinsane Date: 26th Feb'2022 CVE ID: CVE-2022-26149 Confirmed on release 2.8.3-pl Reference: https://github.com/sartlabs/0days/blob/main/Modx/Exploit.txt Vendor...

CVSS 7.2 | AI score 7 | EPSS 0.10493
Exploits 4
0day.today
added 2023/03/27 12:0 a.m. | 213 views

MODX Revolution v2.8.3-pl - Authenticated Remote Code Execution Vulnerability

Exploit Title: MODX Revolution v2.8.3-pl - Authenticated Remote Code Execution Exploit Author: Sarang Tumne @CyberInsane Twitter: @thecyberinsane CVE ID: CVE-2022-26149 Confirmed on release 2.8.3-pl Reference: https://github.com/sartlabs/0days/blob/main/Modx/Exploit.txt Vendor:...

CVSS 7.2 | AI score 7 | EPSS 0.10493
Exploits 4
Exploit DB
added 2023/03/25 12:0 a.m. | 182 views

MODX Revolution v2.8.3-pl - Authenticated Remote Code Execution

Exploit Title: MODX Revolution v2.8.3-pl - Authenticated Remote Code Execution Exploit Author: Sarang Tumne @CyberInsane Twitter: @thecyberinsane Date: 26th Feb'2022 CVE ID: CVE-2022-26149 Confirmed on release 2.8.3-pl Reference: https://github.com/sartlabs/0days/blob/main/Modx/Exploit.txt Vendor...

CVSS 7.2 | AI score 7 | EPSS 0.10493
Exploits 4
Github Security Blog
added 2022/05/17 2:43 a.m. | 9 views

MODX Revolution Reflected XSS

In MODX Revolution before 2.5.7, an attacker is able to trigger Reflected XSS by injecting payloads into several fields on the setup page, as demonstrated by the databasetype parameter...

CVSS 6.1 | AI score 5.9 | EPSS 0.00328
Exploits 1 | References 4 | Affected Software 1
Github Security Blog
added 2022/05/17 2:43 a.m. | 8 views

MODX Revolution XSS via HTTP Host header

In MODX Revolution before 2.5.7, an attacker might be able to trigger XSS by injecting a payload into the HTTP Host header of a request. This is exploitable only in conjunction with other issues such as Cache Poisoning...

CVSS 4.7 | AI score 5.9 | EPSS 0.00353
Exploits 1 | References 4 | Affected Software 1