588 matches found
EUVD-2022-1069
Malicious code in bioql PyPI...
CVE-2020-25911
A XML External Entity XXE vulnerability was discovered in the modRestServiceRequest component in MODX CMS 2.7.3 which can lead to an information disclosure or denial of service DOS...
CVE-2017-11744
In MODX Revolution 2.5.7, the "key" and "name" parameters in the System Settings module are vulnerable to XSS. A malicious payload sent to connectors/index.php will be triggered by every user, when they visit this module...
CVE-2017-20155
A vulnerability was found in Sterc Google Analytics Dashboard for MODX up to 1.0.5. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file core/components/analyticsdashboardwidget/elements/tpl/widget.analytics.tpl of the component Internal...
CVE-2019-1010123
MODX Revolution Gallery 1.7.0 is affected by: CWE-434: Unrestricted Upload of File with Dangerous Type. The impact is: Creating file with custom a filename and content. The component is: Filtering user parameters before passing them into phpthumb class. The attack vector is: web request via...
CVE-2018-17556
MODX Revolution v2.6.5-pl allows stored XSS via a Create New Media Source action...
CVE-2019-1010178
Fred MODX Revolution 1.0.0-beta5 is affected by: Incorrect Access Control - CWE-648. The impact is: Remote Code Execution. The component is: assets/components/fred/web/elfinder/connector.php. The attack vector is: Uploading a PHP file or change data in the database. The fixed version is:...
CVE-2017-9068
In MODX Revolution before 2.5.7, an attacker is able to trigger Reflected XSS by injecting payloads into several fields on the setup page, as demonstrated by the databasetype parameter...
CVE-2017-9069
In MODX Revolution before 2.5.7, a user with file upload permissions is able to execute arbitrary code by uploading a file with the name .htaccess...
CVE-2017-9067
In MODX Revolution before 2.5.7, when PHP 5.3.3 is used, an attacker is able to include and execute arbitrary files on the web server due to insufficient validation of the action parameter to setup/index.php, aka directory traversal...
CVE-2017-9070
In MODX Revolution before 2.5.7, a user with resource edit permissions can inject an XSS payload into the title of any post via the pagetitle parameter to connectors/index.php...
CVE-2017-9071
In MODX Revolution before 2.5.7, an attacker might be able to trigger XSS by injecting a payload into the HTTP Host header of a request. This is exploitable only in conjunction with other issues such as Cache Poisoning...
CVE-2017-8115
Directory traversal in setup/processors/urlsearch.php aka the search page of an unused processor in MODX Revolution 2.5.7 might allow remote attackers to obtain system directory information...
CVE-2017-1000223
A stored web content injection vulnerability WCI, a.k.a XSS is present in MODX Revolution CMS version 2.5.6 and earlier. An authenticated user with permissions to edit users can save malicious JavaScript as a User Group name and potentially take control over victims' accounts. This can lead to an...
CVE-2008-5941
Cross-site request forgery CSRF vulnerability in MODx 0.9.6.1p2 and earlier allows remote attackers to perform unauthorized actions as other users via unknown vectors...
Cross-site Scripting (XSS)
modx/revolution is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper file validation due to authenticated users being able to upload SVG files containing malicious JavaScript, which executes in victims' browsers when viewing the profile image...
CVE-2025-28010
A cross-site scripting XSS vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image...
GHSA-HM54-FG2W-2G6J MODX allows cross-site scripting (XSS) via an SVG file
A cross-site scripting XSS vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image...
Cross-site Scripting (XSS)
Overview modx/revolution is a Content Management System. Affected versions of this package are vulnerable to Cross-site Scripting XSS due to improper sanitization of user-uploaded SVG files in the profile image upload feature. Authenticated users can upload SVG files containing malicious JavaScri...
MODX allows cross-site scripting (XSS) via an SVG file
A cross-site scripting XSS vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image...