36 matches found
CVE-2010-5278
MODx Revolution 2.0.2-pl (and possibly earlier) is vulnerable to a Local File Inclusion via the class_key parameter in manager/controllers/default/resource/tvs.php when magic_quotes_gpc is disabled. The vulnerability allows an attacker to read arbitrary server files by using a directory traversal seq...
CVE-2020-25911
CVE-2020-25911 describes an XML External Entity (XXE) vulnerability in MODX CMS 2.7.3, specifically in the modRestServiceRequest component. The connected documents identify the flaw as XXE, enabling information disclosure and potential denial of service (DoS). The affected product/version is MODX...
CVE-2018-1000207
MODX Revolution
CVE-2017-9067
MODX Revolution before 2.5.7 is affected when using PHP 5.3.3. Insufficient validation of the action parameter to setup/index.php enables a directory traversal that allows an attacker to include and execute arbitrary files on the web server. The issue is documented across multiple sources as a vu...
CVE-2017-9069
MODX Revolution (PHP CMS) is vulnerable before version 2.5.7. A user with file upload permissions can execute arbitrary code by uploading a file named ".htaccess". Root cause: improper handling of uploaded filenames allows code execution. Impact: arbitrary code execution with high impact and potenti...
CVE-2017-9071
MODX Revolution prior to version 2.5.7 is affected by an XSS vulnerability triggered by injecting a payload into the HTTP Host header, as part of a vulnerability chain (often with Cache Poisoning). The affected product is MODX Revolution; the issue is exploitable over the network and requires use...
CVE-2017-7323
MODX Revolution 2.5.4-pl and earlier are vulnerable due to the update and package-installation features defaulting to http://rest.modx.com, enabling a man-in-the-middle attack to spoof servers and trigger arbitrary code execution due to the lack of HTTPS protection. The issue affects the update/p...
CVE-2017-11744
CVE-2017-11744 affects MODX Revolution 2.5.7. The vulnerability is in the System Settings module where the key and name parameters can be exploited to inject cross-site scripting (XSS). A malicious payload sent to connectors/index.php can be triggered for every user visiting the module, indicatin...
CVE-2018-10382
CVE-2018-10382 affects MODX Revolution 2.6.3 and is described as a cross-site scripting (XSS) vulnerability. Connected sources (CNVD, NVD, OSV/OpenVAS) confirm the affected version and the existence of XSS, but do not provide concrete exploitation details, payloads, or official remediation steps ...
CVE-2014-8773
CVE-2014-8773 affects MODX Revolution 2.x prior to 2.2.15. The vulnerability allows remote attackers to bypass CSRF protection, by either omitting the CSRF token or supplying a long string in the CSRF token parameter. The available sources (NVD, CVE lists) describe the affected product and the ex...
CVE-2017-7321
CVE-2017-7321 affects MODX Revolution 2.5.4-pl and earlier. The issue is a remote PHP code execution vulnerability in setup/controllers/welcome.php triggered by passing the config_key parameter to the URL setup/index.php?action=welcome. Public records describe it as an arbitrary code execution pa...
CVE-2018-20757
MODX Revolution (versions up to 2.7.0-pl) is exposed to Cross-site Scripting (XSS) via extended user fields (e.g., Container name or Attribute name). Root cause: XSS in how user-field data is processed, enabling script injection in the browser. Impact is client-side compromise (data integrity/def...
CVE-2014-8774
MODX Revolution 2.x before 2.2.15 contains a cross-site scripting (XSS) vulnerability in manager/index.php, exploitable via the context_key parameter to inject arbitrary web script/HTML. The issue allows remote attackers to leverage XSS; no exploitation details are provided beyond this in the sou...
CVE-2014-5451
CVE-2014-5451 is a reflected XSS in MODX Revolution prior to or equal to 2.3.1-pl, caused by insufficient sanitization of input data passed via the HTTP GET parameter a to the path /manager/. The issue affects MODX Revolution v2.3.1-pl and earlier; exploitation can trick an admin to click a craft...
CVE-2017-7322
CVE-2017-7322: MODX Revolution versions 2.5.4-pl and earlier fail to verify X.509 certificates from SSL servers during update and package-installation, allowing a man-in-the-middle to spoof servers and trigger execution of arbitrary code via a crafted certificate. The affected product is MODX Re...
CVE-2017-8115
CVE-2017-8115: Directory traversal in MODX Revolution 2.5.7's setup/processors/url_search.php (the search page of an unused processor) could allow remote attackers to obtain system directory information. The description in the core CVE record matches multiple connected sources (NVD, Red Hat advi...
CVE-2017-1000223
MODX Revolution CMS
CVE-2019-1010123
MODX Revolution Gallery 1.7.0 is affected by CWE-434 (Unrestricted Upload of File with Dangerous Type). The issue arises from how user parameters are filtered before passing them into the phpthumb class, enabling an attack via a web request to /assets/components/gallery/connector.php to create fi...
CVE-2017-7324
MODX Revolution 2.5.4-pl and earlier are affected by a remote code execution vulnerability in setup/templates/findcore.php, exploitable via the core_path parameter to run arbitrary PHP code. The issue is documented across multiple sources (NVD/CVE-2017-7324, CNVD, osv), indicating the vulnerable ...
CVE-2018-20755
MODX Revolution (through v2.7.0-pl) is vulnerable to Cross-site Scripting (XSS) via the User Photo field. The root cause is improper handling of input in the user photo workflow (e.g., getProfilePhoto-related path) that allows injected scripts to be rendered in a user’s browser context. Exploitat...
CVE-2014-2736
MODX Revolution (
CVE-2017-7320
MODX Revolution 2.5.4-pl and earlier are affected by a vulnerability in setup/controllers/language.php where the language parameter is not properly constrained. An attacker can supply an invalid value to trigger a Cookie-Bombing denial of service (cookie quota exhaustion) and can also perform HTT...
CVE-2017-9068
MODX Revolution prior to 2.5.7 contains a Reflected XSS vulnerability. An attacker can trigger XSS by injecting payloads into several fields on the setup page, demonstrated via the database_type parameter. Affected product: MODX Revolution. Root cause: input supplied on the setup page is reflecte...
CVE-2018-20758
MODX Revolution
CVE-2017-9070
CVE-2017-9070 affects MODX Revolution before 2.5.7. A user with resource edit permissions can inject an XSS payload into the title of any post via the pagetitle parameter to connectors/index.php, enabling arbitrary script/HTML in titles. Root cause: input in the title field is not properly saniti...
CVE-2018-17556
MODX Revolution v2.6.5-pl is affected by a stored XSS vulnerability exposed via the Create New Media Source action. Multiple connected sources (Red Hat PR, CNVD/CVE references, OpenVAS) confirm the issue and describe it as a stored XSS in MODX Revolution, with the CVE entry stating the impact as ...
CVE-2018-20756
MODX Revolution (through v2.7.0-pl) is affected by a cross-site scripting (XSS) vulnerability via a document resource (e.g., pagetitle) that is mishandled during Update or Quick Edit actions, or when viewing manager logs. The issue is documented across multiple sources (NVD and related advisories...
CVE-2014-2311
MODX Revolution 2.0.0 is affected by a SQL injection in modx.class.php, exploitable before 2.2.13. Remote attackers can execute arbitrary SQL via unspecified vectors. Connected sources confirm product/version and impact; no remediation details are provided in the documents.
CVE-2014-8992
MODX Revolution 2.3.2-pl contains a cross-site scripting (XSS) flaw in the FileAPI.flash.image.swf component that allows remote attackers to inject arbitrary web script or HTML via the callback parameter. This vulnerability is documented across multiple sources (e.g., NVD/CVE-2014-8992; OpenVAS e...
CVE-2016-10037
MODX Revolution
CVE-2016-10038
MODX Revolution up to version 2.5.1 is affected by CVE-2016-10038 through a directory traversal in /connectors/index.php. A remote attacker can craft the dir parameter to trigger local file inclusion/traversal/manipulation. The vulnerability is caused by improper handling of user-controlled dir i...
CVE-2016-10039
MODX Revolution is affected by CVE-2016-10039 (pre-2.5.2-pl). A directory traversal flaw exists in /connectors/index.php where a crafted dir parameter can cause local file inclusion/traversal/manipulation. The vulnerability is exploitable remotely via standard network access and is tied to the br...
CVE-2018-1000208
MODX Revolution
CVE-2014-2080
CVE-2014-2080 is a Cross-site scripting (XSS) vulnerability in MODX Revolution’s manager/templates/default/header.tpl. It affects MODX Revolution versions before 2.2.11, allowing remote attackers to inject arbitrary web script or HTML via the "a" parameter to the manager interface. The issue aris...
CVE-2015-6588
CVE-2015-6588 affects MODX Revolution with an XSS in login-fsp.html (pre-1.9.1). The underlying issue is that the QUERY_STRING is not properly sanitized, allowing remote attackers to inject arbitrary script/HTML. In practice, user interaction is not required, but the attack occurs via craf...
CVE-2014-8775
MODX Revolution 2.x before 2.2.15 is vulnerable due to the session cookie not setting the HttpOnly flag, allowing remote attackers to access potentially sensitive information via script access. Exploitation details are not provided in the available documents. No explicit remediation/version fix i...