Modx Revolution Security Vulnerabilities and Issues — Modx Revolution CVE List

Lucene search

ModxModx Revolution

5 matches found

CVE•added 2017/03/30 7:59 a.m.•47 views

CVE-2017-7323

The (1) update and (2) package-installation features in MODX Revolution 2.5.4-pl and earlier use http://rest.modx.com by default, which allows man-in-the-middle attackers to spoof servers and trigger the execution of arbitrary code by leveraging the lack of the HTTPS protection mechanism.

8.1CVSS8.1AI score0.01205EPSS

CVE•added 2017/03/30 7:59 a.m.•42 views

CVE-2017-7322

The (1) update and (2) package-installation features in MODX Revolution 2.5.4-pl and earlier do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and trigger the execution of arbitrary code via a crafted certificate.

8.1CVSS8AI score0.00546EPSS

CVE•added 2017/03/30 7:59 a.m.•41 views

CVE-2017-7321

setup/controllers/welcome.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the config_key parameter to the setup/index.php?action=welcome URI.

9.8CVSS9.8AI score0.02182EPSS

CVE•added 2017/03/30 7:59 a.m.•39 views

CVE-2017-7324

setup/templates/findcore.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the core_path parameter.

9.8CVSS9.8AI score0.02182EPSS

CVE•added 2017/03/30 7:59 a.m.•38 views

CVE-2017-7320

setup/controllers/language.php in MODX Revolution 2.5.4-pl and earlier does not properly constrain the language parameter, which allows remote attackers to conduct Cookie-Bombing attacks and cause a denial of service (cookie quota exhaustion), or conduct HTTP Response Splitting attacks with resulta...

6.1CVSS6.4AI score0.0031EPSS