Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Modx_revolution
(Modx)| Repositories | https://github.com/modxcms/revolution |
| #Vulnerabilities | 36 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2021-10-31 | CVE-2020-25911 | A XML External Entity (XXE) vulnerability was discovered in the modRestServiceRequest component in MODX CMS 2.7.3 which can lead to an information disclosure or denial of service (DOS). | Modx_revolution | 9.1 | ||
| 2012-10-07 | CVE-2010-5278 | Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter. NOTE: some of these details are obtained from third party information. | Modx_revolution | N/A | ||
| 2017-03-30 | CVE-2017-7324 | setup/templates/findcore.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the core_path parameter. | Modx_revolution | N/A | ||
| 2017-03-30 | CVE-2017-7323 | The (1) update and (2) package-installation features in MODX Revolution 2.5.4-pl and earlier use http://rest.modx.com by default, which allows man-in-the-middle attackers to spoof servers and trigger the execution of arbitrary code by leveraging the lack of the HTTPS protection mechanism. | Modx_revolution | N/A | ||
| 2017-03-30 | CVE-2017-7322 | The (1) update and (2) package-installation features in MODX Revolution 2.5.4-pl and earlier do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and trigger the execution of arbitrary code via a crafted certificate. | Modx_revolution | N/A | ||
| 2017-03-30 | CVE-2017-7321 | setup/controllers/welcome.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the config_key parameter to the setup/index.php?action=welcome URI. | Modx_revolution | N/A | ||
| 2017-03-30 | CVE-2017-7320 | setup/controllers/language.php in MODX Revolution 2.5.4-pl and earlier does not properly constrain the language parameter, which allows remote attackers to conduct Cookie-Bombing attacks and cause a denial of service (cookie quota exhaustion), or conduct HTTP Response Splitting attacks with resultant XSS, via an invalid parameter value. | Modx_revolution | N/A | ||
| 2016-12-24 | CVE-2016-10039 | Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted dir parameter, related to browser/directory/getfiles. | Modx_revolution | N/A | ||
| 2016-12-24 | CVE-2016-10037 | Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted id (aka dir) parameter, related to browser/directory/getlist. | Modx_revolution | N/A | ||
| 2019-02-06 | CVE-2018-20758 | MODX Revolution through v2.7.0-pl allows XSS via User Settings such as Description. | Modx_revolution | N/A |