Note: This project will be discontinued after December 13, 2021.
Product: Modx_revolution (Modx)

Repositories | https://github.com/modxcms/revolution |
#Vulnerabilities | 36 |

Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2014-12-22 | CVE-2014-8992 | Cross-site scripting (XSS) vulnerability in manager/assets/fileapi/FileAPI.flash.image.swf in MODX Revolution 2.3.2-pl allows remote attackers to inject arbitrary web script or HTML via the callback parameter. | Modx_revolution | N/A | ||
2014-12-03 | CVE-2014-8775 | MODX Revolution 2.x before 2.2.15 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. | Modx_revolution | N/A | ||
2014-12-03 | CVE-2014-8774 | Cross-site scripting (XSS) vulnerability in manager/index.php in MODX Revolution 2.x before 2.2.15 allows remote attackers to inject arbitrary web script or HTML via the context_key parameter. | Modx_revolution | N/A | ||
2014-12-03 | CVE-2014-8773 | MODX Revolution 2.x before 2.2.15 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism by (1) omitting the CSRF token or via a (2) long string in the CSRF token parameter. | Modx_revolution | N/A | ||
2014-04-24 | CVE-2014-2736 | Multiple SQL injection vulnerabilities in MODX Revolution before 2.2.14 allow remote attackers to execute arbitrary SQL commands via the (1) session ID (PHPSESSID) to index.php or remote authenticated users to execute arbitrary SQL commands via the (2) user parameter to connectors/security/message.php or (3) id parameter to manager/index.php. | Modx_revolution | N/A | ||
2014-03-11 | CVE-2014-2311 | SQL injection vulnerability in modx.class.php in MODX Revolution 2.0.0 before 2.2.13 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | Modx_revolution | N/A | ||
2019-07-23 | CVE-2019-1010123 | MODX Revolution Gallery 1.7.0 is affected by: CWE-434: Unrestricted Upload of File with Dangerous Type. The impact is: Creating file with a custom filename and content. The component is: Filtering user parameters before passing them into phpthumb class. The attack vector is: web request via /assets/components/gallery/connector.php. | Modx_revolution | 7.5 | ||
2019-02-06 | CVE-2018-20757 | MODX Revolution through v2.7.0-pl allows XSS via an extended user field such as Container name or Attribute name. | Modx_revolution | 6.1 | ||
2019-02-06 | CVE-2018-20756 | MODX Revolution through v2.7.0-pl allows XSS via a document resource (such as pagetitle), which is mishandled during an Update action, a Quick Edit action, or the viewing of manager logs. | Modx_revolution | 6.1 | ||
2019-02-06 | CVE-2018-20755 | MODX Revolution through v2.7.0-pl allows XSS via the User Photo field. | Modx_revolution | 6.1 |