modx/revolution
Packagist13 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting modx/revolutionpage 1 of 1
- CVE-2017-1000067HIGHCVSS 8.8EG 8.8✓ Fixed in 2.6.02017-07-17
MODX Revolution version 2.x - 2.5.6 is vulnerable to blind SQL injection caused by improper sanitization by the escape method resulting in authenticated user accessing database and possibly escalating privileges.
- CVE-2017-9067HIGHCVSS 7.0EG 7.0✓ Fixed in 2.5.72017-05-18
In MODX Revolution before 2.5.7, when PHP 5.3.3 is used, an attacker is able to include and execute arbitrary files on the web server due to insufficient validation of the action parameter to setup/index.php, aka directory traversal.
- CVE-2017-9068MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2.5.72017-05-18
In MODX Revolution before 2.5.7, an attacker is able to trigger Reflected XSS by injecting payloads into several fields on the setup page, as demonstrated by the database_type parameter.
- CVE-2017-9069HIGHCVSS 8.8EG 8.8✓ Fixed in 2.5.72017-05-18
In MODX Revolution before 2.5.7, a user with file upload permissions is able to execute arbitrary code by uploading a file with the name .htaccess.
- CVE-2017-9070MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2.5.72017-05-18
In MODX Revolution before 2.5.7, a user with resource edit permissions can inject an XSS payload into the title of any post via the pagetitle parameter to connectors/index.php.
- CVE-2017-9071MEDIUMCVSS 4.7EG 4.7✓ Fixed in 2.5.72017-05-18
In MODX Revolution before 2.5.7, an attacker might be able to trigger XSS by injecting a payload into the HTTP Host header of a request. This is exploitable only in conjunction with other issues such as Cache Poisoning.
- CVE-2018-1000207HIGHCVSS 7.2EG 7.2✓ Fixed in 2.7.02018-07-13
MODX Revolution version <=2.6.4 contains a Incorrect Access Control vulnerability in Filtering user parameters before passing them into phpthumb class that can result in Creating file with custom a filename and content. This attack appear …
- CVE-2018-20755MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2.7.1-pl2019-02-06
vulnerable: v2.7.0-pl
MODX Revolution through v2.7.0-pl allows XSS via the User Photo field.
- CVE-2018-20756MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2.7.1-pl2019-02-06
vulnerable: v2.7.0-pl
MODX Revolution through v2.7.0-pl allows XSS via a document resource (such as pagetitle), which is mishandled during an Update action, a Quick Edit action, or the viewing of manager logs.
- CVE-2018-20757MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2.7.1-pl2019-02-06
vulnerable: v2.7.0-pl
MODX Revolution through v2.7.0-pl allows XSS via an extended user field such as Container name or Attribute name.
- CVE-2018-20758MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2.7.1-pl2019-02-06
vulnerable: v2.7.0-pl
MODX Revolution through v2.7.0-pl allows XSS via User Settings such as Description.
- CVE-2020-25911CRITICALCVSS 9.1EG 9.1✓ Fixed in 2.8.02021-10-31
vulnerable: v2.7.0-pl, v2.7.1-pl, v2.7.2-pl, v2.7.3-pl
A XML External Entity (XXE) vulnerability was discovered in the modRestServiceRequest component in MODX CMS 2.7.3 which can lead to an information disclosure or denial of service (DOS).
- CVE-2022-26149HIGHCVSS 7.2EG 7.22022-02-26
vulnerable: v2.7.0-pl ... v2.8.3-pl (8 versions)
MODX Revolution through 2.8.3-pl allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Uploadable File Types setting can be changed by an administrator.
Check whether modx/revolution is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for modx/revolution CVEs against the assets you own.
Start Free Scan →