CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2019-1010123
https://notcve.org/view.php?id=CVE-2019-1010123
23 Jul 2019 — MODX Revolution Gallery 1.7.0 is affected by: CWE-434: Unrestricted Upload of File with Dangerous Type. The impact is: Creating file with custom a filename and content. The component is: Filtering user parameters before passing them into phpthumb class. The attack vector is: web request via /assets/components/gallery/connector.php. MODX Revolution Gallery versión 1.7.0, está afectado por: CWE-434: Carga sin Restricciones de Archivos con Tipos Peligrosos. • https://modx.pro/security/15912#comment-99640 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2018-20755
https://notcve.org/view.php?id=CVE-2018-20755
06 Feb 2019 — MODX Revolution through v2.7.0-pl allows XSS via the User Photo field. MODX Revolution, hasta la versión v2.7.0-pl, permite Cross-Site Scripting (XSS) mediante el campo User Photo. • https://github.com/modxcms/revolution/issues/14102 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2018-20756
https://notcve.org/view.php?id=CVE-2018-20756
06 Feb 2019 — MODX Revolution through v2.7.0-pl allows XSS via a document resource (such as pagetitle), which is mishandled during an Update action, a Quick Edit action, or the viewing of manager logs. MODX Revolution, hasta la versión v2.7.0-pl, permite Cross-Site Scripting (XSS) mediante un recurso de documento (como un pagetitle), que se gestiona de manera incorrecta durante una acción Update, Quick Edit, o durante la visualización de los registros de administración. • https://github.com/modxcms/revolution/issues/14105 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2018-20757
https://notcve.org/view.php?id=CVE-2018-20757
06 Feb 2019 — MODX Revolution through v2.7.0-pl allows XSS via an extended user field such as Container name or Attribute name. MODX Revolution, hasta la versión v2.7.0-pl, permite Cross-Site Scripting (XSS) mediante un campo de usuario extendido, como los nombres de Container o Attribute. • https://github.com/modxcms/revolution/issues/14104 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2018-20758
https://notcve.org/view.php?id=CVE-2018-20758
06 Feb 2019 — MODX Revolution through v2.7.0-pl allows XSS via User Settings such as Description. MODX Revolution, hasta la versión v2.7.0-pl, permite Cross-Site Scripting (XSS) mediante las opciones de usuario como "Description". • https://github.com/modxcms/revolution/issues/14103 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 4%CPEs: 1EXPL: 3CVE-2018-1000207 – Modx Revolution Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-1000207
13 Jul 2018 — MODX Revolution version <=2.6.4 contains a Incorrect Access Control vulnerability in Filtering user parameters before passing them into phpthumb class that can result in Creating file with custom a filename and content. This attack appear to be exploitable via Web request. This vulnerability appears to have been fixed in commit 06bc94257408f6a575de20ddb955aca505ef6e68. MODX Revolution en versiones iguales o anteriores a la 2.6.4 contiene una vulnerabilidad de control de acceso incorrecto en el filtrado de p... • https://packetstorm.news/files/id/148597 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-1000208
https://notcve.org/view.php?id=CVE-2018-1000208
13 Jul 2018 — MODX Revolution version <=2.6.4 contains a Directory Traversal vulnerability in /core/model/modx/modmanagerrequest.class.php that can result in remove files. This attack appear to be exploitable via web request via security/login processor. This vulnerability appears to have been fixed in pull 13980. MODX Revolution en versiones iguales o anteriores a la 2.6.4 contiene una vulnerabilidad de salto de directorio en /core/model/modx/modmanagerrequest.class.php que puede resultar en la eliminación de archivos. ... • https://github.com/modxcms/revolution/pull/13980 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2018-10382
https://notcve.org/view.php?id=CVE-2018-10382
01 Jun 2018 — MODX Revolution 2.6.3 has XSS. MODX Revolution 2.6.3 tiene Cross-Site Scripting (XSS). • https://github.com/modxcms/revolution/pull/13887 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-1000223
https://notcve.org/view.php?id=CVE-2017-1000223
17 Nov 2017 — A stored web content injection vulnerability (WCI, a.k.a XSS) is present in MODX Revolution CMS version 2.5.6 and earlier. An authenticated user with permissions to edit users can save malicious JavaScript as a User Group name and potentially take control over victims' accounts. This can lead to an escalation of privileges providing complete administrative control over the CMS. Una vulnerabilidad de inyección de contenidos web (WCI) almacenada, también conocida como Cross-Site Scripting (XSS), está presente... • https://raw.githubusercontent.com/modxcms/revolution/v2.5.7-pl/core/docs/changelog.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-11744
https://notcve.org/view.php?id=CVE-2017-11744
30 Jul 2017 — In MODX Revolution 2.5.7, the "key" and "name" parameters in the System Settings module are vulnerable to XSS. A malicious payload sent to connectors/index.php will be triggered by every user, when they visit this module. En MODX Revolution versión 2.5.7, los parámetros "key" y "name" en el módulo Configuración de Sistema son vulnerables a ataques de tipo XSS. Cada usuario que acceda a este módulo activará una carga maliciosa enviada hacia el archivo connectors/index.php que será activado por cada usuario, ... • https://github.com/modxcms/revolution/issues/13564 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •