CVE-2010-1426
https://notcve.org/view.php?id=CVE-2010-1426
SQL injection vulnerability in MODx Evolution before 1.0.3 allows remote attackers to execute arbitrary SQL commands via unknown vectors related to WebLogin. Vulnerabilidad de inyección SQL en MODx Evolution anterior a 1.0.3, permite a atacantes remotos ejecutar comandos SQL de su elección a través de vectores desconocidos relacionados con WebLogin. • http://jvn.jp/en/jp/JVN19774883/index.html http://jvndb.jvn.jp/ja/contents/2010/JVNDB-2010-000012.html http://modxcms.com/forums/index.php/topic%2C47759.msg280304.html#msg280304 http://secunia.com/advisories/39298 https://exchange.xforce.ibmcloud.com/vulnerabilities/57636 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2008-5941
https://notcve.org/view.php?id=CVE-2008-5941
Cross-site request forgery (CSRF) vulnerability in MODx 0.9.6.1p2 and earlier allows remote attackers to perform unauthorized actions as other users via unknown vectors. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en MODx 0.9.6.1p2 y anteriores permite a atacantes remotos realizar acciones no autorizadas como otros usuarios mediante vectores desconocidos. • http://jvn.jp/en/jp/JVN66828183/index.html http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000004.html http://svn.modxcms.com/svn/tattoo/tattoo/releases/0.9.6.3/install/changelog.txt • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2008-5942
https://notcve.org/view.php?id=CVE-2008-5942
Multiple cross-site scripting (XSS) vulnerabilities in MODx before 0.9.6.3 allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the preserveUrls function and (2) "username input." NOTE: vector 2 may be related to CVE-2008-5939. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en MODx anterior a v0.9.6.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de vectores relacionados con (1) la función preserveUrls y (2) "entrada de nombre de usuario." NOTA: el vector 2 puede estar relacionado con CVE-2008-5939. • http://jvn.jp/en/jp/JVN10170564/index.html http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-000003.html http://svn.modxcms.com/svn/tattoo/tattoo/releases/0.9.6.3/install/changelog.txt http://www.securityfocus.com/bid/33184 https://exchange.xforce.ibmcloud.com/vulnerabilities/48184 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2008-5940
https://notcve.org/view.php?id=CVE-2008-5940
SQL injection vulnerability in index.php in MODx 0.9.6.2 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the searchid parameter. NOTE: some of these details are obtained from third party information. Vulnerabilidad de inyección SQL en index.php en MODx v0.9.6.2 y versiones anteriores, cuando magic_quotes_gpc no está activo, permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro "searchid". NOTA: algunos de estos detalles han sido obtenidos a partir de la información de terceros. • http://jvn.jp/en/jp/JVN72630020/index.html http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-000005.html http://secunia.com/advisories/33405 http://svn.modxcms.com/svn/tattoo/tattoo/releases/0.9.6.3/install/changelog.txt http://www.securityfocus.com/bid/33182 https://exchange.xforce.ibmcloud.com/vulnerabilities/47840 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2008-5939 – MODx CMS 0.9.6.2 - Remote File Inclusion / Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2008-5939
Cross-site scripting (XSS) vulnerability in index.php in MODx CMS 0.9.6.2 and earlier allows remote attackers to inject arbitrary web script or HTML via a JavaScript event in the username field, possibly related to snippet.ditto.php. NOTE: some sources list the id parameter as being affected, but this is probably incorrect based on the original disclosure. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en index.php en MODx CMS 0.9.6.2 y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante un evento JavaScript en el parámetro id, posiblemente relacionado con snippet.ditto.php. • https://www.exploit-db.com/exploits/7204 http://securityreason.com/securityalert/4940 http://svn.modxcms.com/svn/tattoo/tattoo/releases/0.9.6.3/install/changelog.txt http://www.securityfocus.com/bid/32436 http://www.vupen.com/english/advisories/2008/3236 https://exchange.xforce.ibmcloud.com/vulnerabilities/46796 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •