CVSS: 8.8EPSS: 0%CPEs: 29EXPL: 2CVE-2014-8773 – MODx CMS 2.2.14 - Cross-Site Request Forgery Bypass / Reflected Cross-Site Scripting / Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-8773
03 Dec 2014 — MODX Revolution 2.x before 2.2.15 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism by (1) omitting the CSRF token or via a (2) long string in the CSRF token parameter. MODX Revolution 2.x anterior a 2.2.15 permite a atacantes remotos evadir el mecanismo de protección de CSRF mediante la (1) omisión del token CSRF o a través de una (2) cadena larga en el parámetro del token CSRF. • https://www.exploit-db.com/exploits/35159 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 29EXPL: 2CVE-2014-8774 – MODx CMS 2.2.14 - Cross-Site Request Forgery Bypass / Reflected Cross-Site Scripting / Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-8774
03 Dec 2014 — Cross-site scripting (XSS) vulnerability in manager/index.php in MODX Revolution 2.x before 2.2.15 allows remote attackers to inject arbitrary web script or HTML via the context_key parameter. Vulnerabilidad de XSS en manager/index.php en MODX Revolution 2.x anterior a 2.2.15 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro context_key. • https://www.exploit-db.com/exploits/35159 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 6%CPEs: 29EXPL: 2CVE-2014-8775 – MODx CMS 2.2.14 - Cross-Site Request Forgery Bypass / Reflected Cross-Site Scripting / Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-8775
03 Dec 2014 — MODX Revolution 2.x before 2.2.15 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. MODX Revolution 2.x anterior a 2.2.15 no incluye el indicador HTTPOnly en una cabecera de fijar la cookie en la cookie de la sesión, lo que facilita a atacantes remotos obtener información potencialmente sensible a través del acceso de secuencias de comandos a esta cookie. • https://www.exploit-db.com/exploits/35159 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 5CVE-2014-5451 – MODX Revolution 2.3.1-pl Cross Site Scripting
https://notcve.org/view.php?id=CVE-2014-5451
17 Sep 2014 — Cross-site scripting (XSS) vulnerability in manager/templates/default/header.tpl in MODX Revolution 2.3.1-pl and earlier allows remote attackers to inject arbitrary web script or HTML via the "a" parameter to manager/. NOTE: this issue exists because of a CVE-2014-2080 regression. Vulnerabilidad de XSS en manager/templates/default/header.tpl en MODX Revolution 2.3.1-pl y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro 'a' en manager/. NOTA... • https://packetstorm.news/files/id/128302 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 28EXPL: 1CVE-2014-2736 – MODx Blind SQL Injection
https://notcve.org/view.php?id=CVE-2014-2736
21 Apr 2014 — Multiple SQL injection vulnerabilities in MODX Revolution before 2.2.14 allow remote attackers to execute arbitrary SQL commands via the (1) session ID (PHPSESSID) to index.php or remote authenticated users to execute arbitrary SQL commands via the (2) user parameter to connectors/security/message.php or (3) id parameter to manager/index.php. Múltiples vulnerabilidades de inyección SQL en MODX Revolution anterior a 2.2.14 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de (1) ID de se... • https://packetstorm.news/files/id/126248 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •