Page 3 of 18 results (0.008 seconds)

CVSS: 4.3EPSS: 0%CPEs: 7EXPL: 2

Cross-site scripting (XSS) vulnerability in index.php in MODx CMS 0.9.6.2 and earlier allows remote attackers to inject arbitrary web script or HTML via a JavaScript event in the username field, possibly related to snippet.ditto.php. NOTE: some sources list the id parameter as being affected, but this is probably incorrect based on the original disclosure. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en index.php en MODx CMS 0.9.6.2 y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección mediante un evento JavaScript en el parámetro id, posiblemente relacionado con snippet.ditto.php. • https://www.exploit-db.com/exploits/7204 http://securityreason.com/securityalert/4940 http://svn.modxcms.com/svn/tattoo/tattoo/releases/0.9.6.3/install/changelog.txt http://www.securityfocus.com/bid/32436 http://www.vupen.com/english/advisories/2008/3236 https://exchange.xforce.ibmcloud.com/vulnerabilities/46796 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.8EPSS: 4%CPEs: 7EXPL: 2

PHP remote file inclusion vulnerability in assets/snippets/reflect/snippet.reflect.php in MODx CMS 0.9.6.2 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary PHP code via a URL in the reflect_base parameter. Vulnerabilidad de inclusión remota de archivos en PHP en assets/snippets/reflect/snippet.reflect.php en MODx CMS v0.9.6.2 y versiones anteriores, cuando magic_quotes_gpc no está activo, permite a atacantes remotos ejecutar código PHP de su elección a través de una URL en el parámetro "reflect_base". • https://www.exploit-db.com/exploits/7204 http://secunia.com/advisories/32824 http://securityreason.com/securityalert/4940 http://svn.modxcms.com/svn/tattoo/tattoo/releases/0.9.6.3/install/changelog.txt http://www.securityfocus.com/bid/32436 http://www.vupen.com/english/advisories/2008/3236 https://exchange.xforce.ibmcloud.com/vulnerabilities/46797 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 6.4EPSS: 2%CPEs: 1EXPL: 4

Multiple directory traversal vulnerabilities in MODx Content Management System 0.9.6.1 allow remote attackers to (1) include and execute arbitrary local files via a .. (dot dot) in the as_language parameter to assets/snippets/AjaxSearch/AjaxSearch.php, reached through index-ajax.php; and (2) read arbitrary local files via a .. (dot dot) in the file parameter to assets/js/htcmime.php. Múltiples vulnerabilidades de salto de directorio en MODx Content Management System 0.9.6.1 permiten a atacantes remotos (1) incluir y ejecutar ficheros locales de su elección mediante un .. (punto punto) en el parámetro as_language en assets/snippets/AjaxSearch/AjaxSearch.php, alcanzado a través de index-ajax.php; y (2) leer ficheros locales de su elección mediante un .. • https://www.exploit-db.com/exploits/30969 https://www.exploit-db.com/exploits/30968 http://modxcms.com/forums/index.php/topic%2C21290.0.html http://secunia.com/advisories/28220 http://securityreason.com/securityalert/3522 http://www.securityfocus.com/archive/1/485707/100/0/threaded http://www.securityfocus.com/bid/27096 http://www.securityfocus.com/bid/27097 https://exchange.xforce.ibmcloud.com/vulnerabilities/39352 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0

Multiple SQL injection vulnerabilities in mutate_content.dynamic.php in MODx 0.9.6 allow remote attackers to execute arbitrary SQL commands via the (1) documentDirty or (2) modVariables parameter. Múltiples vulnerabilidades de inyección SQL en mutate_content.dynamic.php de MODx 0.9.6 permiten a atacantes remotos ejecutar comandos SQL de su elección a través de los parámetros (1) documentDirty o (2) modVariables. • http://osvdb.org/38584 http://securityreason.com/securityalert/3215 http://www.securityfocus.com/archive/1/481870/100/0/threaded • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.5EPSS: 2%CPEs: 2EXPL: 0

download.php in the MuddyDogPaws FileDownload snippet before 2.5 for MODx allows remote attackers to download arbitrary files, as demonstrated by downloading config.inc.php to obtain database credentials. download.php en el fragmento de código MuddyDogPaws FileDownload versiones anteriores a 2.5 para MODx, permite a atacantes remotos descargar ficheros de su elección, como se demuestra descargando config.inc.php para obtener credenciales de base de datos. • http://modxcms.com/forums/index.php/topic%2C10470.0.html http://secunia.com/advisories/23953 http://www.muddydogpaws.com/Home.html http://www.securityfocus.com/bid/22327 http://www.vupen.com/english/advisories/2007/0426 •