CVE-2014-8774 – MODx CMS 2.2.14 - Cross-Site Request Forgery Bypass / Reflected Cross-Site Scripting / Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-8774
Cross-site scripting (XSS) vulnerability in manager/index.php in MODX Revolution 2.x before 2.2.15 allows remote attackers to inject arbitrary web script or HTML via the context_key parameter.
References:
https://www.exploit-db.com/exploits/35159
http://forums.modx.com/thread/92152/critical-login-xss-csrf-revolution-2-2-1-4-and-prior
http://hacktivity.websecgeeks.com/modx-csrf-and-xss
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-5451 – MODX Revolution 2.3.1-pl Cross Site Scripting
https://notcve.org/view.php?id=CVE-2014-5451
Cross-site scripting (XSS) vulnerability in manager/templates/default/header.tpl in MODX Revolution 2.3.1-pl and earlier allows remote attackers to inject arbitrary web script or HTML via the "a" parameter to manager/. NOTE: this issue exists because of a CVE-2014-2080 regression. MODX Revolution version 2.3.1-pl suffers from a reflected cross-site scripting vulnerability.
References:
http://packetstormsecurity.com/files/128302/MODX-Revolution-2.3.1-pl-Cross-Site-Scripting.html
http://www.securityfocus.com/archive/1/533466/100/0/threaded
http://www.securityfocus.com/bid/69884
https://github.com/modxcms/revolution/commit/e36f80f18e9514204bf2ce82747c8adf7e47a9c9
https://www.htbridge.com/advisory/HTB23229
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2736 – MODx Blind SQL Injection
https://notcve.org/view.php?id=CVE-2014-2736
Multiple SQL injection vulnerabilities in MODX Revolution before 2.2.14 allow remote attackers to execute arbitrary SQL commands via the (1) session ID (PHPSESSID) to index.php, or remote authenticated users to execute arbitrary SQL commands via the (2) user parameter to connectors/security/message.php or (3) id parameter to manager/index.php. MODx versions prior to 2.2.14 suffer from multiple remote blind SQL injection vulnerabilities.
References:
http://archives.neohapsis.com/archives/bugtraq/2014-04/0124.html
http://forums.modx.com/thread/90173/modx-revolution-2-2-13-and-prior-blind-sql-injection
http://secunia.com/advisories/58036
http://www.securityfocus.com/bid/66990
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2014-2311
https://notcve.org/view.php?id=CVE-2014-2311
SQL injection vulnerability in modx.class.php in MODX Revolution 2.0.0 before 2.2.13 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
References:
http://forums.modx.com/thread/89486/modx-revolution-2-x-sql-injection
http://modx.com/blog/2014/03/07/revolution-2.2.13
http://www.openwall.com/lists/oss-security/2014/03/09/3
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2014-2080
https://notcve.org/view.php?id=CVE-2014-2080
Cross-site scripting (XSS) vulnerability in manager/templates/default/header.tpl in ModX Revolution before 2.2.11 allows remote attackers to inject arbitrary web script or HTML via the "a" parameter.
References:
http://modx.com/blog/2014/01/21/revolution-2.2.11%E2%80%94security-fixes-and-prevent-change-loss
http://seclists.org/oss-sec/2014/q1/431
http://secunia.com/advisories/57038
http://www.securityfocus.com/bid/65755
https://github.com/modxcms/revolution/commit/77463eb6a8090f474b04fdc1b72225cb93c558ea
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')