
CVE-2019-1010123
https://notcve.org/view.php?id=CVE-2019-1010123
23 Jul 2019 — MODX Revolution Gallery 1.7.0 is affected by CWE-434: Unrestricted Upload of File with Dangerous Type. The impact is: creating a file with a custom filename and content. The component is: filtering of user parameters before passing them into the phpthumb class. The attack vector is: a web request via /assets/components/gallery/connector.php. • https://modx.pro/security/15912#comment-99640 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2018-20755
https://notcve.org/view.php?id=CVE-2018-20755
06 Feb 2019 — MODX Revolution through v2.7.0-pl allows XSS via the User Photo field. • https://github.com/modxcms/revolution/issues/14102 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-20756
https://notcve.org/view.php?id=CVE-2018-20756
06 Feb 2019 — MODX Revolution through v2.7.0-pl allows XSS via a document resource (such as pagetitle), which is mishandled during an Update action, a Quick Edit action, or the viewing of manager logs. • https://github.com/modxcms/revolution/issues/14105 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-20757
https://notcve.org/view.php?id=CVE-2018-20757
06 Feb 2019 — MODX Revolution through v2.7.0-pl allows XSS via an extended user field such as Container name or Attribute name. • https://github.com/modxcms/revolution/issues/14104 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-20758
https://notcve.org/view.php?id=CVE-2018-20758
06 Feb 2019 — MODX Revolution through v2.7.0-pl allows XSS via User Settings such as Description. • https://github.com/modxcms/revolution/issues/14103 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2018-1000207 – MODX Revolution Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-1000207
13 Jul 2018 — MODX Revolution version <=2.6.4 contains an Incorrect Access Control vulnerability in the filtering of user parameters before passing them into the phpthumb class that can result in creating a file with a custom filename and content. This attack appears to be exploitable via a web request. This vulnerability appears to have been fixed in commit 06bc94257408f6a575de20ddb955aca505ef6e68. • https://packetstorm.news/files/id/148597 • CWE-732: Incorrect Permission Assignment for Critical Resource

CVE-2018-1000208
https://notcve.org/view.php?id=CVE-2018-1000208
13 Jul 2018 — MODX Revolution version <=2.6.4 contains a Directory Traversal vulnerability in /core/model/modx/modmanagerrequest.class.php that can result in removal of files. This attack appears to be exploitable via a web request to the security/login processor. This vulnerability appears to have been fixed in pull request 13980. • https://github.com/modxcms/revolution/pull/13980 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2017-1000223
https://notcve.org/view.php?id=CVE-2017-1000223
17 Nov 2017 — A stored web content injection vulnerability (WCI, a.k.a. XSS) is present in MODX Revolution CMS version 2.5.6 and earlier. An authenticated user with permissions to edit users can save malicious JavaScript as a User Group name and potentially take control over victims' accounts. This can lead to an escalation of privileges providing complete administrative control over the CMS. • https://raw.githubusercontent.com/modxcms/revolution/v2.5.7-pl/core/docs/changelog.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-9068
https://notcve.org/view.php?id=CVE-2017-9068
18 May 2017 — In MODX Revolution before 2.5.7, an attacker is able to trigger Reflected XSS by injecting payloads into several fields on the setup page, as demonstrated by the database_type parameter. • https://citadelo.com/en/2017/04/modx-revolution-cms • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-9069
https://notcve.org/view.php?id=CVE-2017-9069
18 May 2017 — In MODX Revolution before 2.5.7, a user with file upload permissions is able to execute arbitrary code by uploading a file with the name .htaccess. • https://citadelo.com/en/2017/04/modx-revolution-cms • CWE-434: Unrestricted Upload of File with Dangerous Type