CVSS: 7.2EPSS: 3%CPEs: 1EXPL: 3CVE-2022-26149 – MODX Revolution v2.8.3-pl - Authenticated Remote Code Execution
https://notcve.org/view.php?id=CVE-2022-26149
26 Feb 2022 — MODX Revolution through 2.8.3-pl allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Uploadable File Types setting can be changed by an administrator. MODX Revolution versiones hasta 2.8.3-pl, permite a administradores remotos autenticados ejecutar código arbitrario al subir un archivo ejecutable, ya que la configuración de Tipos de Archivos para Subir puede ser cambiada por un administrador. MODX Revolution version 2.8.3-pl suffers from an authe... • https://packetstorm.news/files/id/171488 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 0%CPEs: 37EXPL: 0CVE-2017-1000067
https://notcve.org/view.php?id=CVE-2017-1000067
13 Jul 2017 — MODX Revolution version 2.x - 2.5.6 is vulnerable to blind SQL injection caused by improper sanitization by the escape method resulting in authenticated user accessing database and possibly escalating privileges. MODX Revolution versión 2.x hasta 2.5.6, es vulnerable a inyección SQL ciega causada por un saneamiento inapropiado mediante el método de escape, resultando en que un usuario autenticado acceda a la base de datos y posiblemente escale privilegios. • https://github.com/modxcms/revolution/blob/9bf1c6cf7bdc12190b404f93ce7798b39c07bc59/core/xpdo/changelog.txt • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 29EXPL: 2CVE-2014-8773 – MODx CMS 2.2.14 - Cross-Site Request Forgery Bypass / Reflected Cross-Site Scripting / Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-8773
03 Dec 2014 — MODX Revolution 2.x before 2.2.15 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism by (1) omitting the CSRF token or via a (2) long string in the CSRF token parameter. MODX Revolution 2.x anterior a 2.2.15 permite a atacantes remotos evadir el mecanismo de protección de CSRF mediante la (1) omisión del token CSRF o a través de una (2) cadena larga en el parámetro del token CSRF. • https://www.exploit-db.com/exploits/35159 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 29EXPL: 2CVE-2014-8774 – MODx CMS 2.2.14 - Cross-Site Request Forgery Bypass / Reflected Cross-Site Scripting / Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-8774
03 Dec 2014 — Cross-site scripting (XSS) vulnerability in manager/index.php in MODX Revolution 2.x before 2.2.15 allows remote attackers to inject arbitrary web script or HTML via the context_key parameter. Vulnerabilidad de XSS en manager/index.php en MODX Revolution 2.x anterior a 2.2.15 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro context_key. • https://www.exploit-db.com/exploits/35159 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 6%CPEs: 29EXPL: 2CVE-2014-8775 – MODx CMS 2.2.14 - Cross-Site Request Forgery Bypass / Reflected Cross-Site Scripting / Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-8775
03 Dec 2014 — MODX Revolution 2.x before 2.2.15 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. MODX Revolution 2.x anterior a 2.2.15 no incluye el indicador HTTPOnly en una cabecera de fijar la cookie en la cookie de la sesión, lo que facilita a atacantes remotos obtener información potencialmente sensible a través del acceso de secuencias de comandos a esta cookie. • https://www.exploit-db.com/exploits/35159 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 28EXPL: 1CVE-2014-2736 – MODx Blind SQL Injection
https://notcve.org/view.php?id=CVE-2014-2736
21 Apr 2014 — Multiple SQL injection vulnerabilities in MODX Revolution before 2.2.14 allow remote attackers to execute arbitrary SQL commands via the (1) session ID (PHPSESSID) to index.php or remote authenticated users to execute arbitrary SQL commands via the (2) user parameter to connectors/security/message.php or (3) id parameter to manager/index.php. Múltiples vulnerabilidades de inyección SQL en MODX Revolution anterior a 2.2.14 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de (1) ID de se... • https://packetstorm.news/files/id/126248 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 27EXPL: 0CVE-2014-2311
https://notcve.org/view.php?id=CVE-2014-2311
11 Mar 2014 — SQL injection vulnerability in modx.class.php in MODX Revolution 2.0.0 before 2.2.13 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en modx.class.php en MODX Revolution 2.0.0 anterior a 2.2.13 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de vectores no especificados. • http://forums.modx.com/thread/89486/modx-revolution-2-x-sql-injection • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 26EXPL: 1CVE-2014-2080
https://notcve.org/view.php?id=CVE-2014-2080
28 Feb 2014 — Cross-site scripting (XSS) vulnerability in manager/templates/default/header.tpl in ModX Revolution before 2.2.11 allows remote attackers to inject arbitrary web script or HTML via the "a" parameter. Vulnerabilidad de XSS en manager/templates/default/header.tpl en ModX Revolution en versiones anteriores a 2.2.11 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro "a". • http://modx.com/blog/2014/01/21/revolution-2.2.11%E2%80%94security-fixes-and-prevent-change-loss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •