9.8

CVE-2019-1010178

Exploit

Fred MODX Revolution < 1.0.0-beta5 is affected by: Incorrect Access Control - CWE-648. The impact is: Remote Code Execution. The component is: assets/components/fred/web/elfinder/connector.php. The attack vector is: Uploading a PHP file or change data in the database. The fixed version is: https://github.com/modxcms/fred/commit/139cefac83b2ead90da23187d92739dec79d3ccd and https://github.com/modxcms/fred/commit/01f0a3d1ae7f3970639c2a0db1887beba0065246.

Data is provided by the National Vulnerability Database (NVD)
ModxFred Version1.0.0 Update- SwPlatformmodx
ModxFred Version1.0.0 Updatebeta2 SwPlatformmodx
ModxFred Version1.0.0 Updatebeta4 SwPlatformmodx
ModxFred Version1.0.0 Updatepl SwPlatformmodx
ModxFred Version1.0.0 Updaterc SwPlatformmodx
ModxFred Version1.0.0 Updaterc1 SwPlatformmodx
ModxFred Version1.0.0 Updaterc2 SwPlatformmodx
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 2.37% 0.835
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CWE-648 Incorrect Use of Privileged APIs

The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

https://www.youtube.com/watch?v=vOlw2DP9WbE
Third Party Advisory
Exploit