Modx

Modx Revolution

36 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
8.1

CVE-2017-7323

Exploit
  • EPSS 1.13%
  • Veröffentlicht 30.03.2017 07:59:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

The (1) update and (2) package-installation features in MODX Revolution 2.5.4-pl and earlier use http://rest.modx.com by default, which allows man-in-the-middle attackers to spoof servers and trigger the execution of arbitrary code by leveraging the ...

8.1

CVE-2017-7322

Exploit
  • EPSS 0.51%
  • Veröffentlicht 30.03.2017 07:59:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

The (1) update and (2) package-installation features in MODX Revolution 2.5.4-pl and earlier do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and trigger the execution of arbitrary code via ...

9.8

CVE-2017-7321

Exploit
  • EPSS 2.18%
  • Veröffentlicht 30.03.2017 07:59:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

setup/controllers/welcome.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the config_key parameter to the setup/index.php?action=welcome URI.

6.1

CVE-2017-7320

Exploit
  • EPSS 0.31%
  • Veröffentlicht 30.03.2017 07:59:00
  • Zuletzt bearbeitet 13.05.2026 00:24:29

setup/controllers/language.php in MODX Revolution 2.5.4-pl and earlier does not properly constrain the language parameter, which allows remote attackers to conduct Cookie-Bombing attacks and cause a denial of service (cookie quota exhaustion), or con...

7.5

CVE-2016-10037

  • EPSS 0.79%
  • Veröffentlicht 24.12.2016 11:59:00
  • Zuletzt bearbeitet 06.05.2026 22:30:45

Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted id (aka dir) parameter, related to browser/directory/getlist.

7.5

CVE-2016-10038

  • EPSS 0.79%
  • Veröffentlicht 24.12.2016 11:59:00
  • Zuletzt bearbeitet 06.05.2026 22:30:45

Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted dir parameter, related to browser/directory/remove.

7.5

CVE-2016-10039

  • EPSS 0.79%
  • Veröffentlicht 24.12.2016 11:59:00
  • Zuletzt bearbeitet 06.05.2026 22:30:45

Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted dir parameter, related to browser/directory/getfiles.

4.3

CVE-2014-8992

Exploit
  • EPSS 0.23%
  • Veröffentlicht 22.12.2014 19:59:03
  • Zuletzt bearbeitet 06.05.2026 22:30:45

Cross-site scripting (XSS) vulnerability in manager/assets/fileapi/FileAPI.flash.image.swf in MODX Revolution 2.3.2-pl allows remote attackers to inject arbitrary web script or HTML via the callback parameter.

5

CVE-2014-8775

Exploit
  • EPSS 12.06%
  • Veröffentlicht 03.12.2014 18:59:06
  • Zuletzt bearbeitet 06.05.2026 22:30:45

MODX Revolution 2.x before 2.2.15 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

4.3

CVE-2014-8774

Exploit
  • EPSS 0.89%
  • Veröffentlicht 03.12.2014 18:59:05
  • Zuletzt bearbeitet 06.05.2026 22:30:45

Cross-site scripting (XSS) vulnerability in manager/index.php in MODX Revolution 2.x before 2.2.15 allows remote attackers to inject arbitrary web script or HTML via the context_key parameter.