Filtered by vendor Modx
Subscriptions
Total
43 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2015-6588 | 1 Modx | 1 Modx Revolution | 2024-08-06 | N/A |
Cross-site scripting (XSS) vulnerability in login-fsp.html in MODX Revolution before 1.9.1 allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING. | ||||
CVE-2016-10037 | 1 Modx | 1 Modx Revolution | 2024-08-06 | 7.3 High |
Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted id (aka dir) parameter, related to browser/directory/getlist. | ||||
CVE-2016-10039 | 1 Modx | 1 Modx Revolution | 2024-08-06 | 7.3 High |
Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted dir parameter, related to browser/directory/getfiles. | ||||
CVE-2016-10038 | 1 Modx | 1 Modx Revolution | 2024-08-06 | N/A |
Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted dir parameter, related to browser/directory/remove. | ||||
CVE-2017-1000067 | 1 Modx | 1 Revolution | 2024-08-05 | N/A |
MODX Revolution version 2.x - 2.5.6 is vulnerable to blind SQL injection caused by improper sanitization by the escape method resulting in authenticated user accessing database and possibly escalating privileges. | ||||
CVE-2017-7322 | 1 Modx | 1 Modx Revolution | 2024-08-05 | 8.1 High |
The (1) update and (2) package-installation features in MODX Revolution 2.5.4-pl and earlier do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and trigger the execution of arbitrary code via a crafted certificate. | ||||
CVE-2017-7320 | 1 Modx | 1 Modx Revolution | 2024-08-05 | 6.1 Medium |
setup/controllers/language.php in MODX Revolution 2.5.4-pl and earlier does not properly constrain the language parameter, which allows remote attackers to conduct Cookie-Bombing attacks and cause a denial of service (cookie quota exhaustion), or conduct HTTP Response Splitting attacks with resultant XSS, via an invalid parameter value. | ||||
CVE-2017-7324 | 1 Modx | 1 Modx Revolution | 2024-08-05 | 9.8 Critical |
setup/templates/findcore.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the core_path parameter. | ||||
CVE-2017-7323 | 1 Modx | 1 Modx Revolution | 2024-08-05 | 8.1 High |
The (1) update and (2) package-installation features in MODX Revolution 2.5.4-pl and earlier use http://rest.modx.com by default, which allows man-in-the-middle attackers to spoof servers and trigger the execution of arbitrary code by leveraging the lack of the HTTPS protection mechanism. | ||||
CVE-2017-7321 | 1 Modx | 1 Modx Revolution | 2024-08-05 | 9.8 Critical |
setup/controllers/welcome.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the config_key parameter to the setup/index.php?action=welcome URI. | ||||
CVE-2018-1000207 | 1 Modx | 1 Modx Revolution | 2024-08-05 | N/A |
MODX Revolution version <=2.6.4 contains a Incorrect Access Control vulnerability in Filtering user parameters before passing them into phpthumb class that can result in Creating file with custom a filename and content. This attack appear to be exploitable via Web request. This vulnerability appears to have been fixed in commit 06bc94257408f6a575de20ddb955aca505ef6e68. | ||||
CVE-2018-20757 | 1 Modx | 1 Modx Revolution | 2024-08-05 | N/A |
MODX Revolution through v2.7.0-pl allows XSS via an extended user field such as Container name or Attribute name. | ||||
CVE-2018-20755 | 1 Modx | 1 Modx Revolution | 2024-08-05 | N/A |
MODX Revolution through v2.7.0-pl allows XSS via the User Photo field. | ||||
CVE-2018-20758 | 1 Modx | 1 Modx Revolution | 2024-08-05 | 5.4 Medium |
MODX Revolution through v2.7.0-pl allows XSS via User Settings such as Description. | ||||
CVE-2018-20756 | 1 Modx | 1 Modx Revolution | 2024-08-05 | N/A |
MODX Revolution through v2.7.0-pl allows XSS via a document resource (such as pagetitle), which is mishandled during an Update action, a Quick Edit action, or the viewing of manager logs. | ||||
CVE-2018-16637 | 1 Modx | 1 Evolution Cms | 2024-08-05 | N/A |
Evolution CMS 1.4.x allows XSS via the page weblink title parameter to the manager/ URI. | ||||
CVE-2018-16638 | 1 Modx | 1 Evolution Cms | 2024-08-05 | N/A |
Evolution CMS 1.4.x allows XSS via the manager/ search parameter. | ||||
CVE-2018-10382 | 1 Modx | 1 Modx Revolution | 2024-08-05 | N/A |
MODX Revolution 2.6.3 has XSS. | ||||
CVE-2019-1010178 | 1 Modx | 1 Fred | 2024-08-05 | 9.8 Critical |
Fred MODX Revolution < 1.0.0-beta5 is affected by: Incorrect Access Control - CWE-648. The impact is: Remote Code Execution. The component is: assets/components/fred/web/elfinder/connector.php. The attack vector is: Uploading a PHP file or change data in the database. The fixed version is: https://github.com/modxcms/fred/commit/139cefac83b2ead90da23187d92739dec79d3ccd and https://github.com/modxcms/fred/commit/01f0a3d1ae7f3970639c2a0db1887beba0065246. | ||||
CVE-2019-1010123 | 1 Modx | 1 Modx Revolution | 2024-08-05 | N/A |
MODX Revolution Gallery 1.7.0 is affected by: CWE-434: Unrestricted Upload of File with Dangerous Type. The impact is: Creating file with custom a filename and content. The component is: Filtering user parameters before passing them into phpthumb class. The attack vector is: web request via /assets/components/gallery/connector.php. |