Cross-site scripting in MODX Revolution

#VU38632 Cross-site scripting in MODX Revolution

Published: 2017-07-30 | Updated: 2020-08-08

Vulnerability identifier: #VU38632

Vulnerability risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-11744

CWE-ID: CWE-79

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
MODX Revolution
Web applications / CMS

Vendor: MODX

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

In MODX Revolution 2.5.7, the "key" and "name" parameters in the System Settings module are vulnerable to XSS. A malicious payload sent to connectors/index.php will be triggered by every user, when they visit this module.

Mitigation
Install update from vendor's website.

Vulnerable software versions

MODX Revolution: 2.5.7

External links
http://github.com/modxcms/revolution/issues/13564

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in MODX Revolution