Information disclosure in MODX Revolution

#VU41040 Information disclosure in MODX Revolution

Published: 2020-08-09

Vulnerability identifier: #VU41040

Vulnerability risk: Medium

CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]

CVE-ID: CVE-2014-8775

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
MODX Revolution
Web applications / CMS

Vendor: MODX

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

MODX Revolution 2.x before 2.2.15 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Mitigation
Install update from vendor's website.

Vulnerable software versions

MODX Revolution: 2.0.0 - 2.2.14

External links
http://forums.modx.com/thread/92152/critical-login-xss-csrf-revolution-2-2-1-4-and-prior
http://hacktivity.websecgeeks.com/modx-csrf-and-xss/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Multiple vulnerabilities in MODX Revolution