Main Vulnerability Database Vulnerabilities #VU41040

#VU41040 Information disclosure in MODX Revolution - CVE-2014-8775

Published: December 3, 2014 / Updated: August 9, 2020

Vulnerability identifier: #VU41040

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green

CVE-ID: CVE-2014-8775

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vulnerable software:
MODX Revolution

Software vendor:
MODX

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

MODX Revolution 2.x before 2.2.15 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Remediation

Install update from vendor's website.

External links

http://forums.modx.com/thread/92152/critical-login-xss-csrf-revolution-2-2-1-4-and-prior
http://hacktivity.websecgeeks.com/modx-csrf-and-xss/

#VU41040 Information disclosure in MODX Revolution - CVE-2014-8775

Description

Remediation

External links

Please verify you're human