Modx: >> Modx Revolution >> 1.7.0 Security Vulnerabilities
Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted dir parameter, related to browser/directory/getfiles.
CVSS Score
7.3
EPSS Score
0.008
Published
2016-12-24
Multiple SQL injection vulnerabilities in MODX Revolution before 2.2.14 allow remote attackers to execute arbitrary SQL commands via the (1) session ID (PHPSESSID) to index.php or remote authenticated users to execute arbitrary SQL commands via the (2) user parameter to connectors/security/message.php or (3) id parameter to manager/index.php.
CVSS Score
7.5
EPSS Score
0.004
Published
2014-04-24
Cross-site scripting (XSS) vulnerability in manager/templates/default/header.tpl in ModX Revolution before 2.2.11 allows remote attackers to inject arbitrary web script or HTML via the "a" parameter.
CVSS Score
4.3
EPSS Score
0.003
Published
2014-03-01
Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter. NOTE: some of these details are obtained from third party information.
CVSS Score
4.3
EPSS Score
0.234
Published
2012-10-07
Page 3