Vulnerabilities > Modx > Modx Revolution
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-03-30 | CVE-2017-7323 | Multiple Security vulnerability in MODX Revolution CMS The (1) update and (2) package-installation features in MODX Revolution 2.5.4-pl and earlier use http://rest.modx.com by default, which allows man-in-the-middle attackers to spoof servers and trigger the execution of arbitrary code by leveraging the lack of the HTTPS protection mechanism. network modx | 6.8 |
| 2017-03-30 | CVE-2017-7322 | Improper Certificate Validation vulnerability in Modx Revolution The (1) update and (2) package-installation features in MODX Revolution 2.5.4-pl and earlier do not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and trigger the execution of arbitrary code via a crafted certificate. | 6.8 |
| 2017-03-30 | CVE-2017-7321 | Code Injection vulnerability in Modx Revolution setup/controllers/welcome.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the config_key parameter to the setup/index.php?action=welcome URI. | 7.5 |
| 2017-03-30 | CVE-2017-7320 | Cross-site Scripting vulnerability in Modx Revolution setup/controllers/language.php in MODX Revolution 2.5.4-pl and earlier does not properly constrain the language parameter, which allows remote attackers to conduct Cookie-Bombing attacks and cause a denial of service (cookie quota exhaustion), or conduct HTTP Response Splitting attacks with resultant XSS, via an invalid parameter value. | 4.3 |
| 2016-12-24 | CVE-2016-10039 | Path Traversal vulnerability in Modx Revolution Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted dir parameter, related to browser/directory/getfiles. | 7.5 |
| 2016-12-24 | CVE-2016-10038 | Path Traversal vulnerability in Modx Revolution Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted dir parameter, related to browser/directory/remove. | 7.5 |
| 2016-12-24 | CVE-2016-10037 | Path Traversal vulnerability in Modx Revolution Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted id (aka dir) parameter, related to browser/directory/getlist. | 7.5 |
| 2014-12-22 | CVE-2014-8992 | Cross-Site Scripting vulnerability in Modx Revolution 2.3.2 Cross-site scripting (XSS) vulnerability in manager/assets/fileapi/FileAPI.flash.image.swf in MODX Revolution 2.3.2-pl allows remote attackers to inject arbitrary web script or HTML via the callback parameter. | 4.3 |
| 2014-12-03 | CVE-2014-8775 | Information Exposure vulnerability in Modx Revolution MODX Revolution 2.x before 2.2.15 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. | 5.0 |
| 2014-12-03 | CVE-2014-8774 | Cross-Site Scripting vulnerability in Modx Revolution Cross-site scripting (XSS) vulnerability in manager/index.php in MODX Revolution 2.x before 2.2.15 allows remote attackers to inject arbitrary web script or HTML via the context_key parameter. | 4.3 |