Vulnerabilities > Modx > Modx Revolution > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-10-31 | CVE-2020-25911 | XXE vulnerability in Modx Revolution 2.7.3 A XML External Entity (XXE) vulnerability was discovered in the modRestServiceRequest component in MODX CMS 2.7.3 which can lead to an information disclosure or denial of service (DOS). | 6.4 |
| 2019-07-23 | CVE-2019-1010123 | Unrestricted Upload of File with Dangerous Type vulnerability in Modx Revolution MODX Revolution Gallery 1.7.0 is affected by: CWE-434: Unrestricted Upload of File with Dangerous Type. | 5.0 |
| 2019-02-06 | CVE-2018-20757 | Cross-site Scripting vulnerability in Modx Revolution MODX Revolution through v2.7.0-pl allows XSS via an extended user field such as Container name or Attribute name. | 4.3 |
| 2019-02-06 | CVE-2018-20756 | Cross-site Scripting vulnerability in Modx Revolution MODX Revolution through v2.7.0-pl allows XSS via a document resource (such as pagetitle), which is mishandled during an Update action, a Quick Edit action, or the viewing of manager logs. | 4.3 |
| 2019-02-06 | CVE-2018-20755 | Cross-site Scripting vulnerability in Modx Revolution MODX Revolution through v2.7.0-pl allows XSS via the User Photo field. | 4.3 |
| 2018-07-13 | CVE-2018-1000208 | Path Traversal vulnerability in Modx Revolution MODX Revolution version <=2.6.4 contains a Directory Traversal vulnerability in /core/model/modx/modmanagerrequest.class.php that can result in remove files. | 6.4 |
| 2018-07-13 | CVE-2018-1000207 | Incorrect Permission Assignment for Critical Resource vulnerability in Modx Revolution MODX Revolution version <=2.6.4 contains a Incorrect Access Control vulnerability in Filtering user parameters before passing them into phpthumb class that can result in Creating file with custom a filename and content. | 6.5 |
| 2017-08-29 | CVE-2015-6588 | Cross-site Scripting vulnerability in Modx Revolution Cross-site scripting (XSS) vulnerability in login-fsp.html in MODX Revolution before 1.9.1 allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING. | 4.3 |
| 2017-07-30 | CVE-2017-11744 | Cross-site Scripting vulnerability in Modx Revolution 2.5.7 In MODX Revolution 2.5.7, the "key" and "name" parameters in the System Settings module are vulnerable to XSS. | 4.3 |
| 2017-05-18 | CVE-2017-9069 | Unrestricted Upload of File with Dangerous Type vulnerability in Modx Revolution In MODX Revolution before 2.5.7, a user with file upload permissions is able to execute arbitrary code by uploading a file with the name .htaccess. | 6.5 |