CVE-2010-5278
Published: 2012-10-07
Priority: P3 (39) · Severity: medium · CVSS 2.0 base score: 4.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Exploit: public exploit available
EPSS: 17.03% (96.7th percentile)
Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter. NOTE: some of these details are obtained from third party information.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| modx | modx_revolution | <= 2.0.2 | — |
Detection rules: none found.
Exploit-DB
MODx manager - '/controllers/default/resource/tvs.php?class_key' Traversal Local File Inclusion (exploitdb, 2010-09-29)
---
source: https://www.securityfocus.com/bid/43577/info
MODx is prone to a local file-include vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute local files within the context of the webserver process. Information harvested may aid in further attacks.
The attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Nuclei
MODx manager - Local File Inclusion (nuclei, severity MEDIUM, CVSS 4.3)
Template:
```yaml
id: CVE-2010-5278

info:
  name: MODx manager - Local File Inclusion
  author: daffainfo
  severity: medium
  description: A directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl and possibly earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter when magic_quotes_gpc is disabled.
  impact: |
    An attacker can exploit this vulnerability to read arbitrary files on the server, potentially leading
```
References
- http://modxcms.com/forums/index.php/topic%2C55104.0.html
- http://modxcms.com/forums/index.php/topic%2C55105.msg317273.html
- http://packetstormsecurity.org/1009-exploits/modx202pl-lfi.txt
- http://secunia.com/advisories/41638
- http://www.johnleitch.net/Vulnerabilities/MODx.Revolution.2.0.2-pl.Local.File.Inclusion/49
- http://www.osvdb.org/68265
- http://www.securityfocus.com/bid/43577
- https://exchange.xforce.ibmcloud.com/vulnerabilities/62073