CVE-2017-1000223
published 2017-11-17CVE-2017-1000223: A stored web content injection vulnerability (WCI, a.k.a XSS) is present in MODX Revolution CMS version 2.5.6 and earlier. An authenticated user with…
PriorityP424medium5.4CVSS 3.0
AVNACLPRLUIRSCCLILAN
EPSS
0.50%
38.9th percentile
A stored web content injection vulnerability (WCI, a.k.a XSS) is present in MODX Revolution CMS version 2.5.6 and earlier. An authenticated user with permissions to edit users can save malicious JavaScript as a User Group name and potentially take control over victims' accounts. This can lead to an escalation of privileges providing complete administrative control over the CMS.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| modx | modx_revolution | <= 2.5.6 | — |
| surina | soundtouch | >= 0 < 1.7.1-5ubuntu0.1~esm1 | 1.7.1-5ubuntu0.1~esm1 |
| surina | soundtouch | >= 0 < 1.9.2-2+deb9u1ubuntu0.1~esm1 | 1.9.2-2+deb9u1ubuntu0.1~esm1 |
| surina | soundtouch | >= 0 < 1.9.2-3ubuntu0.1~esm1 | 1.9.2-3ubuntu0.1~esm1 |
CVSS provenance
nvdv3.05.4MEDIUMCVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvdv2.03.5LOWAV:N/AC:M/Au:S/C:N/I:P/A:N
osv5.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-ppg3-7pr3-2m73: A stored web content injection vulnerability (WCI, a
ghsa_unreviewed·2022-05-17
CVE-2017-1000223 [MEDIUM] CWE-79 GHSA-ppg3-7pr3-2m73: A stored web content injection vulnerability (WCI, a
A stored web content injection vulnerability (WCI, a.k.a XSS) is present in MODX Revolution CMS version 2.5.6 and earlier. An authenticated user with permissions to edit users can save malicious JavaScript as a User Group name and potentially take control over victims' accounts. This can lead to an escalation of privileges providing complete administrative control over the CMS.
OSV
soundtouch vulnerabilities
osv·2021-03-15·CVSS 5.5
CVE-2017-9258 soundtouch vulnerabilities
soundtouch vulnerabilities
It was discovered that SoundTouch incorrectly handled certain WAV files. A
remote attacker could possibly use this issue to cause a denial of service.
This issue only affected Ubuntu 14.04 ESM. (CVE-2017-9258, CVE-2017-9259,
CVE-2017-9260)
It was discovered that SoundTouch incorrectly handled ccertain WAV files. A
remote attacker could possibly use this issue to cause arbitrary code
execution. (CVE-2018-1000223)
It was discovered that SoundTouch incorrectly handled certain inputs. A
remote attacker could possibly use this issue to cause a denial of service.
(CVE-2018-17096)
It was discovered that SoundTouch incorrectly handled certain WAV files. A
remote attacker could possibly use this issue to cause a denial of service
or other unspecified impact. (CVE-2018
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2017-11-17
Published