
Modx Revolution vulnerabilities

15 known vulnerabilities affecting modx/revolution.

Total CVEs: 15
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 1, HIGH 5, MEDIUM 7, LOW 2

Vulnerabilities

Columns per entry: CVE | priority | severity | flags (CVSS score, PoC, Exploited) | affected versions | date

CVE-2018-1000207 | P2 | HIGH | Exploited | Affected: >= 0, < 2.7.0 | 2022-05-13
  CWE-732: MODX Revolution Incorrect Access Control vulnerability
  MODX Revolution version <=2.6.4 contains an Incorrect Access Control vulnerability in the filtering of user parameters before passing them into the phpthumb class, which can result in creating a file with a custom filename and content. This attack appears to be exploitable via a Web request. This vulnerability appears to have been fixed in commit 06bc94257408f6a575de20ddb95
  Sources: GHSA, OSV

CVE-2022-26149 | P3 | HIGH | CVSS 7.2 | PoC | Affected: <= 2.8.3 | 2022-02-26
  CWE-434: MODX Revolution through 2.8.3-pl allows remote authenticated administrators to execute arbitrary code by uploading an executable file, because the Uploadable File Types setting can be changed by an administrator.
  Sources: GHSA, NVD, OSV

CVE-2017-1000067 | P3 | HIGH | CVSS 8.8 | Affected: v2.0.0, v2.0.1, +27 more | 2017-07-17
  CWE-89: MODX Revolution version 2.x - 2.5.6 is vulnerable to blind SQL injection caused by improper sanitization by the escape method, resulting in an authenticated user accessing the database and possibly escalating privileges.
  Sources: GHSA, NVD, OSV

CVE-2017-9069 | P3 | HIGH | Affected: >= 0, < 2.5.7 | 2022-05-17
  CWE-434: MODX Revolution allows overwriting .htaccess
  In MODX Revolution before 2.5.7, a user with file upload permissions is able to execute arbitrary code by uploading a file with the name .htaccess.
  Sources: GHSA, OSV

CVE-2020-25911 | P3 | CRITICAL | Affected: >= 0, < 2.8.0 | 2021-11-01
  CWE-611: XML External Entity vulnerability in MODX CMS
  An XML External Entity (XXE) vulnerability was discovered in the modRestServiceRequest component in MODX CMS 2.7.3, which can lead to information disclosure or denial of service (DoS).
  Sources: GHSA, OSV

CVE-2010-4883 | P4 | LOW | CVSS 2.6 | PoC | Affected: v2.0.2-pl | 2011-10-07
  CWE-79: Cross-site scripting (XSS) vulnerability in manager/index.php in MODx Revolution 2.0.2-pl allows remote attackers to inject arbitrary web script or HTML via the modhash parameter.
  Sources: NVD

CVE-2017-9067 | P4 | HIGH | Affected: >= 0, < 2.5.7 | 2022-05-17
  CWE-22: MODX Revolution Directory Traversal Vulnerability
  In MODX Revolution before 2.5.7, when PHP 5.3.3 is used, an attacker is able to include and execute arbitrary files on the web server due to insufficient validation of the action parameter to setup/index.php, aka directory traversal.
  Sources: GHSA, OSV

CVE-2025-28010 | P4 | LOW | Affected: >= 0, <= 3.1.0 | 2025-03-13
  CWE-79: MODX allows cross-site scripting (XSS) via an SVG file
  A cross-site scripting (XSS) vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image.
  Sources: GHSA, OSV

CVE-2018-20756 | P4 | MEDIUM | Affected: >= 0, < 2.7.1-pl | 2022-05-14
  CWE-79: MODX Revolution allows XSS via document resources
  MODX Revolution through v2.7.0-pl allows XSS via a document resource (such as pagetitle), which is mishandled during an Update action, a Quick Edit action, or the viewing of manager logs.
  Sources: GHSA, OSV

CVE-2018-20757 | P4 | MEDIUM | Affected: >= 0, < 2.7.1-pl | 2022-05-14
  CWE-79: MODX Revolution allows XSS through extended user fields
  MODX Revolution through v2.7.0-pl allows XSS via an extended user field such as a Container name or Attribute name.
  Sources: GHSA, OSV

CVE-2018-20755 | P4 | MEDIUM | Affected: >= 0, < 2.7.1-pl | 2022-05-14
  CWE-79: MODX Revolution vulnerable to XSS attack through its User Photo field
  MODX Revolution through v2.7.0-pl allows XSS via the User Photo field.
  Sources: GHSA, OSV

CVE-2018-20758 | P4 | MEDIUM | Affected: >= 0, < 2.7.1-pl | 2022-05-13
  CWE-79: MODX vulnerability allows for XSS via user settings parameters
  MODX Revolution through v2.7.0-pl allows XSS via User Settings such as Description.
  Sources: GHSA, OSV

CVE-2017-9068 | P4 | MEDIUM | Affected: >= 0, < 2.5.7 | 2022-05-17
  CWE-79: MODX Revolution Reflected XSS
  In MODX Revolution before 2.5.7, an attacker is able to trigger Reflected XSS by injecting payloads into several fields on the setup page, as demonstrated by the database_type parameter.
  Sources: GHSA, OSV

CVE-2017-9070 | P4 | MEDIUM | Affected: >= 0, < 2.5.7 | 2022-05-17
  CWE-79: MODX Revolution cross-site scripting vulnerability
  In MODX Revolution before 2.5.7, a user with resource edit permissions can inject an XSS payload into the title of any post via the pagetitle parameter to connectors/index.php.
  Sources: GHSA, OSV

CVE-2017-9071 | P4 | MEDIUM | Affected: >= 0, < 2.5.7 | 2022-05-17
  CWE-79: MODX Revolution XSS via HTTP Host header
  In MODX Revolution before 2.5.7, an attacker might be able to trigger XSS by injecting a payload into the HTTP Host header of a request. This is exploitable only in conjunction with other issues such as Cache Poisoning.
  Sources: GHSA, OSV