
    6 vulnerabilities found for modx by modx

    CVE-2025-28010 (GCVE-0-2025-28010)

    Vulnerability from nvd – Published: 2025-03-13 00:00 – Updated: 2025-03-19 14:53
    Summary
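    A cross-site scripting (XSS) vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images; the script is executed in a victim's browser when the victim views the profile image. Note that the CNA container of the record below lists vendor, product and version as "n/a", so the affected range (before 3.1.0) is stated only in this description and will not be found by tooling that matches on the structured "affected" fields.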
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-28010",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-19T14:52:17.433731Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-19T14:53:43.217Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A cross-site scripting (XSS) vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims\u0027 browsers when viewing the profile image."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-13T16:02:28.022Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/rtnthakur/CVE/blob/main/MODX/README.md"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-28010",
        "datePublished": "2025-03-13T00:00:00.000Z",
        "dateReserved": "2025-03-11T00:00:00.000Z",
        "dateUpdated": "2025-03-19T14:53:43.217Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-28010 (GCVE-0-2025-28010)

    Vulnerability from cvelistv5 – Published: 2025-03-13 00:00 – Updated: 2025-03-19 14:53
    Summary
    A cross-site scripting (XSS) vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images; the script is executed in a victim's browser when the victim views the profile image.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-28010",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-19T14:52:17.433731Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-19T14:53:43.217Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A cross-site scripting (XSS) vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims\u0027 browsers when viewing the profile image."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-13T16:02:28.022Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/rtnthakur/CVE/blob/main/MODX/README.md"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2025-28010",
        "datePublished": "2025-03-13T00:00:00.000Z",
        "dateReserved": "2025-03-11T00:00:00.000Z",
        "dateUpdated": "2025-03-19T14:53:43.217Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    JVNDB-2009-000005

    Vulnerability from jvndb - Published: 2009-01-09 15:54 - Updated:2009-01-09 15:54
    Severity
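    5.1 (Medium) - CVSS v2.0 Base - AV:N/AC:H/Au:N/C:P/I:P/A:P (taken from the sec:cvss field of the record below; the rendered page showed "N/A (UNKNOWN) - -")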
    Summary
    MODx vulnerable to SQL injection
    Details
    MODx, an open source content management system, contains a SQL injection vulnerability in the MODx Control Panel. Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. The record's references identify this issue as CVE-2008-5940 (CWE-89).
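    Impacted products: MODX MODX (cpe:/a:modx:modxcms). The record gives no affected version range; the "@version": "2.2" attribute on sec:cpe is presumably the CPE format version rather than a MODX release.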

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000005.html",
      "dc:date": "2009-01-09T15:54+09:00",
      "dcterms:issued": "2009-01-09T15:54+09:00",
      "dcterms:modified": "2009-01-09T15:54+09:00",
      "description": "MODx, an open source contents management system, contains a SQL injection vulnerability.\r\n\r\nMODx, an open source contents management system, contains a SQL injection vulnerability in the MODx Control Panel.\r\n\r\nGaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000005.html",
      "sec:cpe": {
        "#text": "cpe:/a:modx:modxcms",
        "@product": "MODX",
        "@vendor": "MODX",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "5.1",
        "@severity": "Medium",
        "@type": "Base",
        "@vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
        "@version": "2.0"
      },
      "sec:identifier": "JVNDB-2009-000005",
      "sec:references": [
        {
          "#text": "http://jvn.jp/en/jp/JVN72630020/index.html",
          "@id": "JVN#72630020",
          "@source": "JVN"
        },
        {
          "#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5940",
          "@id": "CVE-2008-5940",
          "@source": "CVE"
        },
        {
          "#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5940",
          "@id": "CVE-2008-5940",
          "@source": "NVD"
        },
        {
          "#text": "http://secunia.com/advisories/33405",
          "@id": "SA33405",
          "@source": "SECUNIA"
        },
        {
          "#text": "http://www.securityfocus.com/bid/33182",
          "@id": "33182",
          "@source": "BID"
        },
        {
          "#text": "http://xforce.iss.net/xforce/xfdb/47840",
          "@id": "47840",
          "@source": "XF"
        },
        {
          "#text": "http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-000005.html",
          "@id": "JVNDB-2009-000005",
          "@source": "JVNDB_Ja"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-89",
          "@title": "SQL Injection(CWE-89)"
        }
      ],
      "title": "MODx vulnerable to SQL injection"
    }

    JVNDB-2009-000003

    Vulnerability from jvndb - Published: 2009-01-09 15:54 - Updated:2009-01-09 15:54
    Severity
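    4.3 (Medium) - CVSS v2.0 Base - AV:N/AC:M/Au:N/C:N/I:P/A:N (taken from the sec:cvss field of the record below; the rendered page showed "N/A (UNKNOWN) - -")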
    Summary
    MODx cross-site scripting vulnerability
    Details
    MODx, an open source content management system, contains multiple cross-site scripting vulnerabilities. Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. The record's references identify this issue as CVE-2008-5942 (CWE-79).
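    Impacted products: MODX MODX (cpe:/a:modx:modxcms). The record gives no affected version range; the "@version": "2.2" attribute on sec:cpe is presumably the CPE format version rather than a MODX release.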

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000003.html",
      "dc:date": "2009-01-09T15:54+09:00",
      "dcterms:issued": "2009-01-09T15:54+09:00",
      "dcterms:modified": "2009-01-09T15:54+09:00",
      "description": "MODx, an open source contents management system, contains a cross-site scripting vulnerability. \r\n\r\nMODx, an open source contents management system, contains multiple cross-site scripting vulnerabilities. \r\n\r\nGaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000003.html",
      "sec:cpe": {
        "#text": "cpe:/a:modx:modxcms",
        "@product": "MODX",
        "@vendor": "MODX",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "4.3",
        "@severity": "Medium",
        "@type": "Base",
        "@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
        "@version": "2.0"
      },
      "sec:identifier": "JVNDB-2009-000003",
      "sec:references": [
        {
          "#text": "http://jvn.jp/en/jp/JVN10170564/index.html",
          "@id": "JVN#10170564",
          "@source": "JVN"
        },
        {
          "#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5942",
          "@id": "CVE-2008-5942",
          "@source": "CVE"
        },
        {
          "#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5942",
          "@id": "CVE-2008-5942",
          "@source": "NVD"
        },
        {
          "#text": "http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-000003.html",
          "@id": "JVNDB-2009-000003",
          "@source": "JVNDB_Ja"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-79",
          "@title": "Cross-site Scripting(CWE-79)"
        }
      ],
      "title": "MODx cross-site scripting vulnerability"
    }

    JVNDB-2009-000004

    Vulnerability from jvndb - Published: 2009-01-09 15:54 - Updated:2009-01-09 15:54
    Severity
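    2.6 (Low) - CVSS v2.0 Base - AV:N/AC:H/Au:N/C:N/I:P/A:N (taken from the sec:cvss field of the record below; the rendered page showed "N/A (UNKNOWN) - -")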
    Summary
    MODx cross-site request forgery vulnerability
    Details
    MODx, an open source content management system, contains a cross-site request forgery vulnerability. Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership. The record's references identify this issue as CVE-2008-5941 (CWE-352).
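    Impacted products: MODX MODX (cpe:/a:modx:modxcms). The record gives no affected version range; the "@version": "2.2" attribute on sec:cpe is presumably the CPE format version rather than a MODX release.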

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000004.html",
      "dc:date": "2009-01-09T15:54+09:00",
      "dcterms:issued": "2009-01-09T15:54+09:00",
      "dcterms:modified": "2009-01-09T15:54+09:00",
      "description": "MODx, an open source contents management system, contains a cross-site request forgery vulnerability.\r\n\r\nGaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
      "link": "https://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000004.html",
      "sec:cpe": {
        "#text": "cpe:/a:modx:modxcms",
        "@product": "MODX",
        "@vendor": "MODX",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "2.6",
        "@severity": "Low",
        "@type": "Base",
        "@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
        "@version": "2.0"
      },
      "sec:identifier": "JVNDB-2009-000004",
      "sec:references": [
        {
          "#text": "http://jvn.jp/en/jp/JVN66828183/index.html",
          "@id": "JVN#66828183",
          "@source": "JVN"
        },
        {
          "#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5941",
          "@id": "CVE-2008-5941",
          "@source": "CVE"
        },
        {
          "#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5941",
          "@id": "CVE-2008-5941",
          "@source": "NVD"
        },
        {
          "#text": "http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-000004.html",
          "@id": "JVNDB-2009-000004",
          "@source": "JVNDB_Ja"
        },
        {
          "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
          "@id": "CWE-352",
          "@title": "Cross-Site Request Forgery(CWE-352)"
        }
      ],
      "title": "MODx cross-site request forgery vulnerability"
    }

    JVNDB-2007-000094

    Vulnerability from jvndb - Published: 2008-05-21 00:00 - Updated:2008-05-21 00:00
    Severity
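    4.3 (Medium) - CVSS v2.0 Base - AV:N/AC:M/Au:N/C:N/I:P/A:N (taken from the sec:cvss field of the record below; the rendered page showed "N/A (UNKNOWN) - -")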
    Summary
    MODx cross-site scripting vulnerability
    Details
    MODx, an open source content management system, contains a cross-site scripting vulnerability.
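    Impacted products: MODX MODX (cpe:/a:modx:modxcms). The record gives no affected version range; the "@version": "2.2" attribute on sec:cpe is presumably the CPE format version rather than a MODX release.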

    {
      "@rdf:about": "https://jvndb.jvn.jp/en/contents/2007/JVNDB-2007-000094.html",
      "dc:date": "2008-05-21T00:00+09:00",
      "dcterms:issued": "2008-05-21T00:00+09:00",
      "dcterms:modified": "2008-05-21T00:00+09:00",
      "description": "MODxl, an open source content management system, contains a cross-site scripting vulnerability.",
      "link": "https://jvndb.jvn.jp/en/contents/2007/JVNDB-2007-000094.html",
      "sec:cpe": {
        "#text": "cpe:/a:modx:modxcms",
        "@product": "MODX",
        "@vendor": "MODX",
        "@version": "2.2"
      },
      "sec:cvss": {
        "@score": "4.3",
        "@severity": "Medium",
        "@type": "Base",
        "@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
        "@version": "2.0"
      },
      "sec:identifier": "JVNDB-2007-000094",
      "sec:references": {
        "#text": "http://jvn.jp/en/jp/JVN80271113/index.html",
        "@id": "JVN#80271113",
        "@source": "JVN"
      },
      "title": "MODx cross-site scripting vulnerability"
    }