Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

MODX Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2017-1000223)

Description

A stored web content injection vulnerability (WCI, a.k.a XSS) is present in MODX Revolution CMS version 2.5.6 and earlier. An authenticated user with permissions to edit users can save malicious JavaScript as a User Group name and potentially take control over victims' accounts. This can lead to an escalation of privileges providing complete administrative control over the CMS.

Remediation

References

CVE-2017-1000223

Related Vulnerabilities

Squid Improper Input Validation Vulnerability (CVE-2015-3455)

WordPress Plugin MasterStudy LMS-for Online Courses and Education Local File Inclusion (3.3.3)

Python Improper Input Validation Vulnerability (CVE-2013-4238)

Oracle HTTP Server Improper Certificate Validation Vulnerability (CVE-2020-26184)

MySQL CVE-2014-0420 Vulnerability (CVE-2014-0420)

Severity

Medium

Classification

CVE-2017-1000223 CWE-707 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities