MODX Revolution 'callback' Parameter Cross-Site Scripting Vulnerability Network Vulnerability

Summary

This host is installed with MODX Revolution and is prone to cross-site scripting vulnerability.

Impact

Successful exploitation will allow remote attackers to execute arbitrary HTML and script code in a users browser session in the context of an affected site. Impact Level: Application

Solution

No solution or patch is available as of 9th February, 2015. Information regarding this issue will updated once the solution details are available. For updates refer to http://modx.com

Insight

The error exists because the /manager/assets/fileapi/FileAPI.flash.image.swf script does not validate input to the 'callback' parameter before returning it to users.

Affected

MODX Revolution version 2.3.2-pl.

Detection

Check the md5sum of the affected .swf files

References

http://osvdb.org/114868
https://github.com/modxcms/revolution/issues/12161

Updated on 2015-03-25

Severity

Classification

CVE CVE-2014-8992

CVSS	Base Score: 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N

Related Vulnerabilities

APC PowerChute Network Shutdown HTTP Response Splitting Vulnerability
Adobe Presenter viewer.swf and loadflash.js XSS Vulnerability
AlienForm CGI script
Andy's PHP Knowledgebase Multiple Cross-Site Scripting Vulnerabilities
AN Guestbook Local File Inclusion Vulnerability

Take action and discover your vulnerabilities