Description

In MODX Revolution before 2.5.7, a user with resource edit permissions can inject an XSS payload into the title of any post via the pagetitle parameter to connectors/index.php.

Remediation

References

CVE-2017-9070

Related Vulnerabilities

WordPress Plugin BuddyPress Security Bypass (2.3.4)

Drupal Permissions, Privileges, and Access Controls Vulnerability (CVE-2014-5267)

Oracle Database Server CVE-2009-1964 Vulnerability (CVE-2009-1964)

Drupal Reliance on Cookies without Validation and Integrity Checking Vulnerability (CVE-2022-29248)

Rukovoditel Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2020-13588)

Severity

Medium

Classification

CVE-2017-9070 CWE-707 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities