MODX Revolution 2.3.3-pl Cross Site Scripting

Posted on 30 June 2015

#Affected Vendor: http://modx.com/ #Date: 08/05/2015 #Creditee: http://osvdb.org/creditees/13518-vadodil-joel-varghese #Type of vulnerability: Multiple Cross Site Scripting Vulnerability #Tested on: Windows 8.1 #Product: MODX Revolution #Version: 2.3.3-pl "Content" field in create new resources ( http://localhost/modx/manager/?a=resource/create), "lexicon key" and "Description" field in create menu ( http://localhost/modx/manager/?a=system/action), "Name" and "Description" field in create dashboard ( http://localhost/modx/manager/?a=system/dashboards/create) The above mentioned fields were found to be vulnerable to Stored XSS. The PoC used is "><img src="blah.jpg" onerror="alert('XSS')"/>. Notified Vendor: 08/05/2015 No response received for the vendor Public Disclosure: 29/06/2015 -- Regards, *Joel V*

TOP

Malware :

RATDispenser
whispergate
Borat RAT
Trojanized X_Trader
BlackLotus

Last 20

Exploits :

Relate Cross Site Scripting
Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Authentication Bypass
Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Insecure Direct Object Reference
Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 Authentication Bypass
Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 Insecure Direct Object Reference

Last 20