rthrash Reply #1, 4 years, 3 months ago
The MODx team believes the following security notice is sophistical – plausible but misleading (some would refer to it as "FUD"). We are continuing further investigations.
[DSECRG-08-013] Modx 0.9.6.1, 0.9.6.1p1 Multiple Security Vulnerabilities
To reproduce the security compromises listed above, a malicious hacker would first have to hijack a valid manager session, then convince someone to visit a link to the site with that session and their XSS content inserted. This could be of concern however in the instance when you have a large Manager User base of untrusted individuals. In either case, there are larger security implications.
For more information and discussion, please visit this thread in these forums. We do not have every server or browser combination under which we can test the above listed compromises, so we would tremendously appreciate assistance/confirmation. If you are able to reproduce them or have additional information, please post information in the discussion and we will update this notice immediately with corrective actions.