  • Product: MODX Evolution
    Risk: Very High
    Severity: Critical
    Versions: 1.0.6 and all previous releases
    Vulnerability Type: Permissions, Privileges, and Access Control; Input Validation; SQL Injection
    Report Date: 2012-Nov-26
    Fixed Date: 2012-Nov-26

    Description
    The Forgot Manager Login plugin distributed with all versions of MODX Evolution (and 0.9.x) contains a vulnerability that allows users to gain unauthorized access to the MODX Manager.

    Affected Releases
    All MODX 0.9.x/Evolution releases prior to and including MODX Evolution 1.0.6 are affected.

    Solutions
    There are three ways to resolve or mitigate the issue:

    1. Disable the Forgot Manager Login plugin.
    2. Upgrade the Forgot Manager Login plugin to version 1.1.4.
    3. Upgrade to MODX Evolution 1.0.7.

    NOTE
    A special thanks to community member Agel_Nash for reporting the full scope of this issue directly to MODX so a resolution could be made available before details were.
