Subscribe: RSS
  • Product: MODX Revolution
    Severity: Critical
    Versions: 2.0.0–2.2.13
    Vulnerability type: SQL Injection
    Report date: 2014-Mar-10
    Fixed date: 2014-Apr-04

    Description
    Multiple vulnerabilities were discovered in MODX Revolution that allow users to inject and manipulate the database. This includes an issue exploitable through the session ID supplied by the user and is exploitable without authentication. Another issue relates to messaging and connectors for authenticated users.

    Affected Releases
    All MODX Revolution releases prior to and including 2.2.13.

    Solution
    Upgrade to MODX Revolution 2.2.14. Due to the nature of this issue and the number of files requiring changes the solution is to upgrade. No installable patch or fileset is available for prior versions.

    Acknowledgement
    We would like to thank Craig Arendt, of Stratum Security for bringing this issue to our attention.

    Additional Information
    For additional information, please use the MODX Contact Form [ed. note: smashingred last edited this post 4 months, 3 weeks ago.]
      Author of zero books. Formerly of many strange things. Pairs well with meats. Conversations are magical experiences. He's dangerous around code but a markup magician. BlogTwitterLinkedInGitHub

    This discussion is closed to further replies. Keep calm and carry on.