    Product: MODX Evolution
    Risk: Very High
    Severity: Critical
    Versions: <=1.0.13
    Vulnerability Type: Remote Code Execution
    Report Date: 2014-May-29
    Fixed Date: 2014-June-5

    Description
    The AjaxSearch component distributed with all versions of MODX Evolution (and 0.9.x) contains a vulnerability that allows remote code execution.

    Affected Releases
    All MODX 0.9.x/Evolution releases prior to and including MODX Evolution 1.0.13 (with AjaxSearch installed) are affected.

    Solutions
    There are two ways to resolve or mitigate the issue:

    1. Upgrade AjaxSearch to version 1.10.1
    2. Upgrade to MODX Evolution 1.0.14.

    NOTE
    A special thanks to Semko Vitaliy for identifying the vector and community member Thomas Jakobi for the resolution.
    • You will need to do both 1 and 2 or 3. Just deleting the index-ajax.php still leaves the AjaxSearch vulnerable to attack.
        - matdave
