1.0.6 and all previous releases
Permissions, Privileges, and Access Control; Input Validation; SQL Injection
The Forgot Manager Login plugin distributed with all versions of MODX Evolution (and 0.9.x) contains a vulnerability that allows users to gain unauthorized access to the MODX Manager.
All MODX 0.9.x/Evolution releases prior to and including MODX Evolution 1.0.6 are affected.
There are three ways to resolve or mitigate the issue:
- Disable the Forgot Manager Login plugin.
- Upgrade the Forgot Manager Login plugin to version 1.1.4.
- Upgrade to MODX Evolution 1.0.7.
A special thanks to community member Agel_Nash for reporting the full scope of this issue directly to MODX so a resolution could be made available before details were.