    • 27708 MODX Staff
    • 2,502 Posts
    Product: MODX Evolution
    Risk: Very High
    Severity: Critical
    Versions: 1.0.7
    Vulnerability Type: Permissions, Privileges, and Access Control; Input Validation; SQL Injection
    Report Date: 2013-Jan-4
    Fixed Date: 2013-Jan-8

    Description
    The Forgot Manager Login plugin distributed with all versions of MODX Evolution (and 0.9.x) contains a vulnerability that allows users to gain unauthorized access to the MODX Manager.

    Affected Releases
    All MODX 0.9.x/Evolution releases prior to and including MODX Evolution 1.0.7 (with ForgotManager plugin active) are affected.

    Solutions
    There are three ways to resolve or mitigate the issue:

    1. Disable Forgot Manager Login plugin
    2. Upgrade Forgot Manager Login to version 1.1.6
    3. Upgrade to MODX Evolution 1.0.8.

    NOTE
    A special thanks to community member Jako for reporting this issue directly to MODX so a resolution could be made available before details were.