Remote Code Execution
The AjaxSearch component distributed with all versions of MODX Evolution (and 0.9.x) contains a vulnerability that allows remote code execution.
All MODX 0.9.x/Evolution releases prior to and including MODX Evolution 1.0.13 (with AjaxSearch installed) are affected.
There are two ways to resolve or mitigate the issue:
- Upgrade AjaxSearch to version 1.10.1.
- Upgrade to MODX Evolution 1.0.14.
A special thanks to Semko Vitaliy for identifying the vector and community member Thomas Jakobi for the resolution.
[ed. note: smashingred last edited this post 5 years, 1 month ago.]