We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
    • 27708 MODX Staff
    • 2,502 Posts
    Product: MODX Revolution
    Severity: Critical
    Versions: 2.0.0–2.2.14
    Vulnerability type: CSRF & XSS
    Report date: 2014-Jul-10
    Fixed date: 2014-Jul-15

    Description
    A significant vulnerability was discovered in the Manager login of MODX Revolution that also affects the use of the Login Extra. A malicious user could formulate a link that automatically logs the user into their own account, then redirects the user to a site the attacker controls immediately, exposing the user's CSRF token. This can be exploited with or without getting the user to enter their credentials in the form.

    Affected Releases
    All MODX Revolution releases prior to and including 2.2.14.

    Solution
    Upgrade to MODX Revolution 2.2.15. Due to the nature of this issue and the number of files requiring changes the solution is to upgrade. No installable patch or fileset is available for prior versions.

    Acknowledgement
    We would like to thank Narendra Bhati, of Suma Soft for bringing this issue to our attention.

    Additional Information
    For additional information, please use the MODX Contact Form
      Author of zero books. Formerly of many strange things. Pairs well with meats. Conversations are magical experiences. He's dangerous around code but a markup magician. BlogTwitterLinkedInGitHub

    This discussion is closed to further replies. Keep calm and carry on.