Product: MODX Evolution
Risk: High
Severity: Critical
Versions: <=1.0.14
Vulnerability Type: Multiple Vulnerabilities (XSS/Remote Command Execution)
Report Date: 2014-Oct-31
Fixed Date: 2014-Nov-6
Description
We have been informed of various critical issues in MODX Evolution (and 0.9.x). There is a Cross Site Scripting (XSS) issue in the commenting Extra, Jot, which comes included in the Evolution package. In addition there is a Command Injection vulnerability in one of the core system files.
Affected Releases
All MODX 0.9.x/Evolution releases prior to and including MODX Evolution 1.0.14 are affected.
Solutions
There are two possible ways to resolve or mitigate this issue:
- Upgrade to MODX Evolution 1.0.15 (recommended).
- If running 1.0.11 or later, update the jot.class.inc.php and cache_sync.class.processor.php files.
NOTE
A special thanks to Karthik Rangarajan of Addepar for identifying the vector and community member Thomas Jakobi for the resolution.