Multiple Vulnerabilities (XSS/Remote Command Execution)
We have been informed of various critical issues in MODX Evolution (and 0.9.x). There is a Cross Site Scripting (XSS) issue in the commenting Extra, Jot, which comes included in the Evolution package. In addition there is a Command Injection vulnerability in one of the core system files.
All MODX 0.9.x/Evolution releases prior to and including MODX Evolution 1.0.14 are affected.
There are two possible ways to resolve or mitigate these issues:
- Upgrade to MODX Evolution 1.0.15 (recommended).
- If running 1.0.11 or later, update the jot.class.inc.php file and the cache_sync.class.processor.php file.
A special thanks to Karthik Rangarajan of Addepar for identifying the vector and to community member Thomas Jakobi for the resolution.