⚠️ Urgent! Active Attacks on MODX Revolution Sites Below Revolution 2.6.5
Subscribe: RSS
  • Product: MODX Evolution
    Risk: High
    Severity: Critical
    Versions: <=1.0.14
    Vulnerabilty Type: Multiple Vulnerabilities (XSS/Remote Command Execution)
    Report Date: 2014-Oct-31
    Fixed Date: 2014-Nov-6

    Description
    We have been informed of various critical issues in MODX Evolution (and 0.9.x). There is a Cross Site Scripting (XSS) issue in the commenting Extra, Jot, which comes included in the Evolution package. In addition there is a Command Injection vulnerability in one of the core system files.

    Affected Releases
    All MODX 0.9.x/Evolution releases prior to and including MODX Evolution 1.0.14 are affected.

    Solutions
    There are two possible ways to resolve or mitigate this issue:

    1. Upgrade to MODX Evolution 1.0.15 (recommended).
    2. If running 1.0.11 or later, update the jot.class.inc.php file and the cache_sync.class.processor.php

    NOTE
    A special thanks to Karthik Rangarajan of Addepar for identifying the vector and community member Thomas Jakobi for the resolution. [ed. note: smashingred last edited this post 4 years, 1 month ago.]
      Author of zero books. Formerly of many strange things. Pairs well with meats. Conversations are magical experiences. He's dangerous around code but a markup magician. BlogTwitterLinkedInGitHub

    This discussion is closed to further replies. Keep calm and carry on.