MODX Evolution 1.0.6 (and prior) Unauthorized Manager Access

Product: MODX Evolution
Risk: Very High
Severity: Critical
Versions: 1.0.6 and all previous releases
Vulnerability Type: Permissions, Privileges, and Access Control; Input Validation; SQL Injection
Report Date: 2012-Nov-26
Fixed Date: 2012-Nov-26

Description
The Forgot Manager Login plugin distributed with all versions of MODX Evolution (and 0.9.x) contains a vulnerability that allows users to gain unauthorized access to the MODX Manager.

Affected Releases
All MODX 0.9.x/Evolution releases prior to and including MODX Evolution 1.0.6 are affected.

Solutions
There are three ways to resolve or mitigate the issue:

  1. Disable the Forgot Manager Login plugin.
  2. Upgrade Forgot Manager Login to version 1.1.4.
  3. Upgrade to MODX Evolution 1.0.7.

NOTE
A special thanks to community member Agel_Nash for reporting the full scope of this issue directly to MODX so a resolution could be made available before details were.
smashingred Nov 26, 2012, 03:33 PM https://forums.modx.com/thread/80701/modx-evolution-1-0-6-and-lower-unauthorized-manager-access#dis-post-444667