<![CDATA[ Multiple Vulnerabilities XSS/Remote Command Injection - MODX Community Forums]]> https://forums.modx.com/thread/?thread=94952 <![CDATA[Multiple Vulnerabilities XSS/Remote Command Injection]]> https://forums.modx.com/thread/94952/multiple-vulnerabilities-xss-c#dis-post-514187 Product: MODX Evolution
Risk: High
Severity: Critical
Versions: <=1.0.14
Vulnerabilty Type: Multiple Vulnerabilities (XSS/Remote Command Execution)
Report Date: 2014-Oct-31
Fixed Date: 2014-Nov-6

Description
We have been informed of various critical issues in MODX Evolution (and 0.9.x). There is a Cross Site Scripting (XSS) issue in the commenting Extra, Jot, which comes included in the Evolution package. In addition there is a Command Injection vulnerability in one of the core system files.

Affected Releases
All MODX 0.9.x/Evolution releases prior to and including MODX Evolution 1.0.14 are affected.

Solutions
There are two possible ways to resolve or mitigate this issue:

  1. Upgrade to MODX Evolution 1.0.15 (recommended).
  2. If running 1.0.11 or later, update the jot.class.inc.php file and the cache_sync.class.processor.php

NOTE
A special thanks to Karthik Rangarajan of Addepar for identifying the vector and community member Thomas Jakobi for the resolution.]]>
smashingred Nov 06, 2014, 08:50 AM https://forums.modx.com/thread/94952/multiple-vulnerabilities-xss-c#dis-post-514187