Every CVE whose affected-product data names Modx Modx Revolution, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (36)
CVE-2017-7321 — CVSS 9.8 (critical): setup/controllers/welcome.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the…
CVE-2017-7324 — CVSS 9.8 (critical): setup/templates/findcore.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the…
CVE-2020-25911 — CVSS 9.1 (critical): A XML External Entity (XXE) vulnerability was discovered in the modRestServiceRequest component in MODX CMS 2.7.3 which can lead to an…
CVE-2017-9069 — CVSS 8.8 (high): In MODX Revolution before 2.5.7, a user with file upload permissions is able to execute arbitrary code by uploading a file with the name…
CVE-2017-7323 — CVSS 8.1 (high): The (1) update and (2) package-installation features in MODX Revolution 2.5.4-pl and earlier use http://rest.modx.com by default, which…
CVE-2017-7322 — CVSS 8.1 (high): The (1) update and (2) package-installation features in MODX Revolution 2.5.4-pl and earlier do not verify X.509 certificates from SSL…
CVE-2014-2736 — CVSS 7.5 (high): Multiple SQL injection vulnerabilities in MODX Revolution before 2.2.14 allow remote attackers to execute arbitrary SQL commands via the…
CVE-2019-1010123 — CVSS 7.5 (high): MODX Revolution Gallery 1.7.0 is affected by: CWE-434: Unrestricted Upload of File with Dangerous Type. The impact is: Creating file with…
CVE-2018-1000208 — CVSS 7.5 (high): MODX Revolution version <=2.6.4 contains a Directory Traversal vulnerability in /core/model/modx/modmanagerrequest.class.php that can…
CVE-2014-2311 — CVSS 7.5 (high): SQL injection vulnerability in modx.class.php in MODX Revolution 2.0.0 before 2.2.13 allows remote attackers to execute arbitrary SQL…
CVE-2016-10037 — CVSS 7.3 (high): Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file…
CVE-2016-10038 — CVSS 7.3 (high): Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file…
CVE-2016-10039 — CVSS 7.3 (high): Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file…
CVE-2018-1000207 — CVSS 7.2 (high): MODX Revolution version <=2.6.4 contains a Incorrect Access Control vulnerability in Filtering user parameters before passing them into…
CVE-2017-9067 — CVSS 7.0 (high): In MODX Revolution before 2.5.7, when PHP 5.3.3 is used, an attacker is able to include and execute arbitrary files on the web server due…
CVE-2014-8773 — CVSS 6.8 (medium): MODX Revolution 2.x before 2.2.15 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism by (1)…
CVE-2018-20756 — CVSS 6.1 (medium): MODX Revolution through v2.7.0-pl allows XSS via a document resource (such as pagetitle), which is mishandled during an Update action, a…
CVE-2018-20757 — CVSS 6.1 (medium): MODX Revolution through v2.7.0-pl allows XSS via an extended user field such as Container name or Attribute name.
CVE-2017-11744 — CVSS 6.1 (medium): In MODX Revolution 2.5.7, the "key" and "name" parameters in the System Settings module are vulnerable to XSS. A malicious payload sent to…
CVE-2017-9068 — CVSS 6.1 (medium): In MODX Revolution before 2.5.7, an attacker is able to trigger Reflected XSS by injecting payloads into several fields on the setup page…
CVE-2015-6588 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in login-fsp.html in MODX Revolution before 1.9.1 allows remote attackers to inject arbitrary web…
CVE-2017-7320 — CVSS 6.1 (medium): setup/controllers/language.php in MODX Revolution 2.5.4-pl and earlier does not properly constrain the language parameter, which allows…
CVE-2017-1000223 — CVSS 5.4 (medium): A stored web content injection vulnerability (WCI, a.k.a XSS) is present in MODX Revolution CMS version 2.5.6 and earlier. An authenticated…
CVE-2017-9070 — CVSS 5.4 (medium): In MODX Revolution before 2.5.7, a user with resource edit permissions can inject an XSS payload into the title of any post via the…
CVE-2017-8115 — CVSS 5.3 (medium): Directory traversal in setup/processors/url_search.php (aka the search page of an unused processor) in MODX Revolution 2.5.7 might allow…
CVE-2014-8775 — CVSS 5.0 (medium): MODX Revolution 2.x before 2.2.15 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier…
CVE-2017-9071 — CVSS 4.7 (medium): In MODX Revolution before 2.5.7, an attacker might be able to trigger XSS by injecting a payload into the HTTP Host header of a request…
CVE-2014-8774 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in manager/index.php in MODX Revolution 2.x before 2.2.15 allows remote attackers to inject…
CVE-2014-2080 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in manager/templates/default/header.tpl in ModX Revolution before 2.2.11 allows remote attackers…
CVE-2010-5278 — CVSS 4.3 (medium): Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when…
CVE-2014-8992 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in manager/assets/fileapi/FileAPI.flash.image.swf in MODX Revolution 2.3.2-pl allows remote…
CVE-2014-5451 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in manager/templates/default/header.tpl in MODX Revolution 2.3.1-pl and earlier allows remote…