Search criteria
7 vulnerabilities found for MODX by MODX
FKIE_CVE-2025-28010
Vulnerability from fkie_nvd - Published: 2025-03-13 16:15 - Updated: 2025-04-03 16:42
Severity ?
Summary
A cross-site scripting (XSS) vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/rtnthakur/CVE/blob/main/MODX/README.md | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:modx:modx:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7CE7BC48-9EB6-4B96-867E-C353863B4834",
"versionEndIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims\u0027 browsers when viewing the profile image."
},
{
"lang": "es",
"value": "Se ha identificado una vulnerabilidad de Cross Site Scripting (XSS) en MODX anterior a la versi\u00f3n 3.1.0. Esta vulnerabilidad permite a los usuarios autenticados subir archivos SVG con c\u00f3digo JavaScript malicioso como im\u00e1genes de perfil, que se ejecutan en los navegadores de las v\u00edctimas al visualizar la imagen de perfil."
}
],
"id": "CVE-2025-28010",
"lastModified": "2025-04-03T16:42:46.520",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-03-13T16:15:27.690",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/rtnthakur/CVE/blob/main/MODX/README.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
CVE-2025-28010 (GCVE-0-2025-28010)
Vulnerability from cvelistv5 – Published: 2025-03-13 00:00 – Updated: 2025-03-19 14:53
VLAI?
Summary
A cross-site scripting (XSS) vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image.
Severity ?
5.4 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-28010",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-19T14:52:17.433731Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T14:53:43.217Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims\u0027 browsers when viewing the profile image."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T16:02:28.022Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/rtnthakur/CVE/blob/main/MODX/README.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-28010",
"datePublished": "2025-03-13T00:00:00.000Z",
"dateReserved": "2025-03-11T00:00:00.000Z",
"dateUpdated": "2025-03-19T14:53:43.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-28010 (GCVE-0-2025-28010)
Vulnerability from nvd – Published: 2025-03-13 00:00 – Updated: 2025-03-19 14:53
VLAI?
Summary
A cross-site scripting (XSS) vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image.
Severity ?
5.4 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-28010",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-19T14:52:17.433731Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-19T14:53:43.217Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims\u0027 browsers when viewing the profile image."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T16:02:28.022Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/rtnthakur/CVE/blob/main/MODX/README.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-28010",
"datePublished": "2025-03-13T00:00:00.000Z",
"dateReserved": "2025-03-11T00:00:00.000Z",
"dateUpdated": "2025-03-19T14:53:43.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
JVNDB-2009-000004
Vulnerability from jvndb - Published: 2009-01-09 15:54 - Updated:2009-01-09 15:54Summary
MODx cross-site request forgery vulnerability
Details
MODx, an open source contents management system, contains a cross-site request forgery vulnerability.
Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| Type | URL | |
|---|---|---|
|
|
||
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000004.html",
"dc:date": "2009-01-09T15:54+09:00",
"dcterms:issued": "2009-01-09T15:54+09:00",
"dcterms:modified": "2009-01-09T15:54+09:00",
"description": "MODx, an open source contents management system, contains a cross-site request forgery vulnerability.\r\n\r\nGaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000004.html",
"sec:cpe": {
"#text": "cpe:/a:modx:modxcms",
"@product": "MODX",
"@vendor": "MODX",
"@version": "2.2"
},
"sec:cvss": {
"@score": "2.6",
"@severity": "Low",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2009-000004",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN66828183/index.html",
"@id": "JVN#66828183",
"@source": "JVN"
},
{
"#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5941",
"@id": "CVE-2008-5941",
"@source": "CVE"
},
{
"#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5941",
"@id": "CVE-2008-5941",
"@source": "NVD"
},
{
"#text": "http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-000004.html",
"@id": "JVNDB-2009-000004",
"@source": "JVNDB_Ja"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-352",
"@title": "Cross-Site Request Forgery(CWE-352)"
}
],
"title": "MODx cross-site request forgery vulnerability"
}
JVNDB-2009-000005
Vulnerability from jvndb - Published: 2009-01-09 15:54 - Updated:2009-01-09 15:54Summary
MODx vulnerable to SQL injection
Details
MODx, an open source contents management system, contains a SQL injection vulnerability.
MODx, an open source contents management system, contains a SQL injection vulnerability in the MODx Control Panel.
Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000005.html",
"dc:date": "2009-01-09T15:54+09:00",
"dcterms:issued": "2009-01-09T15:54+09:00",
"dcterms:modified": "2009-01-09T15:54+09:00",
"description": "MODx, an open source contents management system, contains a SQL injection vulnerability.\r\n\r\nMODx, an open source contents management system, contains a SQL injection vulnerability in the MODx Control Panel.\r\n\r\nGaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000005.html",
"sec:cpe": {
"#text": "cpe:/a:modx:modxcms",
"@product": "MODX",
"@vendor": "MODX",
"@version": "2.2"
},
"sec:cvss": {
"@score": "5.1",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2009-000005",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN72630020/index.html",
"@id": "JVN#72630020",
"@source": "JVN"
},
{
"#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5940",
"@id": "CVE-2008-5940",
"@source": "CVE"
},
{
"#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5940",
"@id": "CVE-2008-5940",
"@source": "NVD"
},
{
"#text": "http://secunia.com/advisories/33405",
"@id": "SA33405",
"@source": "SECUNIA"
},
{
"#text": "http://www.securityfocus.com/bid/33182",
"@id": "33182",
"@source": "BID"
},
{
"#text": "http://xforce.iss.net/xforce/xfdb/47840",
"@id": "47840",
"@source": "XF"
},
{
"#text": "http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-000005.html",
"@id": "JVNDB-2009-000005",
"@source": "JVNDB_Ja"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-89",
"@title": "SQL Injection(CWE-89)"
}
],
"title": "MODx vulnerable to SQL injection"
}
JVNDB-2009-000003
Vulnerability from jvndb - Published: 2009-01-09 15:54 - Updated:2009-01-09 15:54Summary
MODx cross-site scripting vulnerability
Details
MODx, an open source contents management system, contains a cross-site scripting vulnerability.
MODx, an open source contents management system, contains multiple cross-site scripting vulnerabilities.
Gaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
References
| Type | URL | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000003.html",
"dc:date": "2009-01-09T15:54+09:00",
"dcterms:issued": "2009-01-09T15:54+09:00",
"dcterms:modified": "2009-01-09T15:54+09:00",
"description": "MODx, an open source contents management system, contains a cross-site scripting vulnerability. \r\n\r\nMODx, an open source contents management system, contains multiple cross-site scripting vulnerabilities. \r\n\r\nGaku Mochizuki of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000003.html",
"sec:cpe": {
"#text": "cpe:/a:modx:modxcms",
"@product": "MODX",
"@vendor": "MODX",
"@version": "2.2"
},
"sec:cvss": {
"@score": "4.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2009-000003",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN10170564/index.html",
"@id": "JVN#10170564",
"@source": "JVN"
},
{
"#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5942",
"@id": "CVE-2008-5942",
"@source": "CVE"
},
{
"#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5942",
"@id": "CVE-2008-5942",
"@source": "NVD"
},
{
"#text": "http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-000003.html",
"@id": "JVNDB-2009-000003",
"@source": "JVNDB_Ja"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-79",
"@title": "Cross-site Scripting(CWE-79)"
}
],
"title": "MODx cross-site scripting vulnerability"
}
JVNDB-2007-000094
Vulnerability from jvndb - Published: 2008-05-21 00:00 - Updated:2008-05-21 00:00Summary
MODx cross-site scripting vulnerability
Details
MODxl, an open source content management system, contains a cross-site scripting vulnerability.
References
| Type | URL | |
|---|---|---|
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2007/JVNDB-2007-000094.html",
"dc:date": "2008-05-21T00:00+09:00",
"dcterms:issued": "2008-05-21T00:00+09:00",
"dcterms:modified": "2008-05-21T00:00+09:00",
"description": "MODxl, an open source content management system, contains a cross-site scripting vulnerability.",
"link": "https://jvndb.jvn.jp/en/contents/2007/JVNDB-2007-000094.html",
"sec:cpe": {
"#text": "cpe:/a:modx:modxcms",
"@product": "MODX",
"@vendor": "MODX",
"@version": "2.2"
},
"sec:cvss": {
"@score": "4.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2007-000094",
"sec:references": {
"#text": "http://jvn.jp/en/jp/JVN80271113/index.html",
"@id": "JVN#80271113",
"@source": "JVN"
},
"title": "MODx cross-site scripting vulnerability"
}