New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Stored XSS in MODX 2.5.7 System Settings module #13564
Comments
|
This would only be possible if you're logged in to the manager with correct permissions though wouldn't it? |
|
@lemon666 Please do not post security issues to the public tracker, instead responsibly disclose them to security@modx.com so a fix can be prepared before details are shared publicly. In this case, it's a rather harmless issue, as it requires the permission to edit settings before it can be exploited, but it appears that it's already in the NIST database before the security team was alerted properly. If it's a more serious vulnerability, that could cause panic when no patch is available but a CVE is going around on social media. |
|
@Mark-H Is this already fixed in some version? Could you link the commit IDs fixing this vulnerability, thanks. Bug item has been open for nearly a year now. Nothing found from ChangeLog with issue ID. |
|
I think this may be #13887 but reported by someone else a little earlier. Another good reason not to report these in a public tracker ;) |
Summary
I found two stored XSS in MODX 2.5.7 System Settings module.The "key" and "name" parameters in the following request are vulnerable to XSS vulnerability. This malicious payload will be trigerred by every user, when they visit this module.
Step to reproduce
Example request, which creates new setting with malicious $key and malicious $name:
Observed behavior
A small popup will come up.

Environment
MODX 2.5.7, apache 2.4.23, mysql 5.7.15, php 5.6.24.
The text was updated successfully, but these errors were encountered: