XXE Vulnerability #15237
Comments
The email is security@modx.com. I'm not sure about that form (will get that checked), but publicly posting vulnerability details rather than asking somewhere on how to privately disclose if the first avenue doesn't work is... a little disappointing.

The security report form seems to work as expected, test email sent and arrived.

It seems to me that @dahua966 is talking about the page that is listed in the template for "Report a security vulnerability" on GitHub. There is a page listed - https://modx.com/community/contribute/report-a-security-issue and it doesn't work.

@jaygilmore / @rthrash can you get the old URL https://modx.com/community/contribute/report-a-security-issue to redirect to the new form at https://modx.com/about/security-reports? @Ruslan-Aleev Where are you seeing that URL? I'm only seeing a reference to security@modx.com in the CONTRIBUTING.md.

@Mark-H In the file https://github.com/modxcms/revolution/security/policy, you can go to it when creating a security issue.

Ah, there it is. Fixed, thanks.
…e libxml entity loader [modxcms#15237] The libxml_disable_entity_loader function is deprecated in PHP8, and the entity loader is automatically enabled on v2.9.0+ of libxml which may have been used pre-PHP8 as well. PHP8 comes with at least v2.9.0+ of libxml bundled, so this conditional covers both scenarios. Ref: php/php-src#5867
Merge remote-tracking branch 'origin/pr/15238' into 2.x * origin/pr/15238: Prevent potential XXE vulnerability in modRestService by disabling the libxml entity loader [#15237]
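The version-conditional guard described in the commit message above, as an added example that is not the project's own code: `parseRequestXml()` and the sample bodies are constructed for illustration, and the DOCTYPE rejection is an extra hardening step assumed here rather than taken from the page.

```php
<?php
// Added example: parseRequestXml() and the sample bodies are constructed.

function parseRequestXml(string $body): ?SimpleXMLElement
{
    if ($body === '') {
        return null; // DOMDocument::loadXML() throws on empty input in PHP 8
    }
    $previous = null;
    // Call the entity-loader switch only on libxml older than 2.9.0.
    // The function is deprecated in PHP 8, which ships a newer libxml,
    // so this branch is never taken there.
    if (LIBXML_VERSION < 20900) {
        $previous = libxml_disable_entity_loader(true);
    }
    $errors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET blocks network fetches. LIBXML_NOENT and
        // LIBXML_DTDLOAD are deliberately not passed.
        if (!$dom->loadXML($body, LIBXML_NONET)) {
            return null;
        }
        // Extra hardening (assumption, not from the page): a REST payload
        // has no need for a DOCTYPE, so reject any document declaring one.
        if ($dom->doctype !== null) {
            return null;
        }
        $xml = simplexml_import_dom($dom);
        return $xml instanceof SimpleXMLElement ? $xml : null;
    } finally {
        // Restore global libxml state so other parsers are unaffected.
        libxml_clear_errors();
        libxml_use_internal_errors($errors);
        if ($previous !== null) {
            libxml_disable_entity_loader($previous);
        }
    }
}

// Constructed sample request bodies.
$plain = '<request><name>demo</name></request>';
$withDtd = '<?xml version="1.0"?>'
    . '<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    . '<request><name>&ext;</name></request>';

var_dump(parseRequestXml($plain) !== null);    // plain body is accepted
var_dump(parseRequestXml($withDtd) === null);  // body with a DOCTYPE is refused
```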

snipped