First reported by Nikolay Lanets on November 7th, with additional information received on November 12th/13th. Through specially crafted requests to core or third-party connectors, it was possible to bypass the check for a valid token. This allowed unauthorized execution of certain core processors that had no other specific permission checks but were intended for manager use only.
This vulnerability could be combined with other issues identified recently to allow further unauthorized access to the database.
Certain third-party extras need their connectors to reach specific (third-party) processors without a valid manager token; for this purpose the MODX_REQP constant (set to false in their connector) can continue to be used.
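A sketch of how a third-party extra can keep using MODX_REQP without reproducing the problem this advisory describes: once the connector opts out of the token check, the processor itself has to decide who may run it. This is an added example, not code from the advisory or from MODX; the extra name `myextra`, the permission name `myextra_save`, the file paths and the processor class are constructed, and it assumes the MODX 2.x convention of a connector that defines MODX_REQP before including `MODX_CONNECTORS_PATH . 'index.php'` and dispatches to class-based processors.

```php
<?php
// core/components/myextra/processors/item/update.class.php (constructed path).
// The matching connector, assets/components/myextra/connector.php, does
//     define('MODX_REQP', false);
// before including MODX_CONNECTORS_PATH . 'index.php', so requests reach this
// processor without the manager token check. That is the situation the advisory
// describes, so the processor must carry its own authorization check: a processor
// with no check here is runnable by anyone who can reach the connector.
class MyExtraItemUpdateProcessor extends modProcessor
{
    public function process()
    {
        // Require an authenticated manager-context user holding a specific
        // permission (the permission name is an assumption; it would be defined
        // in the extra's access policy template).
        if (!$this->modx->user->isAuthenticated('mgr')
            || !$this->modx->hasPermission('myextra_save')) {
            // Log the refusal so repeated unauthorized calls are visible to operators.
            $this->modx->log(modX::LOG_LEVEL_WARN, 'myextra: denied processor call from '
                . (isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown'));
            return $this->failure($this->modx->lexicon('permission_denied'));
        }

        // Privileged work goes here; it only runs for callers that passed the check.
        return $this->success();
    }
}
return 'MyExtraItemUpdateProcessor';
```

The same pattern applies to every processor reachable through a connector that sets MODX_REQP to false: none of them may rely on the token check for authorization, because that check no longer runs for them.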