O:9:"MagpieRSS":22:{s:6:"parser";i:0;s:12:"current_item";a:0:{}s:5:"items";a:4:{i:0;a:8:{s:5:"title";s:80:"Revolution 2.6.4 and Prior Two Cricital Vulnerabilities; Upgrade Mandatory/Patch";s:4:"link";s:133:"https://forums.modx.com/thread/104040/revolution-2-6-4-and-prior-two-cricital-vulnerabilities-upgrade-mandatory-patch#dis-post-559515";s:11:"description";s:2441:"Product: MODX Revolution
Severity: Critical
Versions: <=2.6.4
Vulnerability type(s): Remote Execution / File/Directory Deletion
Report date: 2018-Jul-11
Fixed date: 2018-Jul-12
Description
On July 11 we received notice that there are two critical vulnerabilities that include remote script execution and file/directory removal. These issues are critical in nature. It is possible for attackers to compromise the website or deface or delete files or directories.
Affected Releases
All MODX Revolution releases prior to and including 2.6.4
Solutions
- Upgrade to MODX Revolution 2.6.5 or above.
- If you're on 2.6.4 you can replace the changed files included in the commits: here (can be manually updated on versions back to 2.3.0) and here (can be updated on versions back to 2.5.2). Please note, replacing files in other versions of MODX Revolution could lead to unintended consequences. It is always preferred to upgrade.
Support
If you do not know how to upgrade your site there are several support options available. You can contact the developer or builder of your site, ask for help in the MODX Forums, find a MODX Professional or get help from the MODX Services team.
Acknowledgement
We would like to thank Ivan Klimchuk (Alroniks) and agel_nash for bringing these issues to our attention and verifying their resolution.
Additional Information
For additional information, please email MODX Support.";s:8:"comments";s:133:"https://forums.modx.com/thread/104040/revolution-2-6-4-and-prior-two-cricital-vulnerabilities-upgrade-mandatory-patch#dis-post-559515";s:7:"pubdate";s:31:"Thu, 12 Jul 2018 02:40:19 +0000";s:4:"guid";s:133:"https://forums.modx.com/thread/104040/revolution-2-6-4-and-prior-two-cricital-vulnerabilities-upgrade-mandatory-patch#dis-post-559515";s:7:"summary";s:2441:"Product: MODX Revolution
Severity: Critical
Versions: <=2.6.4
Vulnerability type(s): Remote Execution / File/Directory Deletion
Report date: 2018-Jul-11
Fixed date: 2018-Jul-12
Description
On July 11 we received notice that there are two critical vulnerabilities that include remote script execution and file/directory removal. These issues are critical in nature. It is possible for attackers to compromise the website or deface or delete files or directories.
Affected Releases
All MODX Revolution releases prior to and including 2.6.4
Solutions
- Upgrade to MODX Revolution 2.6.5 or above.
- If you're on 2.6.4 you can replace the changed files included in the commits: here (can be manually updated on versions back to 2.3.0) and here (can be updated on versions back to 2.5.2). Please note, replacing files in other versions of MODX Revolution could lead to unintended consequences. It is always preferred to upgrade.
Support
If you do not know how to upgrade your site there are several support options available. You can contact the developer or builder of your site, ask for help in the MODX Forums, find a MODX Professional or get help from the MODX Services team.
Acknowledgement
We would like to thank Ivan Klimchuk (Alroniks) and agel_nash for bringing these issues to our attention and verifying their resolution.
Additional Information
For additional information, please email MODX Support.";s:14:"date_timestamp";i:1531363219;}i:1;a:8:{s:5:"title";s:50:"Revolution 2.5.1 and Prior Multiple Vulnerabilites";s:4:"link";s:104:"https://forums.modx.com/thread/101393/revolution-2-5-1-and-prior-multiple-vulnerabilites#dis-post-547024";s:11:"description";s:2434:"Product: MODX Revolution
Severity: Moderate
Versions: <=2.5.1
Vulnerability type: Directory Traversal / SQL Injection
Report date: 2016-Nov-4
Fixed date: 2016-Nov-14
Description
We received notice that there are several vulnerabilities that include a SQL injection and directory traversal. These issues on their own are not critical in nature, however, it could be possible for determined attackers to combine vectors to compromise a site.
Affected Releases
All MODX Revolution releases prior to and including 2.5.1
Solutions
- Upgrade to MODX Revolution 2.5.2 or above.
- Patch available for versions 2.3.3-2.5.2 thanks to Sterc. Versions below 2.3.3 must upgrade.
Support
If you do not know how to upgrade your site there are several support options available. You can contact the developer or builder of your site, ask for help in the MODX Forums, find a MODX Professional or get help from the MODX Services team.
Acknowledgement
We would like to thank Nikolay Lanets (modxclub.ru) and Chen Ruiqi for bringing these issues to our attention and verifying their resolution.
Additional Information
For additional information, please use the [url=http://modx.com/company/contact/]MODX Contact Form";s:8:"comments";s:104:"https://forums.modx.com/thread/101393/revolution-2-5-1-and-prior-multiple-vulnerabilites#dis-post-547024";s:7:"pubdate";s:31:"Wed, 07 Dec 2016 08:53:04 +0000";s:4:"guid";s:104:"https://forums.modx.com/thread/101393/revolution-2-5-1-and-prior-multiple-vulnerabilites#dis-post-547024";s:7:"summary";s:2434:"Product: MODX Revolution
Severity: Moderate
Versions: <=2.5.1
Vulnerability type: Directory Traversal / SQL Injection
Report date: 2016-Nov-4
Fixed date: 2016-Nov-14
Description
We received notice that there are several vulnerabilities that include a SQL injection and directory traversal. These issues on their own are not critical in nature, however, it could be possible for determined attackers to combine vectors to compromise a site.
Affected Releases
All MODX Revolution releases prior to and including 2.5.1
Solutions
- Upgrade to MODX Revolution 2.5.2 or above.
- Patch available for versions 2.3.3-2.5.2 thanks to Sterc. Versions below 2.3.3 must upgrade.
Support
If you do not know how to upgrade your site there are several support options available. You can contact the developer or builder of your site, ask for help in the MODX Forums, find a MODX Professional or get help from the MODX Services team.
Acknowledgement
We would like to thank Nikolay Lanets (modxclub.ru) and Chen Ruiqi for bringing these issues to our attention and verifying their resolution.
Additional Information
For additional information, please use the [url=http://modx.com/company/contact/]MODX Contact Form";s:14:"date_timestamp";i:1481100784;}i:2;a:8:{s:5:"title";s:52:"Critical Login XSS+CSRF Revolution 2.2.1.4 and Prior";s:4:"link";s:105:"https://forums.modx.com/thread/92129/critical-login-xss-csrf-revolution-2-2-1-4-and-prior#dis-post-503208";s:11:"description";s:1633:"Product: MODX Revolution
Severity: Critical
Versions: 2.0.0–2.2.14
Vulnerability type: CSRF & XSS
Report date: 2014-Jul-10
Fixed date: 2014-Jul-15
Description
A significant vulnerability was discovered in the Manager login of MODX Revolution that also affects the use of the Login Extra. A malicious user could formulate a link that automatically logs the user into their own account, then redirects the user to a site the attacker controls immediately, exposing the user's CSRF token. This can be exploited with or without getting the user to enter their credentials in the form.
Affected Releases
All MODX Revolution releases prior to and including 2.2.14.
Solution
Upgrade to MODX Revolution 2.2.15. Due to the nature of this issue and the number of files requiring changes the solution is to upgrade. No installable patch or fileset is available for prior versions.
Acknowledgement
We would like to thank Narendra Bhati, of Suma Soft for bringing this issue to our attention.
Additional Information
For additional information, please use the MODX Contact Form";s:8:"comments";s:105:"https://forums.modx.com/thread/92129/critical-login-xss-csrf-revolution-2-2-1-4-and-prior#dis-post-503208";s:7:"pubdate";s:31:"Tue, 15 Jul 2014 01:29:03 +0000";s:4:"guid";s:105:"https://forums.modx.com/thread/92129/critical-login-xss-csrf-revolution-2-2-1-4-and-prior#dis-post-503208";s:7:"summary";s:1633:"Product: MODX Revolution
Severity: Critical
Versions: 2.0.0–2.2.14
Vulnerability type: CSRF & XSS
Report date: 2014-Jul-10
Fixed date: 2014-Jul-15
Description
A significant vulnerability was discovered in the Manager login of MODX Revolution that also affects the use of the Login Extra. A malicious user could formulate a link that automatically logs the user into their own account, then redirects the user to a site the attacker controls immediately, exposing the user's CSRF token. This can be exploited with or without getting the user to enter their credentials in the form.
Affected Releases
All MODX Revolution releases prior to and including 2.2.14.
Solution
Upgrade to MODX Revolution 2.2.15. Due to the nature of this issue and the number of files requiring changes the solution is to upgrade. No installable patch or fileset is available for prior versions.
Acknowledgement
We would like to thank Narendra Bhati, of Suma Soft for bringing this issue to our attention.
Additional Information
For additional information, please use the MODX Contact Form";s:14:"date_timestamp";i:1405387743;}i:3;a:8:{s:5:"title";s:33:"Revolution Security Announcements";s:4:"link";s:86:"https://forums.modx.com/thread/91864/revolution-security-announcements#dis-post-501935";s:11:"description";s:369:"This is the MODX Revolution Security board. This is the central location where announcements related to security issues and resolutions are posted. You can subscribe by RSS or to our MODX Security Bulletin email.";s:8:"comments";s:86:"https://forums.modx.com/thread/91864/revolution-security-announcements#dis-post-501935";s:7:"pubdate";s:31:"Tue, 01 Jul 2014 07:09:27 +0000";s:4:"guid";s:86:"https://forums.modx.com/thread/91864/revolution-security-announcements#dis-post-501935";s:7:"summary";s:369:"This is the MODX Revolution Security board. This is the central location where announcements related to security issues and resolutions are posted. You can subscribe by RSS or to our MODX Security Bulletin email.";s:14:"date_timestamp";i:1404198567;}}s:7:"channel";a:4:{s:5:"title";s:43:"Revolution Security - MODX Community Forums";s:4:"link";s:40:"https://forums.modx.com/board/?board=294";s:11:"description";s:34:"RSS Feed for MODX Community Forums";s:7:"tagline";s:34:"RSS Feed for MODX Community Forums";}s:9:"textinput";a:0:{}s:5:"image";a:0:{}s:9:"feed_type";s:3:"RSS";s:12:"feed_version";s:3:"2.0";s:8:"encoding";s:5:"UTF-8";s:16:"_source_encoding";s:0:"";s:5:"ERROR";s:0:"";s:7:"WARNING";s:0:"";s:19:"_CONTENT_CONSTRUCTS";a:6:{i:0;s:7:"content";i:1;s:7:"summary";i:2;s:4:"info";i:3;s:5:"title";i:4;s:7:"tagline";i:5;s:9:"copyright";}s:16:"_KNOWN_ENCODINGS";a:3:{i:0;s:5:"UTF-8";i:1;s:8:"US-ASCII";i:2;s:10:"ISO-8859-1";}s:5:"stack";a:0:{}s:9:"inchannel";b:0;s:6:"initem";b:0;s:9:"incontent";b:0;s:11:"intextinput";b:0;s:7:"inimage";b:0;s:17:"current_namespace";b:0;s:15:"source_encoding";s:5:"UTF-8";}