Description

A stored web content injection vulnerability (WCI, a.k.a XSS) is present in MODX Revolution CMS version 2.5.6 and earlier. An authenticated user with permissions to edit users can save malicious JavaScript as a User Group name and potentially take control over victims' accounts. This can lead to an escalation of privileges providing complete administrative control over the CMS.

Remediation

References

CVE-2017-1000223

Related Vulnerabilities

Joomla! Core Security Bypass (2.5.0 - 3.9.16)

ownCloud Improper Privilege Management Vulnerability (CVE-2021-35946)

Drupal Core 5.x Multiple Security Bypass Vulnerabilities (5.0 - 5.10)

Ruby Integer Overflow or Wraparound Vulnerability (CVE-2008-2663)

Oracle Database Server CVE-2018-2939 Vulnerability (CVE-2018-2939)

Severity

Medium

Classification

CVE-2017-1000223 CWE-707 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities