Description

A stored web content injection vulnerability (WCI, a.k.a XSS) is present in MODX Revolution CMS version 2.5.6 and earlier. An authenticated user with permissions to edit users can save malicious JavaScript as a User Group name and potentially take control over victims' accounts. This can lead to an escalation of privileges providing complete administrative control over the CMS.

Remediation

References

CVE-2017-1000223

Related Vulnerabilities

WordPress Plugin Booking calendar, Appointment Booking System Multiple Vulnerabilities (2.1.7)

phpMyAdmin Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2016-5734)

WordPress Plugin Appointment Hour Booking-WordPress Booking Cross-Site Scripting (1.3.16)

Oracle Database Server CVE-2011-0792 Vulnerability (CVE-2011-0792)

WordPress Plugin Realia Security Bypass (1.4.0)

Severity

Medium

Classification

CVE-2017-1000223 CWE-707 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities