Description
setup/controllers/language.php in MODX Revolution 2.5.4-pl and earlier does not properly constrain the language parameter, which allows remote attackers to conduct Cookie-Bombing attacks and cause a denial of service (cookie quota exhaustion), or conduct HTTP Response Splitting attacks with resultant XSS, via an invalid parameter value.
Remediation
References
Related Vulnerabilities
Oracle JRE CVE-2012-5086 Vulnerability (CVE-2012-5086)
WordPress Plugin Customer Reviews for WooCommerce Multiple Vulnerabilities (5.3.5)
PostgreSQL Improper Input Validation Vulnerability (CVE-2012-3489)
WordPress Plugin SP Project & Document Manager Unspecified Vulnerability (2.5.7.3)
Contao Weak Password Recovery Mechanism for Forgotten Password Vulnerability (CVE-2019-10641)