Description
setup/controllers/language.php in MODX Revolution 2.5.4-pl and earlier does not properly constrain the language parameter, which allows remote attackers to conduct Cookie-Bombing attacks and cause a denial of service (cookie quota exhaustion), or conduct HTTP Response Splitting attacks with resultant XSS, via an invalid parameter value.
Remediation
References
Related Vulnerabilities
WordPress Plugin Abandoned Cart Recovery for WooCommerce Cross-Site Request Forgery (1.0.4)
Drupal Core 8.9.x Information Disclosure (8.9.0 - 8.9.5)
WordPress Plugin Kraken.io Image Optimizer Cross-Site Request Forgery (2.6.5)
WordPress Plugin WP Idea Stream Cross-Site Scripting (2.1.1)
WordPress Plugin Dialog Contact Form Cross-Site Scripting (1.2.0)