MODX Revolution 2.x before 2.2.15 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism by (1) omitting the CSRF token or via a (2) long string in the CSRF token parameter.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P
Vendors Products
Modx
  • Modx Revolution

Configuration 1 [-]

OR cpe:2.3:a:modx:modx_revolution:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.0.4:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.0.5:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.0.6:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.0.7:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.0.8:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.1.3:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.1.4:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.1.5:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.2.2:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.2.3:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.2.4:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.2.5:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.2.6:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.2.7:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.2.8:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.2.9:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.2.10:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.2.11:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.2.12:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.2.13:*:*:*:*:*:*:*
cpe:2.3:a:modx:modx_revolution:2.2.14:*:*:*:*:*:*:*
References
Link Resource
http://forums.modx.com/thread/92152/critical-login-xss-csrf-revolution-2-2-1-4-and-prior
http://hacktivity.websecgeeks.com/modx-csrf-and-xss/ Exploit
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2014-12-03T18:00:00

Updated: 2014-12-03T17:57:00

Reserved: 2014-11-13T00:00:00

Link: CVE-2014-8773

JSON object: View

cve-icon NVD Information

Status : Analyzed

Published: 2014-12-03T18:59:03.987

Modified: 2019-10-22T17:23:37.007

Link: CVE-2014-8773

JSON object: View

cve-icon Redhat Information

No data.

CWE