CVE-2018-1000207 - OpenCVE

MODX Revolution version <=2.6.4 contains a Incorrect Access Control vulnerability in Filtering user parameters before passing them into phpthumb class that can result in Creating file with custom a filename and content. This attack appear to be exploitable via Web request. This vulnerability appears to have been fixed in commit 06bc94257408f6a575de20ddb955aca505ef6e68.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Modx	Modx Revolution

Configuration 1 [-]

cpe:2.3:a:modx:modx_revolution:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/a2u/CVE-2018-1000207	Broken Link Third Party Advisory
https://github.com/modxcms/revolution/commit/06bc94257408f6a575de20ddb955aca505ef6e68	Patch Third Party Advisory
https://github.com/modxcms/revolution/pull/13979	Exploit Third Party Advisory
https://rudnkh.me/posts/critical-vulnerability-in-modx-revolution-2-6-4	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2018-07-13T18:00:00

Updated: 2018-07-16T19:57:01

Reserved: 2018-07-09T00:00:00

Link: CVE-2018-1000207

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-07-13T18:29:00.270

Modified: 2019-10-03T00:03:26.223

Link: CVE-2018-1000207

JSON object: View

Redhat Information

No data.

CWE

CWE-732

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "dateAssigned": "2018-07-10T00:00:00", "datePublic": "2018-07-09T00:00:00", "descriptions": [{"lang": "en", "value": "MODX Revolution version <=2.6.4 contains a Incorrect Access Control vulnerability in Filtering user parameters before passing them into phpthumb class that can result in Creating file with custom a filename and content. This attack appear to be exploitable via Web request. This vulnerability appears to have been fixed in commit 06bc94257408f6a575de20ddb955aca505ef6e68."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-07-16T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://rudnkh.me/posts/critical-vulnerability-in-modx-revolution-2-6-4"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/modxcms/revolution/pull/13979"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/a2u/CVE-2018-1000207"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/modxcms/revolution/commit/06bc94257408f6a575de20ddb955aca505ef6e68"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2018-07-10T20:50:24.882222", "DATE_REQUESTED": "2018-07-09T16:32:07", "ID": "CVE-2018-1000207", "REQUESTER": "security@agel-nash.ru", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "MODX Revolution version <=2.6.4 contains a Incorrect Access Control vulnerability in Filtering user parameters before passing them into phpthumb class that can result in Creating file with custom a filename and content. This attack appear to be exploitable via Web request. This vulnerability appears to have been fixed in commit 06bc94257408f6a575de20ddb955aca505ef6e68."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://rudnkh.me/posts/critical-vulnerability-in-modx-revolution-2-6-4", "refsource": "MISC", "url": "https://rudnkh.me/posts/critical-vulnerability-in-modx-revolution-2-6-4"}, {"name": "https://github.com/modxcms/revolution/pull/13979", "refsource": "CONFIRM", "url": "https://github.com/modxcms/revolution/pull/13979"}, {"name": "https://github.com/a2u/CVE-2018-1000207", "refsource": "MISC", "url": "https://github.com/a2u/CVE-2018-1000207"}, {"name": "https://github.com/modxcms/revolution/commit/06bc94257408f6a575de20ddb955aca505ef6e68", "refsource": "CONFIRM", "url": "https://github.com/modxcms/revolution/commit/06bc94257408f6a575de20ddb955aca505ef6e68"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-1000207", "datePublished": "2018-07-13T18:00:00", "dateReserved": "2018-07-09T00:00:00", "dateUpdated": "2018-07-16T19:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:modx:modx_revolution:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF008510-C712-4018-9E0B-022CFA929190", "versionEndIncluding": "2.6.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "MODX Revolution version <=2.6.4 contains a Incorrect Access Control vulnerability in Filtering user parameters before passing them into phpthumb class that can result in Creating file with custom a filename and content. This attack appear to be exploitable via Web request. This vulnerability appears to have been fixed in commit 06bc94257408f6a575de20ddb955aca505ef6e68."}, {"lang": "es", "value": "MODX Revolution en versiones iguales o anteriores a la 2.6.4 contiene una vulnerabilidad de control de acceso incorrecto en el filtrado de par\u00e1metros user antes de pasarlos a la clase phpthumb, lo que puede resultar en la creaci\u00f3n de un archivo con un nombre de archivo y un contenido personalizados. Parece ser que este ataque puede ser explotado mediante una petici\u00f3n web. La vulnerabilidad parece haber sido solucionada en el commit con ID 06bc94257408f6a575de20ddb955aca505ef6e68."}], "id": "CVE-2018-1000207", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-13T18:29:00.270", "references": [{"source": "cve@mitre.org", "tags": ["Broken Link", "Third Party Advisory"], "url": "https://github.com/a2u/CVE-2018-1000207"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/modxcms/revolution/commit/06bc94257408f6a575de20ddb955aca505ef6e68"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/modxcms/revolution/pull/13979"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://rudnkh.me/posts/critical-vulnerability-in-modx-revolution-2-6-4"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}]}