CVE-2017-1000223
CVE-2017-1000223 is a vulnerability of currently unknown severity. A stored web content injection vulnerability (WCI, a.k.a. XSS) is present in MODX Revolution CMS version 2.5.6 and earlier. An authenticated user with permissions to edit users can save malicious JavaScript as a User Group name and potentially take control over victims' accounts. EPSS estimates a 0.50% chance of exploitation in the next 30 days.
Description
A stored web content injection vulnerability (WCI, a.k.a. XSS) is present in MODX Revolution CMS version 2.5.6 and earlier. An authenticated user with permissions to edit users can save malicious JavaScript as a User Group name and potentially take control over victims' accounts. This can lead to an escalation of privileges providing complete administrative control over the CMS.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Modx | Modx Revolution | <= 2.5.6 |
References
- https://raw.githubusercontent.com/modxcms/revolution/v2.5.7-pl/core/docs/changelog.txt (Release Notes, Third Party Advisory)
Source: NVD / NIST
