MODX Revolution CVE-2014-5451 Cross Site Scripting Vulnerability

Bugtraq ID:	69884
Class:	Input Validation Error
CVE:	CVE-2014-5451
Remote:	Yes
Local:	No
Published:	Sep 17 2014 12:00AM
Updated:	Sep 17 2014 12:00AM
Credit:	High-Tech Bridge Security Research Lab
Vulnerable:
Not Vulnerable:

MODX Revolution CVE-2014-5451 Cross Site Scripting Vulnerability

MODX Revolution is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

MODX Revolution 2.3.1-pl is vulnerable; other versions may also be affected.

MODX Revolution CVE-2014-5451 Cross Site Scripting Vulnerability

To exploit this issue, an attacker must entice an unsuspecting user to follow a malicious URI.

The following example URI is available:

http://www.example.com/manager/?a=%22%20onload=%22javascript:alert%28/immuniweb/%29;%22%3 E

MODX Revolution CVE-2014-5451 Cross Site Scripting Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

MODX Revolution CVE-2014-5451 Cross Site Scripting Vulnerability

References: