| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <201411031821.sA3ILS1s006092@sf01web2.securityfocus.com> Date: Mon, 3 Nov 2014 18:21:28 GMT From: bhati.contact@...il.com To: bugtraq@...urityfocus.com Subject: Modx CMS CSRF Bypass & XSS Vulnerabilities Public Disclosure - http://hacktivity.websecgeeks.com/modx-csrf-and-xss/ =========================================== Product: MODX Revolution Severity: Critical Versions: 2.0.0–2.2.14 Vulnerability type: CSRF & XSS Report date: 2014-Jul-10 Fixed date: 2014-Jul-15 Description A significant vulnerability was discovered in the Manager login of MODX Revolution that also affects the use of the Login Extra. A malicious user could formulate a link that automatically logs the user into their own account, then redirects the user to a site the attacker controls immediately, exposing the user's CSRF token. This can be exploited with or without getting the user to enter their credentials in the form. Affected Releases All MODX Revolution releases prior to and including 2.2.14. Solution Upgrade to MODX Revolution 2.2.15. Due to the nature of this issue and the number of files requiring changes the solution is to upgrade. No installable patch or fileset is available for prior versions.
Powered by blists - more mailing lists