Vulnerability Name: CVE-2017-9067 (CCN-126248)
Assigned: 2017-04-26
Published: 2017-04-26
Updated: 2017-05-31
Summary: In MODX Revolution before 2.5.7, when PHP 5.3.3 is used, an attacker is able to include and execute arbitrary files on the web server due to insufficient validation of the action parameter to setup/index.php, aka directory traversal.
CVSS v3 Severity:
7.0 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.1 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
CVSS v2 Severity: 4.4 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P)
Vulnerability Type: CWE-22
Vulnerability Consequences: Gain Access
References:
Source: MITRE | Type: CNA | CVE-2017-9067
Source: CCN | Type: CITADELO Web site | MODX Revolution CMS 2.5.6 Multiple Vulnerabilities
Source: MISC | Type: Exploit, Third Party Advisory | https://citadelo.com/en/2017/04/modx-revolution-cms/
Source: XF | Type: UNKNOWN | modx-cve20179067-file-include(126248)
Source: CCN | Type: MODX Revolution CMS GIT Repository | [SECURITY-20] Fix local file inclusion vulnerability in setup action parameter #13422
Source: MISC | Type: Third Party Advisory | https://github.com/modxcms/revolution/pull/13422
Source: CCN | Type: MODX Revolution CMS GIT Repository | [SECURITY-20] Improve local file inclusion protections #13428
Source: MISC | Type: Third Party Advisory | https://github.com/modxcms/revolution/pull/13428
Vulnerable Configuration: Configuration 1: Configuration 2: Denotes that component is vulnerable