CVE-2016-10039

Name of the Vulnerable Software and Affected Versions MODX Revolution versions prior to 2.5.2-pl

Description The issue allows remote attackers to perform local file inclusion, traversal, and manipulation via a crafted dir parameter in the /connectors/index.php file. This is related to the browser/directory/getfiles functionality.

Recommendations For MODX Revolution versions prior to 2.5.2-pl, update to version 2.5.2-pl or later to resolve the issue. As a temporary workaround, consider restricting access to the /connectors/index.php file or disabling the getfiles functionality in the browser/directory module until a patch is applied. Avoid using the dir parameter in the affected API endpoint until the issue is resolved.