PT-2019-11497 · Modx · Modx Revolution

Published: 2019-07-24 · Updated: 2020-09-30 · CVE-2019-1010178

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Fred for MODX Revolution, versions prior to 1.0.0-beta5
Description: The vulnerability is an access control flaw that allows remote code execution. An attacker can achieve this either by uploading a PHP file or by modifying data in the database. The vulnerable component is assets/components/fred/web/elfinder/connector.php.
Recommendations: For versions prior to 1.0.0-beta5, apply the fixes from commits https://github.com/modxcms/fred/commit/139cefac83b2ead90da23187d92739dec79d3ccd and https://github.com/modxcms/fred/commit/01f0a3d1ae7f3970639c2a0db1887beba0065246 to resolve the issue. As a temporary workaround, restrict access to the connector.php file of the elFinder component to reduce the risk of exploitation.


Weakness Enumeration: Improper Privilege Management

Related Identifiers: CVE-2019-1010178

Affected Products: Modx Revolution