PT-2022-17696 · Modx · Modx Revolution
Cyberinsane
·
Published
2022-02-26
·
Updated
2023-03-27
·
CVE-2022-26149
CVSS v3.1
7.2
High
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
MODX Revolution versions 2.8.3-pl and earlier
Description
The issue allows remote authenticated administrators to execute arbitrary code by uploading an executable file. This is possible because the Uploadable File Types setting can be changed by an administrator, allowing for the upload of malicious files.
Recommendations
For MODX Revolution versions 2.8.3-pl and earlier, update to a version that fixes this issue. As a temporary workaround, consider restricting the Uploadable File Types setting to prevent administrators from uploading executable files. Additionally, restrict access to the file upload feature to minimize the risk of exploitation.
Exploit
Fix
Unrestricted File Upload
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Modx Revolution