Published: 03/12/2014 Updated: 22/10/2019

CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10

VMScore: 505

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

MODX Revolution 2.x prior to 2.2.15 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote malicious users to obtain potentially sensitive information via script access to this cookie.

Vulnerable Product	Search on Vulmon	Subscribe to Product
modx modx revolution 2.1.3
modx modx revolution 2.1.4
modx modx revolution 2.1.5
modx modx revolution 2.2.0
modx modx revolution 2.2.8
modx modx revolution 2.2.9
modx modx revolution 2.0.0
modx modx revolution 2.0.7
modx modx revolution 2.1.0
modx modx revolution 2.1.2
modx modx revolution 2.2.1
modx modx revolution 2.2.11
modx modx revolution 2.2.5
modx modx revolution 2.2.7
modx modx revolution 2.0.1
modx modx revolution 2.0.8
modx modx revolution 2.1.1
modx modx revolution 2.2.10
modx modx revolution 2.2.12
modx modx revolution 2.2.4
modx modx revolution 2.2.6
modx modx revolution 2.0.3
modx modx revolution 2.0.4
modx modx revolution 2.0.5
modx modx revolution 2.0.6
modx modx revolution 2.2.13
modx modx revolution 2.2.14
modx modx revolution 2.2.2
modx modx revolution 2.2.3

Advisory ID: 92152 Product: MODX Revolution Vendor: MODX Vulnerable Version(s): 2002214 Tested Version: 2214 Advisory Publication: 16 July, 2014 [without technical details] Vendor Notification: 16 July, 2014 Vendor Patch: 15 July, 2014 Public Disclosure: 2 November , 2014 Vulnerability Type: CSRF Tokens Bypass + Reflected Cross Site S ...

CWE-200 http://forums.modx.com/thread/92152/critical-login-xss-csrf-revolution-2-2-1-4-and-prior http://hacktivity.websecgeeks.com/modx-csrf-and-xss/https://nvd.nist.gov https://www.exploit-db.com/exploits/35159/

CVE-2014-8775

Vulnerability Summary

Exploits

References

Vulmon Search

About

Products

Connect