setup/controllers/language.php in MODX Revolution 2.5.4-pl and previous versions does not properly constrain the language parameter, which allows remote malicious users to conduct Cookie-Bombing attacks and cause a denial of service (cookie quota exhaustion), or conduct HTTP Response Splitting attacks with resultant XSS, via an invalid parameter value.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
modx modx revolution |