CVE-2017-9067

In MODX Revolution before 2.5.7, when PHP 5.3.3 is used, an attacker is able to include and execute arbitrary files on the web server due to insufficient validation of the action parameter to setup/index.php, aka directory traversal.

Published: May 18, 2017
Updated: Apr 13, 2023
CVE: CVE-2017-9067
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Low
Score: 4.4
AV:L/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
modx / modx_revolution	2.5.6	2.5.6.x
php / php	5.3.3	5.3.3.x

https://citadelo.com/en/2017/04/modx-revolution-cms/
https://github.com/modxcms/revolution/pull/13422
https://github.com/modxcms/revolution/pull/13428

Vulnerability Database

290,020

CVE-2017-9067