CVE-2017-1000223
CVSS V2 Low 3.5
CVSS V3 Medium 5.4
Description
A stored web content injection vulnerability (WCI, a.k.a XSS) is present in MODX Revolution CMS version 2.5.6 and earlier. An authenticated user with permissions to edit users can save malicious JavaScript as a User Group name and potentially take control over victims' accounts. This can lead to an escalation of privileges providing complete administrative control over the CMS.
Overview
- CVE ID
- CVE-2017-1000223
- Assigner
- cve@mitre.org
- Vulnerability Status
- Analyzed
- Published Version
- 2017-11-17T05:29:00
- Last Modified Date
- 2017-12-01T15:08:02
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:modx:modx_revolution:*:*:*:*:*:*:*:* | 1 | OR | 2.5.6 |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:N/AC:M/Au:S/C:N/I:P/A:N
- Access Vector
- NETWORK
- Access Compatibility
- MEDIUM
- Authentication
- SINGLE
- Confidentiality Impact
- NONE
- Integrity Impact
- PARTIAL
- Availability Impact
- NONE
- Base Score
- 3.5
- Severity
- LOW
- Exploitability Score
- 6.8
- Impact Score
- 2.9
CVSS Version 3
- Version
- 3.0
- Vector String
- CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- LOW
- User Interaction
- REQUIRED
- Scope
- CHANGED
- Confidentiality Impact
- LOW
- Availability Impact
- NONE
- Base Score
- 5.4
- Base Severity
- MEDIUM
- Exploitability Score
- 2.3
- Impact Score
- 2.7
References
| Reference URL | Reference Tags |
|---|---|
| https://raw.githubusercontent.com/modxcms/revolution/v2.5.7-pl/core/docs/changelog.txt | Release Notes Third Party Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2017-1000223 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000223 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 08:10:09 | Added to TrackCVE | |||
| 2022-12-02 23:13:25 | 2017-11-17T05:29Z | 2017-11-17T05:29:00 | CVE Published Date | updated |
| 2022-12-02 23:13:25 | 2017-12-01T15:08:02 | CVE Modified Date | updated | |
| 2022-12-02 23:13:25 | Analyzed | Vulnerability Status | updated |