Published: 2011/01/26  Last Updated: 2011/05/20

JVN#54092716
MODx Evolution vulnerable to SQL injection

Overview

MODx Evolution contains a SQL injection vulnerability.

Products Affected

  • MODx Evolution 1.0.4 and earlier

Description

MODx, provided by the MODx CMS Project, is Content Management System (CMS) software. MODx Evolution contains a SQL injection vulnerability.

Impact

A remote attacker may execute arbitrary PHP code as a result of SQL injection.

Solution

Update the software
Update to the latest version according to the information provided by the developer.

References

  1. IPA
    Security Alert for Vulnerability in MODx Evolution

JPCERT/CC Addendum


Vulnerability Analysis by JPCERT/CC

Analyzed on 2011.01.26

Measures: Conditions (Severity)

  • Access Required: can be attacked over the Internet using packets (Severity: High)
  • Authentication: anonymous or no authentication (IP addresses do not count) (Severity: High)
  • User Interaction Required: the vulnerability can be exploited without an honest user taking any action (Severity: High)
  • Exploit Complexity: some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls) (Severity: Mid-High)


Credit

Other Information

CVE: CVE-2010-3929
JVN iPedia: JVNDB-2011-000008

Update History

2011/05/20
Information under the section "References" was modified.