Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-1010178

Fred MODX Revolution < 1.0.0-beta5 is affected by: Incorrect Access Control - CWE-648. The impact is: Remote Code Execution. The component is: assets/components/fred/web/elfinder/connector.php. The attack vector is: Uploading a PHP file or change data in the database. The fixed version is: https://github.com/modxcms/fred/commit/139cefac83b2ead90da23187d92739dec79d3ccd and https://github.com/modxcms/fred/commit/01f0a3d1ae7f3970639c2a0db1887beba0065246.

Published

2019-07-24T14:15:10.877

Last Modified

2024-11-21T04:18:01.530

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-648
Type: Primary
CWE-269

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	modx	fred	1.0.0	Yes
Application	modx	fred	1.0.0	Yes
Application	modx	fred	1.0.0	Yes
Application	modx	fred	1.0.0	Yes
Application	modx	fred	1.0.0	Yes
Application	modx	fred	1.0.0	Yes
Application	modx	fred	1.0.0	Yes

References

https://www.youtube.com/watch?v=vOlw2DP9WbE Exploit, Third Party Advisory ([email protected])
https://www.youtube.com/watch?v=vOlw2DP9WbE Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)