O:9:"MagpieRSS":21:{s:6:"parser";i:0;s:12:"current_item";a:0:{}s:5:"items";a:4:{i:0;a:8:{s:5:"title";s:80:"Revolution 2.6.4 and Prior Two Critical Vulnerabilities; Upgrade Mandatory/Patch";s:4:"link";s:133:"https://forums.modx.com/thread/104040/revolution-2-6-4-and-prior-two-cricital-vulnerabilities-upgrade-mandatory-patch#dis-post-559515";s:11:"description";s:2441:"<strong>Product:</strong> MODX Revolution<br />
<strong>Severity:</strong> Critical<br />
<strong>Versions:</strong> &lt;=2.6.4<br />
<strong>Vulnerability type(s):</strong> Remote Execution / File/Directory Deletion<br />
<strong>Report date:</strong> 2018-Jul-11<br />
<strong>Fixed date:</strong> 2018-Jul-12<br />
<br />
<strong>Description</strong> <br />
On July 11 we received notice that <strong>there are two critical vulnerabilities</strong> that include remote script execution and file/directory removal. These issues are critical in nature. It is possible for attackers to compromise the website or deface or delete files or directories.  <br />
<br />
<strong>Affected Releases</strong><br />
All MODX Revolution releases prior to and including 2.6.4<br />
<br />
<strong>Solutions</strong><br />
<ol class="dis-ol"><li>Upgrade to <a href="https://modx.com/download" target="_blank" rel="nofollow">MODX Revolution 2.6.5</a> or above. </li>
<li>If you&#039;re on 2.6.4 you can replace the changed files included in the commits:  <a href="https://github.com/modxcms/revolution/commit/606dc0f1635de4b699d1151616af75e5c08d4cdd" target="_blank" rel="nofollow">here (can be manually updated on versions back to 2.3.0)</a> and <a href="https://github.com/modxcms/revolution/commit/3fc50383c81b51e7718c9f29f9cef23dfadfa7fb" target="_blank" rel="nofollow">here (can be updated on versions back to 2.5.2)</a>. Please note, replacing files in other versions of MODX Revolution could  lead to unintended consequences. It is always preferred to upgrade.</li>
</ol>
<br />
<strong>Support</strong><br />
If you do not know how to upgrade your site there are several support options available. You can contact the developer or builder of your site, ask for help in the <a href="https://forums.modx.com/" target="_blank" rel="nofollow">MODX Forums</a>, find a <a href="https://modx.com/professionals" target="_blank" rel="nofollow">MODX Professional</a> or get help from the <a href="https://modx.com/services/#engage" target="_blank" rel="nofollow">MODX Services team</a>.<br />
<br />
<strong>Acknowledgement</strong><br />
We would like to thank Ivan Klimchuk (Alroniks) and agel_nash for bringing these issues to our attention and verifying their resolution. <br />
<br />
<strong>Additional Information</strong><br />
For additional information, please email <a href="mailto:help@modx.com" target="_blank" rel="nofollow">MODX Support</a>.";s:8:"comments";s:133:"https://forums.modx.com/thread/104040/revolution-2-6-4-and-prior-two-cricital-vulnerabilities-upgrade-mandatory-patch#dis-post-559515";s:7:"pubdate";s:31:"Thu, 12 Jul 2018 02:40:19 +0000";s:4:"guid";s:133:"https://forums.modx.com/thread/104040/revolution-2-6-4-and-prior-two-cricital-vulnerabilities-upgrade-mandatory-patch#dis-post-559515";s:7:"summary";s:2441:"<strong>Product:</strong> MODX Revolution<br />
<strong>Severity:</strong> Critical<br />
<strong>Versions:</strong> &lt;=2.6.4<br />
<strong>Vulnerability type(s):</strong> Remote Execution / File/Directory Deletion<br />
<strong>Report date:</strong> 2018-Jul-11<br />
<strong>Fixed date:</strong> 2018-Jul-12<br />
<br />
<strong>Description</strong> <br />
On July 11 we received notice that <strong>there are two critical vulnerabilities</strong> that include remote script execution and file/directory removal. These issues are critical in nature. It is possible for attackers to compromise the website or deface or delete files or directories.  <br />
<br />
<strong>Affected Releases</strong><br />
All MODX Revolution releases prior to and including 2.6.4<br />
<br />
<strong>Solutions</strong><br />
<ol class="dis-ol"><li>Upgrade to <a href="https://modx.com/download" target="_blank" rel="nofollow">MODX Revolution 2.6.5</a> or above. </li>
<li>If you&#039;re on 2.6.4 you can replace the changed files included in the commits:  <a href="https://github.com/modxcms/revolution/commit/606dc0f1635de4b699d1151616af75e5c08d4cdd" target="_blank" rel="nofollow">here (can be manually updated on versions back to 2.3.0)</a> and <a href="https://github.com/modxcms/revolution/commit/3fc50383c81b51e7718c9f29f9cef23dfadfa7fb" target="_blank" rel="nofollow">here (can be updated on versions back to 2.5.2)</a>. Please note, replacing files in other versions of MODX Revolution could  lead to unintended consequences. It is always preferred to upgrade.</li>
</ol>
<br />
<strong>Support</strong><br />
If you do not know how to upgrade your site there are several support options available. You can contact the developer or builder of your site, ask for help in the <a href="https://forums.modx.com/" target="_blank" rel="nofollow">MODX Forums</a>, find a <a href="https://modx.com/professionals" target="_blank" rel="nofollow">MODX Professional</a> or get help from the <a href="https://modx.com/services/#engage" target="_blank" rel="nofollow">MODX Services team</a>.<br />
<br />
<strong>Acknowledgement</strong><br />
We would like to thank Ivan Klimchuk (Alroniks) and agel_nash for bringing these issues to our attention and verifying their resolution. <br />
<br />
<strong>Additional Information</strong><br />
For additional information, please email <a href="mailto:help@modx.com" target="_blank" rel="nofollow">MODX Support</a>.";s:14:"date_timestamp";i:1531363219;}i:1;a:8:{s:5:"title";s:51:"Revolution 2.5.1 and Prior Multiple Vulnerabilities";s:4:"link";s:104:"https://forums.modx.com/thread/101393/revolution-2-5-1-and-prior-multiple-vulnerabilites#dis-post-547024";s:11:"description";s:2434:"<strong>Product:</strong> MODX Revolution<br />
<strong>Severity:</strong> Moderate<br />
<strong>Versions:</strong> &lt;=2.5.1<br />
<strong>Vulnerability type:</strong> Directory Traversal / SQL Injection<br />
<strong>Report date:</strong> 2016-Nov-4<br />
<strong>Fixed date:</strong> 2016-Nov-14<br />
<br />
<strong>Description</strong> <br />
We received notice that there are several vulnerabilities that include a SQL injection and directory traversal. These issues on their own are not critical in nature, however, it could be possible for determined attackers to combine vectors to compromise a site. <br />
<br />
<strong>Affected Releases</strong><br />
All MODX Revolution releases prior to and including 2.5.1<br />
<br />
<strong>Solutions</strong><br />
<ol class="dis-ol"><li>Upgrade to <a href="https://modx.com/download" target="_blank" rel="nofollow">MODX Revolution 2.5.2</a> or above. </li>
<li><a href="https://www.sterc.nl/en/modx/modx-2.5.2-security-patch" target="_blank" rel="nofollow">Patch available for versions 2.3.3-2.5.2</a> thanks to Sterc. Versions below 2.3.3 must upgrade.</li>
</ol>
<br />
<strong>Support</strong><br />
If you do not know how to upgrade your site there are several support options available. You can contact the developer or builder of your site, ask for help in the <a href="https://forums.modx.com/" target="_blank" rel="nofollow">MODX Forums</a>, find a <a href="https://modx.com/professionals" target="_blank" rel="nofollow">MODX Professional</a> or get help from the <a href="https://modx.com/services/#engage" target="_blank" rel="nofollow">MODX Services team</a>.<br />
<br />
<strong>Acknowledgement</strong><br />
We would like to thank &#91;url=modxclub.ru&#93;Nikolay Lanets<a href=" and Chen Ruiqi from for bringing these issues to our attention and verifying their resolution. <br />
<br />
Additional Information<br />
For additional information, please use the &#91;url=<a href="http://modx.com/company/contact/" target="_blank" rel="nofollow">http://modx.com/company/contact/</a>&#93;MODX Contact Form" target="_blank" rel="nofollow"> and Chen Ruiqi from for bringing these issues to our attention and verifying their resolution. <br />
<br />
Additional Information<br />
For additional information, please use the &#91;url=<a href="http://modx.com/company/contact/" target="_blank" rel="nofollow">http://modx.com/company/contact/</a>&#93;MODX Contact Form</a>";s:8:"comments";s:104:"https://forums.modx.com/thread/101393/revolution-2-5-1-and-prior-multiple-vulnerabilites#dis-post-547024";s:7:"pubdate";s:31:"Wed, 07 Dec 2016 08:53:04 +0000";s:4:"guid";s:104:"https://forums.modx.com/thread/101393/revolution-2-5-1-and-prior-multiple-vulnerabilites#dis-post-547024";s:7:"summary";s:2434:"<strong>Product:</strong> MODX Revolution<br />
<strong>Severity:</strong> Moderate<br />
<strong>Versions:</strong> &lt;=2.5.1<br />
<strong>Vulnerability type:</strong> Directory Traversal / SQL Injection<br />
<strong>Report date:</strong> 2016-Nov-4<br />
<strong>Fixed date:</strong> 2016-Nov-14<br />
<br />
<strong>Description</strong> <br />
We received notice that there are several vulnerabilities that include a SQL injection and directory traversal. These issues on their own are not critical in nature, however, it could be possible for determined attackers to combine vectors to compromise a site. <br />
<br />
<strong>Affected Releases</strong><br />
All MODX Revolution releases prior to and including 2.5.1<br />
<br />
<strong>Solutions</strong><br />
<ol class="dis-ol"><li>Upgrade to <a href="https://modx.com/download" target="_blank" rel="nofollow">MODX Revolution 2.5.2</a> or above. </li>
<li><a href="https://www.sterc.nl/en/modx/modx-2.5.2-security-patch" target="_blank" rel="nofollow">Patch available for versions 2.3.3-2.5.2</a> thanks to Sterc. Versions below 2.3.3 must upgrade.</li>
</ol>
<br />
<strong>Support</strong><br />
If you do not know how to upgrade your site there are several support options available. You can contact the developer or builder of your site, ask for help in the <a href="https://forums.modx.com/" target="_blank" rel="nofollow">MODX Forums</a>, find a <a href="https://modx.com/professionals" target="_blank" rel="nofollow">MODX Professional</a> or get help from the <a href="https://modx.com/services/#engage" target="_blank" rel="nofollow">MODX Services team</a>.<br />
<br />
<strong>Acknowledgement</strong><br />
We would like to thank &#91;url=modxclub.ru&#93;Nikolay Lanets<a href=" and Chen Ruiqi from for bringing these issues to our attention and verifying their resolution. <br />
<br />
Additional Information<br />
For additional information, please use the &#91;url=<a href="http://modx.com/company/contact/" target="_blank" rel="nofollow">http://modx.com/company/contact/</a>&#93;MODX Contact Form" target="_blank" rel="nofollow"> and Chen Ruiqi from for bringing these issues to our attention and verifying their resolution. <br />
<br />
Additional Information<br />
For additional information, please use the &#91;url=<a href="http://modx.com/company/contact/" target="_blank" rel="nofollow">http://modx.com/company/contact/</a>&#93;MODX Contact Form</a>";s:14:"date_timestamp";i:1481100784;}i:2;a:8:{s:5:"title";s:52:"Critical Login XSS+CSRF Revolution 2.2.1.4 and Prior";s:4:"link";s:105:"https://forums.modx.com/thread/92129/critical-login-xss-csrf-revolution-2-2-1-4-and-prior#dis-post-503208";s:11:"description";s:1633:"<strong>Product:</strong> MODX Revolution<br />
<strong>Severity:</strong> Critical<br />
<strong>Versions:</strong> 2.0.0–2.2.14<br />
<strong>Vulnerability type:</strong> CSRF &amp; XSS<br />
<strong>Report date:</strong> 2014-Jul-10<br />
<strong>Fixed date:</strong> 2014-Jul-15<br />
<br />
<strong>Description</strong> <br />
A significant vulnerability was discovered in the Manager login of MODX Revolution that also affects the use of the Login Extra. A malicious user could formulate a link that automatically logs the user into their own account, then redirects the user to a site the attacker controls immediately, exposing the user&#039;s CSRF token. This can be exploited with or without getting the user to enter their credentials in the form.<br />
<br />
<strong>Affected Releases</strong><br />
All MODX Revolution releases prior to and including 2.2.14.<br />
<br />
<strong>Solution</strong><br />
Upgrade to <a href="http://modx.com/download/release/revolution-2.2.15-pl" target="_blank" rel="nofollow">MODX Revolution 2.2.15</a>. Due to the nature of this issue and the number of files requiring changes the solution is to upgrade. No installable patch or fileset is available for prior versions.<br />
<br />
<strong>Acknowledgement</strong><br />
We would like to thank Narendra Bhati, of <a href="http://www.sumasoft.com" target="_blank" rel="nofollow">Suma Soft</a> for bringing this issue to our attention.<br />
<br />
<strong>Additional Information</strong><br />
For additional information, please use the <a href="http://modx.com/company/contact/" target="_blank" rel="nofollow">MODX Contact Form</a>";s:8:"comments";s:105:"https://forums.modx.com/thread/92129/critical-login-xss-csrf-revolution-2-2-1-4-and-prior#dis-post-503208";s:7:"pubdate";s:31:"Tue, 15 Jul 2014 01:29:03 +0000";s:4:"guid";s:105:"https://forums.modx.com/thread/92129/critical-login-xss-csrf-revolution-2-2-1-4-and-prior#dis-post-503208";s:7:"summary";s:1633:"<strong>Product:</strong> MODX Revolution<br />
<strong>Severity:</strong> Critical<br />
<strong>Versions:</strong> 2.0.0–2.2.14<br />
<strong>Vulnerability type:</strong> CSRF &amp; XSS<br />
<strong>Report date:</strong> 2014-Jul-10<br />
<strong>Fixed date:</strong> 2014-Jul-15<br />
<br />
<strong>Description</strong> <br />
A significant vulnerability was discovered in the Manager login of MODX Revolution that also affects the use of the Login Extra. A malicious user could formulate a link that automatically logs the user into their own account, then redirects the user to a site the attacker controls immediately, exposing the user&#039;s CSRF token. This can be exploited with or without getting the user to enter their credentials in the form.<br />
<br />
<strong>Affected Releases</strong><br />
All MODX Revolution releases prior to and including 2.2.14.<br />
<br />
<strong>Solution</strong><br />
Upgrade to <a href="http://modx.com/download/release/revolution-2.2.15-pl" target="_blank" rel="nofollow">MODX Revolution 2.2.15</a>. Due to the nature of this issue and the number of files requiring changes the solution is to upgrade. No installable patch or fileset is available for prior versions.<br />
<br />
<strong>Acknowledgement</strong><br />
We would like to thank Narendra Bhati, of <a href="http://www.sumasoft.com" target="_blank" rel="nofollow">Suma Soft</a> for bringing this issue to our attention.<br />
<br />
<strong>Additional Information</strong><br />
For additional information, please use the <a href="http://modx.com/company/contact/" target="_blank" rel="nofollow">MODX Contact Form</a>";s:14:"date_timestamp";i:1405387743;}i:3;a:8:{s:5:"title";s:33:"Revolution Security Announcements";s:4:"link";s:86:"https://forums.modx.com/thread/91864/revolution-security-announcements#dis-post-501935";s:11:"description";s:369:"This is the MODX Revolution Security board. This is the central location where announcements related to security issues and resolutions are posted. You can subscribe by <a href="http://forums.modx.com/board.xml?board=294" target="_blank" rel="nofollow">RSS</a> or to our <a href="http://eepurl.com/WIa5v" target="_blank" rel="nofollow">MODX Security Bulletin email</a>.";s:8:"comments";s:86:"https://forums.modx.com/thread/91864/revolution-security-announcements#dis-post-501935";s:7:"pubdate";s:31:"Tue, 01 Jul 2014 07:09:27 +0000";s:4:"guid";s:86:"https://forums.modx.com/thread/91864/revolution-security-announcements#dis-post-501935";s:7:"summary";s:369:"This is the MODX Revolution Security board. This is the central location where announcements related to security issues and resolutions are posted. 
You can subscribe by <a href="http://forums.modx.com/board.xml?board=294" target="_blank" rel="nofollow">RSS</a> or to our <a href="http://eepurl.com/WIa5v" target="_blank" rel="nofollow">MODX Security Bulletin email</a>.";s:14:"date_timestamp";i:1404198567;}}s:7:"channel";a:4:{s:5:"title";s:43:"Revolution Security - MODX Community Forums";s:4:"link";s:40:"https://forums.modx.com/board/?board=294";s:11:"description";s:34:"RSS Feed for MODX Community Forums";s:7:"tagline";s:34:"RSS Feed for MODX Community Forums";}s:9:"textinput";a:0:{}s:5:"image";a:0:{}s:9:"feed_type";s:3:"RSS";s:12:"feed_version";s:3:"2.0";s:8:"encoding";s:5:"UTF-8";s:16:"_source_encoding";s:0:"";s:5:"ERROR";s:0:"";s:7:"WARNING";s:0:"";s:19:"_CONTENT_CONSTRUCTS";a:6:{i:0;s:7:"content";i:1;s:7:"summary";i:2;s:4:"info";i:3;s:5:"title";i:4;s:7:"tagline";i:5;s:9:"copyright";}s:16:"_KNOWN_ENCODINGS";a:3:{i:0;s:5:"UTF-8";i:1;s:8:"US-ASCII";i:2;s:10:"ISO-8859-1";}s:5:"stack";a:0:{}s:9:"inchannel";b:0;s:6:"initem";b:0;s:9:"incontent";b:0;s:11:"intextinput";b:0;s:7:"inimage";b:0;s:17:"current_namespace";b:0;}