CVE-2019-1010178

Published: Jul 24, 2019Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Fred MODX Revolution < 1.0.0-beta5 is affected by: Incorrect Access Control - CWE-648. The impact is: Remote Code Execution. The component is: assets/components/fred/web/elfinder/connector.php. The attack vector is: Uploading a PHP file or change data in the database. The fixed version is: https://github.com/modxcms/fred/commit/139cefac83b2ead90da23187d92739dec79d3ccd and https://github.com/modxcms/fred/commit/01f0a3d1ae7f3970639c2a0db1887beba0065246.

Affected (7)

Products: Modx: Fred

Modx

1 product

Fred

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
Modx Fred	Version 1.0.0
Modx Fred	Version 1.0.0 beta2
Modx Fred	Version 1.0.0 beta4
Modx Fred	Version 1.0.0 pl
Modx Fred	Version 1.0.0 rc1
Modx Fred	Version 1.0.0 rc2
Modx Fred	Version 1.0.0 rc

Related CWEs

CWE-269

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CWE-648

Incorrect Use of Privileged APIs

The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

References (2)

https://www.youtube.com/watch?v=vOlw2DP9WbE

Source: josh@bress.net

ExploitThird Party Advisory

https://www.youtube.com/watch?v=vOlw2DP9WbE

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.