CVE-2017-9067
MODX Revolution Directory Traversal Vulnerability
CVSS 3.1: 7.0 (HIGH)
EPSS: 0.21%
Description
In MODX Revolution before 2.5.7, when PHP 5.3.3 is used, an attacker is able to include and execute arbitrary files on the web server due to insufficient validation of the action parameter to setup/index.php, aka directory traversal.
How to fix CVE-2017-9067
To remediate CVE-2017-9067, upgrade the affected package to a fixed version listed below.
- Packagist/modx/revolution: upgrade to 2.5.7 or later
Is CVE-2017-9067 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.5.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.0 | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |