GHSA-hm54-fg2w-2g6j
Suggest an improvement- Source
- https://github.com/advisories/GHSA-hm54-fg2w-2g6j
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-hm54-fg2w-2g6j/GHSA-hm54-fg2w-2g6j.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-hm54-fg2w-2g6j
- Aliases
-
- CVE-2025-28010
- Published
- 2025-03-13T18:32:21Z
- Modified
- 2025-03-19T15:58:53.213386Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P CVSS Calculator
- Summary
- MODX allows cross-site scripting (XSS) via an SVG file
- Details
-
A cross-site scripting (XSS) vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image.
- Database specific
{ "nvd_published_at": "2025-03-13T16:15:27Z", "cwe_ids": [ "CWE-79" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2025-03-13T19:55:06Z" }- References
Affected packages
Packagist / modx/revolution
Package
- Name
- modx/revolution
- Purl
- pkg:composer/modx/revolution
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedLast affected3.1.0
Affected versions
v2.*
v2.7.0-pl
v2.7.1-pl
v2.7.2-pl
v2.7.3-pl
v2.8.0-pl
v2.8.1-pl
v2.8.2-pl
v2.8.3-pl
v2.8.4-pl
v2.8.5-pl
v2.8.6-pl
v2.8.7-pl
v2.8.8-pl
v3.*
v3.0.0-alpha1
v3.0.0-alpha2
v3.0.0-alpha3
v3.0.0-beta1
v3.0.0-beta2
v3.0.0-rc1
v3.0.0-rc2
v3.0.0-pl
v3.0.1-pl
v3.0.2-pl
v3.0.3-pl
v3.0.4-pl
v3.0.5-pl
v3.0.6-pl