Product: MODX Revolution
Severity: Extremely Critical
Vulnerability type: SQL Injection
Report date: 2014-Mar-5
Fixed date: 2014-Mar-6
A vulnerability was discovered in MODX Revolution that allows users to inject and manipulate the database. Attackers could exploit this to alter or destroy data in the database.
All MODX Revolution releases prior to and including 2.2.12.
- Upgrade to MODX Revolution 2.2.13
- To quickly patch 2.2.12 before a complete upgrade you can replace the modx.class.php from 2.2.13 via: https://raw.github.com/modxcms/revolution/v2.2.13-pl/core/model/modx/modx.class.php
- For releases between 2.2.6 and 2.2.11 inclusive, you can replace the modx.class.php with the one from the relevant 'pl2' tag in the MODX Revolution repository. E.g. for v2.2.10-pl it would be https://raw.github.com/modxcms/revolution/v2.2.10-pl2/core/model/modx/modx.class.php".
- For releases prior to 2.2.6, please contact MODX Support for assistance patching your version, or to get help with an upgrade to 2.2.13
Special Note for MODX Cloud Users
If your sites are on MODX Cloud, we've taken steps to protect all sites from this issue, as always we recommend you upgrade to 2.2.13 at your earliest convenience.
We would like to thank MODX community member, Mark Ernst, for bringing this issue to our attention.
For additional information, please use the MODX Contact Form