Cross-site scripting (XSS) vulnerability in the SearchHighlight plugin in MODx Evolution before 1.0.3 allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to AjaxSearch.
Vector
NETWORK
Complexity
MEDIUM
Authentication
NONE
Confidentiality
NONE
Integrity
PARTIAL
Availability
NONE
Modxcms Evolution 0.9.6.1 P1 (not an official CPE)
Modxcms Evolution 0.9.6 (not an official CPE)
Modxcms Evolution 0.9.1 (not an official CPE)
Modxcms Evolution 0.9.0 (not an official CPE)
Modxcms Evolution 0.9.6.1 (not an official CPE)
Modxcms Evolution 0.9.6.2 (not an official CPE)
Modxcms Evolution 0.9.2.1 (not an official CPE)
Modxcms Evolution 0.9.5 (not an official CPE)
Modxcms Evolution 1.0.2 (not an official CPE)
| Advisory | Patch | Confirmed | Link |
|---|---|---|---|
| modx-unspecified-xss(57635) | |||
| http://modxcms.com/forums/index.php/topic,47759.msg28030... | |||
| JVNDB-2010-000013 | |||
| JVN#46669729 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (ID 79)
Related CAPEC 16
Cross Site Scripting through Log Files (CAPEC-ID 106)
Embedding Scripts in Non-Script Elements (CAPEC-ID 18)
Embedding Scripts within Scripts (CAPEC-ID 19)
Cross-Site Scripting in Error Pages (CAPEC-ID 198)
Cross-Site Scripting Using Alternate Syntax (CAPEC-ID 199)
Cross-Site Scripting Using MIME Type Mismatch (CAPEC-ID 209)
Cross-Site Scripting in Attributes (CAPEC-ID 243)
Cross-Site Scripting via Encoded URI Schemes (CAPEC-ID 244)
Cross-Site Scripting Using Doubled Characters, e.g. %3C%3Cscript (CAPEC-ID 245)
Cross-Site Scripting Using Flash (CAPEC-ID 246)
Cross-Site Scripting with Masking through Invalid Characters in Identifiers (CAPEC-ID 247)
Embedding Scripts in HTTP Query Strings (CAPEC-ID 32)
Simple Script Injection (CAPEC-ID 63)
AJAX Fingerprinting (CAPEC-ID 85)
Embedding Script (XSS) in HTTP Headers (CAPEC-ID 86)
XSS in IMG Tags (CAPEC-ID 91)