CVE-2014-8775

MODX Revolution <2.2.15 - Info Disclosure

Description

MODX Revolution 2.x before 2.2.15 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Exploits (1)

exploitdb WRITEUP
by Narendra Bhati · text · webapps · php
https://www.exploit-db.com/exploits/35159

References (2)

Core 2

Scores

EPSS 0.1206
EPSS Percentile 93.8%

Details

CWE
CWE-200
Status published
Products (29)
modx/modx_revolution 2.0.0
modx/modx_revolution 2.0.1
modx/modx_revolution 2.0.3
modx/modx_revolution 2.0.4
modx/modx_revolution 2.0.5
modx/modx_revolution 2.0.6
modx/modx_revolution 2.0.7
modx/modx_revolution 2.0.8
modx/modx_revolution 2.1.0
modx/modx_revolution 2.1.1
... and 19 more
Published Dec 03, 2014
Tracked Since Feb 18, 2026