CVE-2014-8775

MODX Revolution <2.2.15 - Info Disclosure

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-8775. PoCs published by Narendra Bhati.

AI-analyzed exploit summary: This advisory details multiple vulnerabilities in MODX Revolution, including CSRF token bypass, reflected XSS via the 'context_key' parameter, and stored XSS via the 'context' parameter. The writeup provides exploitation examples but does not include functional exploit code.

Description

MODX Revolution 2.x before 2.2.15 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Exploits (1)

exploitdb WRITEUP
by Narendra Bhati · text · webapps · php
https://www.exploit-db.com/exploits/35159

Classification: Writeup 100%
Attack Type: XSS | Auth Bypass
Complexity: Moderate
Reliability: Theoretical
Target: MODX Revolution 2.0.0-2.2.14
No auth needed
Prerequisites: Victim interaction for reflected XSS · Authenticated session for stored XSS
devstral-2 · analyzed Feb 16, 2026

Scores

EPSS 0.0276
EPSS Percentile 84.3%

Details

CWE: CWE-200
Status: published
Products (29)
modx/modx_revolution 2.0.0
modx/modx_revolution 2.0.1
modx/modx_revolution 2.0.3
modx/modx_revolution 2.0.4
modx/modx_revolution 2.0.5
modx/modx_revolution 2.0.6
modx/modx_revolution 2.0.7
modx/modx_revolution 2.0.8
modx/modx_revolution 2.1.0
modx/modx_revolution 2.1.1
... and 19 more
Published: Dec 03, 2014
Tracked Since: Feb 18, 2026