O:9:"MagpieRSS":21:{s:6:"parser";i:0;s:12:"current_item";a:0:{}s:5:"items";a:2:{i:0;a:10:{s:5:"title";s:52:"Critical Login XSS+CSRF Revolution 2.2.1.4 and Prior";s:4:"link";s:104:"http://forums.modx.com/thread/92129/critical-login-xss-csrf-revolution-2-2-1-4-and-prior#dis-post-503208";s:11:"description";s:1633:"<strong>Product:</strong> MODX Revolution<br />
<strong>Severity:</strong> Critical<br />
<strong>Versions:</strong> 2.0.0–2.2.14<br />
<strong>Vulnerability type:</strong> CSRF &amp; XSS<br />
<strong>Report date:</strong> 2014-Jul-10<br />
<strong>Fixed date:</strong> 2014-Jul-15<br />
<br />
<strong>Description</strong> <br />
A significant vulnerability was discovered in the Manager login of MODX Revolution that also affects the use of the Login Extra. A malicious user could formulate a link that automatically logs the user into their own account, then redirects the user to a site the attacker controls immediately, exposing the user&#039;s CSRF token. This can be exploited with or without getting the user to enter their credentials in the form.<br />
<br />
<strong>Affected Releases</strong><br />
All MODX Revolution releases prior to and including 2.2.14.<br />
<br />
<strong>Solution</strong><br />
Upgrade to <a href="http://modx.com/download/release/revolution-2.2.15-pl" target="_blank" rel="nofollow">MODX Revolution 2.2.15</a>. Due to the nature of this issue and the number of files requiring changes the solution is to upgrade. No installable patch or fileset is available for prior versions.<br />
<br />
<strong>Acknowledgement</strong><br />
We would like to thank Narendra Bhati, of <a href="http://www.sumasoft.com" target="_blank" rel="nofollow">Suma Soft</a> for bringing this issue to our attention.<br />
<br />
<strong>Additional Information</strong><br />
For additional information, please use the <a href="http://modx.com/company/contact/" target="_blank" rel="nofollow">MODX Contact Form</a>";s:6:"author";s:0:"";s:8:"category";s:0:"";s:8:"comments";s:104:"http://forums.modx.com/thread/92129/critical-login-xss-csrf-revolution-2-2-1-4-and-prior#dis-post-503208";s:7:"pubdate";s:31:"Tue, 15 Jul 2014 01:29:03 -0500";s:4:"guid";s:104:"http://forums.modx.com/thread/92129/critical-login-xss-csrf-revolution-2-2-1-4-and-prior#dis-post-503208";s:7:"summary";s:1633:"<strong>Product:</strong> MODX Revolution<br />
<strong>Severity:</strong> Critical<br />
<strong>Versions:</strong> 2.0.0–2.2.14<br />
<strong>Vulnerability type:</strong> CSRF &amp; XSS<br />
<strong>Report date:</strong> 2014-Jul-10<br />
<strong>Fixed date:</strong> 2014-Jul-15<br />
<br />
<strong>Description</strong> <br />
A significant vulnerability was discovered in the Manager login of MODX Revolution that also affects the use of the Login Extra. A malicious user could formulate a link that automatically logs the user into their own account, then redirects the user to a site the attacker controls immediately, exposing the user&#039;s CSRF token. This can be exploited with or without getting the user to enter their credentials in the form.<br />
<br />
<strong>Affected Releases</strong><br />
All MODX Revolution releases prior to and including 2.2.14.<br />
<br />
<strong>Solution</strong><br />
Upgrade to <a href="http://modx.com/download/release/revolution-2.2.15-pl" target="_blank" rel="nofollow">MODX Revolution 2.2.15</a>. Due to the nature of this issue and the number of files requiring changes the solution is to upgrade. No installable patch or fileset is available for prior versions.<br />
<br />
<strong>Acknowledgement</strong><br />
We would like to thank Narendra Bhati, of <a href="http://www.sumasoft.com" target="_blank" rel="nofollow">Suma Soft</a> for bringing this issue to our attention.<br />
<br />
<strong>Additional Information</strong><br />
For additional information, please use the <a href="http://modx.com/company/contact/" target="_blank" rel="nofollow">MODX Contact Form</a>";s:14:"date_timestamp";i:1405405743;}i:1;a:10:{s:5:"title";s:33:"Revolution Security Announcements";s:4:"link";s:85:"http://forums.modx.com/thread/91864/revolution-security-announcements#dis-post-501935";s:11:"description";s:369:"This is the MODX Revolution Security board. This is the central location where announcements related to security issues and resolutions are posted. You can subscribe by <a href="http://forums.modx.com/board.xml?board=294" target="_blank" rel="nofollow">RSS</a> or to our <a href="http://eepurl.com/WIa5v" target="_blank" rel="nofollow">MODX Security Bulletin email</a>.";s:6:"author";s:0:"";s:8:"category";s:0:"";s:8:"comments";s:85:"http://forums.modx.com/thread/91864/revolution-security-announcements#dis-post-501935";s:7:"pubdate";s:31:"Tue, 01 Jul 2014 07:09:27 -0500";s:4:"guid";s:85:"http://forums.modx.com/thread/91864/revolution-security-announcements#dis-post-501935";s:7:"summary";s:369:"This is the MODX Revolution Security board. This is the central location where announcements related to security issues and resolutions are posted. You can subscribe by <a href="http://forums.modx.com/board.xml?board=294" target="_blank" rel="nofollow">RSS</a> or to our <a href="http://eepurl.com/WIa5v" target="_blank" rel="nofollow">MODX Security Bulletin email</a>.";s:14:"date_timestamp";i:1404216567;}}s:7:"channel";a:4:{s:5:"title";s:43:"Revolution Security - MODX Community Forums";s:4:"link";s:39:"http://forums.modx.com/board/?board=294";s:11:"description";s:34:"RSS Feed for MODX Community Forums";s:7:"tagline";s:34:"RSS Feed for MODX Community Forums";}s:9:"textinput";a:0:{}s:5:"image";a:0:{}s:9:"feed_type";s:3:"RSS";s:12:"feed_version";s:3:"2.0";s:8:"encoding";s:5:"UTF-8";s:16:"_source_encoding";s:0:"";s:5:"ERROR";s:0:"";s:7:"WARNING";s:0:"";s:19:"_CONTENT_CONSTRUCTS";a:6:{i:0;s:7:"content";i:1;s:7:"summary";i:2;s:4:"info";i:3;s:5:"title";i:4;s:7:"tagline";i:5;s:9:"copyright";}s:16:"_KNOWN_ENCODINGS";a:3:{i:0;s:5:"UTF-8";i:1;s:8:"US-ASCII";i:2;s:10:"ISO-8859-1";}s:5:"stack";a:0:{}s:9:"inchannel";b:0;s:6:"initem";b:0;s:9:"incontent";b:0;s:11:"intextinput";b:0;s:7:"inimage";b:0;s:17:"current_namespace";b:0;}