{"id": "CVE-2017-1000223", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 3.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 6.8, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2017-11-17T05:29:00.390", "references": [{"url": "https://raw.githubusercontent.com/modxcms/revolution/v2.5.7-pl/core/docs/changelog.txt", "tags": ["Release Notes", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://raw.githubusercontent.com/modxcms/revolution/v2.5.7-pl/core/docs/changelog.txt", "tags": ["Release Notes", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A stored web content injection vulnerability (WCI, a.k.a XSS) is present in MODX Revolution CMS version 2.5.6 and earlier. An authenticated user with permissions to edit users can save malicious JavaScript as a User Group name and potentially take control over victims' accounts. This can lead to an escalation of privileges providing complete administrative control over the CMS."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n de contenidos web (WCI) almacenada, tambi\u00e9n conocida como Cross-Site Scripting (XSS), est\u00e1 presente en MODX Revolution CMS en versiones 2.5.6 y anteriores. Un usuario autenticado con permisos para editar usuarios puede guardar c\u00f3digo JavaScript malicioso como un nombre de grupo de usuarios y podr\u00eda tomar el control de las cuentas de las v\u00edctimas. Esto puede conducir a un escalado de privilegios, concediendo el control administrativo completo sobre el sistema de gesti\u00f3n de contenidos."}], "lastModified": "2025-04-20T01:37:25.860", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:modx:modx_revolution:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0FF6AE40-778B-4441-8D9E-A5F7D059A9E3", "versionEndIncluding": "2.5.6"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}