
IPA/ISEC:Vulnerabilities:Security Alert for Vulnerability in MODx Evolution

Published: Jan 26, 2011

Information-technology Promotion Agency, Japan (IPA, Chairman Kazumasa Fujie) issued a security alert on January 26, 2011, concerning a security vulnerability in MODx Evolution.
This vulnerability allows an attacker to manipulate the database. To fix it, update the software to the fixed version provided by the product developer.

1.Overview

MODx Evolution is content management system (CMS) software developed by the MODx CMS Project and used to build websites. MODx Evolution is vulnerable to SQL injection because of a flaw in its database query processing. If exploited, the vulnerability could allow an attacker to manipulate the database.
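The alert does not publish the affected query, so the following is a generic illustration of the CWE-89 pattern it describes, added here as an example and not taken from MODx Evolution or from IPA. It assumes a hypothetical `site_content` table in an in-memory SQLite database with constructed sample rows, and shows a lookup that splices user input into the SQL string beside the same lookup with the value bound as a parameter. The constructed payload makes the vulnerable lookup return rows the `published = 1` filter was meant to hide, while the parameterized lookup treats the same input as an ordinary value.

```python
import sqlite3

# Constructed sample content rows (assumption: a CMS document table with a
# "published" flag; the real schema is not on the page).
SAMPLE_DOCS = [
    (1, "Home", 1),
    (2, "About", 1),
    (3, "Draft: unpublished pricing", 0),
]

# Constructed injection input; the actual MODx Evolution flaw is not published.
# The quote closes the string literal, the tautology widens the WHERE clause,
# and the "--" comments out the rest of the query, including the published filter.
PAYLOAD = "1' OR 1=1 --"


def make_db():
    """Create a throwaway in-memory database populated with SAMPLE_DOCS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE site_content "
        "(id INTEGER PRIMARY KEY, pagetitle TEXT, published INTEGER)"
    )
    conn.executemany("INSERT INTO site_content VALUES (?, ?, ?)", SAMPLE_DOCS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, doc_id):
    """CWE-89: the request parameter is concatenated into the SQL text, so the
    caller can rewrite the statement's structure, not just its values."""
    sql = (
        "SELECT id, pagetitle FROM site_content "
        "WHERE id = '" + doc_id + "' AND published = 1"
    )
    # Sort in Python: an injected "--" would swallow any ORDER BY we appended.
    return sorted(conn.execute(sql).fetchall())


def lookup_fixed(conn, doc_id):
    """Hardened form: the value is bound as a parameter, so the database
    compiles the fixed statement and the input can never become SQL syntax."""
    sql = "SELECT id, pagetitle FROM site_content WHERE id = ? AND published = 1"
    return sorted(conn.execute(sql, (doc_id,)).fetchall())


def demo():
    """Run both lookups against a normal id and against PAYLOAD."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "1"),
        "vulnerable_payload": lookup_vulnerable(conn, PAYLOAD),
        "fixed_normal": lookup_fixed(conn, "1"),
        "fixed_payload": lookup_fixed(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The hardened lookup is the fix a vendor applies for this class of bug: once every user-controlled value reaches the database through a bound parameter, escaping mistakes and quote-balancing tricks stop mattering, because the query text no longer depends on the input at all.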

Get the fixed version from one of the following URLs and update the software:
http://modxcms.com/download/
http://modx.jp/download/download_evo.html (Japanese)

For the latest information, refer to the following URL:
http://jvndb.jvn.jp/jvndb/JVNDB-2011-000008

The vulnerability was reported to IPA under the Information Security Early Warning Partnership and was published on January 26, 2011, after JPCERT Coordination Center (JPCERT/CC) coordinated the disclosure with the product developer.

2.Impact

An attacker could manipulate the MODx Evolution database.


3.Solution

To fix this vulnerability, update the software to the fixed version provided by the product developer.

4.CVSS Severity

(1) Evaluation Result

Severity Rating (CVSS base score):
□ Low    (0.0 - 3.9)
□ Medium (4.0 - 6.9)
■ High   (7.0 - 10.0)

CVSS base score: 7.5

(2) Base Score Metrics

AV: Access Vector          □ Local     □ Adjacent Network   ■ Network
AC: Access Complexity      □ High      □ Medium             ■ Low
Au: Authentication         □ Multiple  □ Single             ■ None
C:  Confidentiality Impact □ None      ■ Partial            □ Complete
I:  Integrity Impact       □ None      ■ Partial            □ Complete
A:  Availability Impact    □ None      ■ Partial            □ Complete

■: Selected Values (CVSS v2 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

5.CWE Type

This vulnerability is classified under CWE as "SQL Injection (CWE-89)".

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: