Closed: modxbot closed this issue 11 years ago
smashingred created Redmine issue ID 10287
Per [SOJOBO-ADV-13-02]
Note: This issue requires the /setup directory to be intact and web accessible.
Follow a trace to reach the vulnerable code.
File: \setup\templates\findcore.php 80:
The variable '$_SERVER['PHP_SELF']' is considered a tainted input and can be manipulated in order to insert valid HTML code.
A test request is: /setup/templates/findcore.php/">
opengeek submitted:
Addressed for 2.3 in https://github.com/modxcms/revolution/commit/0fcf9cd97a2bcff20d4f4f66abd43350f9e33e42
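The report turns on how PHP builds `$_SERVER['PHP_SELF']`: anything the client appends after the script name is included in it. The following is an added example, not MODX code and not the fix from the commit above; it assumes the value is written into an HTML attribute, and the function names and the sample request are constructed for illustration.

```php
<?php
// Added example, not MODX code. Function names are hypothetical.

// Constructed request: /setup/templates/findcore.php/"><i>marker</i>
// PHP appends the trailing path info to PHP_SELF but not to SCRIPT_NAME.
$server = [
    'SCRIPT_NAME' => '/setup/templates/findcore.php',
    'PHP_SELF'    => '/setup/templates/findcore.php/"><i>marker</i>',
];

// Pattern described in the report: PHP_SELF written into markup unescaped,
// so the quote in the path closes the attribute and the rest becomes HTML.
function formActionUnsafe(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened, option 1: SCRIPT_NAME carries no client-supplied path info.
// It is still escaped, because output encoding should not depend on
// which server variable happens to be used.
function formActionFromScriptName(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Hardened, option 2: keep PHP_SELF but encode it for the attribute context.
function formActionEscaped(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Simple check a reviewer can run: does the rendered tag contain a raw
// quote-then-angle-bracket sequence that came from the request path?
function breaksOutOfAttribute(string $html): bool
{
    return strpos($html, '"><i>') !== false;
}

foreach (['formActionUnsafe', 'formActionFromScriptName', 'formActionEscaped'] as $fn) {
    $html = $fn($server);
    printf("%-26s breakout=%s\n  %s\n", $fn, breaksOutOfAttribute($html) ? 'yes' : 'no', $html);
}
```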