High severity7.0NVD Advisory· Published May 18, 2017· Updated May 13, 2026

CVE-2017-9067

Description

In MODX Revolution before 2.5.7, when PHP 5.3.3 is used, an attacker is able to include and execute arbitrary files on the web server due to insufficient validation of the action parameter to setup/index.php, aka directory traversal.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
modx/revolutionPackagist	< 2.5.7	2.5.7

Affected products

Modx/Revolution
cpe:2.3:a:modx:modx_revolution:2.5.6:*:*:*:*:*:*:*
PHP/PHP
cpe:2.3:a:php:php:5.3.3:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

citadelo.com/en/2017/04/modx-revolution-cms/nvdExploitThird Party Advisory
github.com/advisories/GHSA-cgrv-6h2h-6f7vghsaADVISORY
github.com/modxcms/revolution/pull/13422nvdThird Party AdvisoryWEB
github.com/modxcms/revolution/pull/13428nvdThird Party AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2017-9067ghsaADVISORY
citadelo.com/en/2017/04/modx-revolution-cmsghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000