VYPR
Moderate severity · OSV Advisory · Published Feb 6, 2019 · Updated Aug 5, 2024

CVE-2018-20755

Description

MODX Revolution through v2.7.0-pl allows XSS via the User Photo field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MODX Revolution through v2.7.0-pl is vulnerable to stored XSS via the User Photo field, allowing arbitrary script execution.

Vulnerability

MODX Revolution through v2.7.0-pl is vulnerable to stored cross-site scripting (XSS) in the User Photo field. The application fails to sanitize user-supplied input in this field, allowing an attacker with user creation or editing privileges to inject arbitrary HTML or JavaScript. This affects all versions up to and including v2.7.0-pl [1][4].

Exploitation

An attacker with access to create or edit a user (e.g., via the "Create New User" page in the manager) can enter a malicious payload such as " onerror="alert(1) into the User Photo field. This input is stored in the database without sanitization. When the user profile or user list is subsequently viewed, the payload executes in the context of the administrator's session [4].

Impact

Successful exploitation leads to stored XSS, enabling the attacker to execute arbitrary JavaScript in the browser of any user viewing the affected user record. This can result in session hijacking, defacement, data theft, or other malicious actions performed with the victim's privileges [1][4].

Mitigation

The vulnerability was addressed in pull request #14335, which fixes multiple XSS issues in the manager [3]. It is recommended to upgrade to a patched version released after v2.7.0-pl [1]. No official workaround is documented, but restricting access to user management can reduce risk [3].
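The following is an added illustration, not MODX's own code, of the two ways a phpthumb URL can be built from the user-controlled photo value described above: raw string interpolation (the pre-fix shape) versus http_build_query (the shape of the fix), plus a small attribute-safety check a defender can run on the result. The function names, the example.invalid base URL and the hostile sample value are constructed for this example.

```php
<?php
// Added example (not MODX code): shows why interpolating Profile->photo into
// the phpthumb URL is dangerous and what http_build_query changes.

// Pre-fix shape: the photo value is dropped into the query string verbatim.
function buildThumbUrlVulnerable(string $base, string $path, int $w = 128, int $h = 128): string {
    return $base . "system/phpthumb.php?zc=1&h={$h}&w={$w}&src={$path}";
}

// Post-fix shape: every value is percent-encoded, so quotes, spaces and '&'
// in the photo value cannot terminate the attribute or inject parameters.
function buildThumbUrlFixed(string $base, string $path, int $w = 128, int $h = 128): string {
    return $base . "system/phpthumb.php?"
        . http_build_query(array("zc" => 1, "h" => $h, "w" => $w, "src" => $path));
}

// Defender check: a URL headed for an HTML src attribute must carry no raw
// quotes, angle brackets or whitespace.
function urlIsAttributeSafe(string $url): bool {
    return preg_match('/["\'<>\s]/', $url) === 0;
}

// Even an encoded URL should still be HTML-escaped at the point it is echoed.
function renderImgTag(string $url): string {
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed sample input: a photo value containing a double quote (attribute
// break-out) and an ampersand (parameter injection).
$base  = 'https://example.invalid/connectors/';   // placeholder for connectors_url
$photo = 'avatar.jpg" data-x="&w=1';              // constructed hostile value

$vuln  = buildThumbUrlVulnerable($base, $photo);
$fixed = buildThumbUrlFixed($base, $photo);

printf("vulnerable: %s\n  attribute-safe: %s\n", $vuln, urlIsAttributeSafe($vuln) ? 'yes' : 'no');
printf("fixed:      %s\n  attribute-safe: %s\n", $fixed, urlIsAttributeSafe($fixed) ? 'yes' : 'no');
echo renderImgTag($fixed), "\n";
```

In the vulnerable form the quote and the trailing `&w=1` survive into the URL, which is exactly what lets a stored photo value break out of the src attribute; in the fixed form they arrive as `%22` and `%26w%3D1`.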

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Affected versions   Patched versions
modx/revolution (Packagist)    < 2.7.1-pl          2.7.1-pl


Patches

Commit a12920f1698d in https://github.com/modxcms/revolution: "Fix #14102" (Agel_Nash, Feb 6, 2019, via GHSA)
1 file changed, +1 -1:
  • core/model/modx/moduser.class.php (modified, +1 -1)
    @@ -907,7 +907,7 @@ public function getProfilePhoto($width = 128, $height = 128) {
             $path = $source->prepareSrcForThumb($this->Profile->photo);
     
             return $this->xpdo->getOption('connectors_url', null, MODX_CONNECTORS_URL)
    -            . "system/phpthumb.php?zc=1&h={$height}&w={$width}&src={$path}";
    +            . "system/phpthumb.php?" . http_build_query(array("zc" => 1, "h" => $height, "w" => $width, "src" => $path));
         }
     
         /**
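Review bot: the `+` line correctly switches the user-controlled `$path` (and `$height`/`$width`) from raw interpolation to http_build_query, so a quote, space or `&` in Profile->photo is now percent-encoded instead of terminating the query string or injecting extra phpthumb parameters; however, the returned string still contains literal `&` separators and is not HTML-escaped, so any caller that echoes getProfilePhoto() into a `src` attribute must still apply htmlspecialchars at the output point. A short comment on this line noting that the encoding is a deliberate XSS fix (Fix #14102) would stop a future refactor from reverting it to string interpolation.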
    
