VYPR
Moderate severity · OSV Advisory · Published Feb 6, 2019 · Updated Aug 5, 2024

CVE-2018-20757

Description

MODX Revolution through v2.7.0-pl allows XSS via an extended user field such as Container name or Attribute name.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MODX Revolution through v2.7.0-pl allows stored XSS via extended user fields like Container name or Attribute name.

Vulnerability

MODX Revolution through v2.7.0-pl contains a stored cross-site scripting (XSS) vulnerability in extended user fields such as Container name or Attribute name [1]. The _parseCustomData method in /core/model/modx/mgr/controllers/system/manage.class.php does not HTML-escape the $key variable (the field name) before placing it in the text of a manager tree node, so arbitrary HTML stored in a field name is rendered as markup [4].

Exploitation

An attacker with the ability to set extended user fields (e.g., editing profile via the manager interface) can inject malicious JavaScript into the field. When an administrator or other user views the extended data in the manager tree, the injected script executes [1].
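As an added illustration (not MODX's own code), the following stand-in for the tree-node builder described above escapes both the field name and its value before either reaches a node's text, and also covers the truncation edge case; the function name and the 'UTF-8' default are assumptions:

```php
<?php
// Added illustration, not MODX's code: a minimal stand-in for the manager's
// extended-field tree builder, hardened the way the fix commit hardens it.
// Both the key (container / attribute name) and the value are user-controlled,
// so both are HTML-escaped before being placed in a node's 'text'.

/**
 * Turn nested extended-field data into tree nodes whose 'text' is safe to
 * render as HTML. $encoding is the site charset (MODX passes it in as
 * $encoding; 'UTF-8' here is an assumed default).
 */
function buildExtendedFieldNodes(array $remoteData, string $encoding = 'UTF-8'): array
{
    // ENT_SUBSTITUTE keeps htmlentities() from returning '' on an invalid byte
    // sequence, which a byte-based substr() truncation could otherwise produce.
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $nodes = [];
    foreach ($remoteData as $key => $value) {
        $safeKey = htmlentities((string) $key, $flags, $encoding);
        if (is_array($value)) {
            $nodes[] = [
                'text'     => $safeKey,                 // was: raw $key
                'leaf'     => false,
                'children' => buildExtendedFieldNodes($value, $encoding),
            ];
        } else {
            // Truncate for display on characters, not bytes, so multibyte text
            // is not cut mid-sequence before escaping (30 chars + '...').
            $shown = mb_strimwidth((string) $value, 0, 33, '...', $encoding);
            $nodes[] = [
                'text'  => $safeKey . ' - <i>' . htmlentities($shown, $flags, $encoding) . '</i>',
                'leaf'  => true,
                'value' => $value, // raw value kept for editing; must not be rendered as HTML client-side
            ];
        }
    }
    return $nodes;
}

// Constructed sample: an attribute name carrying markup, as a user could store it.
$sample = ['profile' => ['<i>nickname</i>' => 'Ada "Countess" Lovelace']];
$nodes = buildExtendedFieldNodes($sample);
$leaf = $nodes[0]['children'][0];
assert($leaf['text'] === '&lt;i&gt;nickname&lt;/i&gt; - <i>Ada &quot;Countess&quot; Lovelace</i>');
echo $leaf['text'], PHP_EOL;
```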

Impact

Successful exploitation leads to stored XSS, allowing attackers to execute arbitrary JavaScript in the context of the MODX manager. This can result in session theft, privilege escalation, or other malicious actions [1].

Mitigation

The vulnerability is fixed in commit 489b13c61673ea0b19124e18cf1f3e7673f8aa64 [4]. Users should upgrade to a version that includes this patch. As of the publication date, no official patched release is mentioned; users should apply the fix manually or wait for a version beyond v2.7.0-pl. No workaround is documented.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: modx/revolution (Packagist)
Affected versions: < 2.7.1-pl
Patched versions: 2.7.1-pl

Patches

489b13c61673

Fix #14104

https://github.com/modxcms/revolution · Agel_Nash · Feb 6, 2019 · via ghsa
1 file changed · +2 −2
  • manager/controllers/default/security/user/update.class.php (+2 −2, modified)
    @@ -133,7 +133,7 @@ private function _parseCustomData(array $remoteData = array(),$path = '') {
                 );
                 if (is_array($value)) {
                     $field['iconCls'] = 'icon-folder';
    -                $field['text'] = $key;
    +                $field['text'] = htmlentities($key,ENT_QUOTES,$encoding);
                     $field['leaf'] = false;
                     $field['children'] = $this->_parseCustomData($value,$key);
                 } else {
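Review bot: `$encoding` in the added `htmlentities($key,ENT_QUOTES,$encoding)` call is neither a parameter of `_parseCustomData` nor defined anywhere in the visible context (the pre-existing call in the second hunk already relies on it, so it presumably comes from earlier in the method); please confirm it is always set, because an empty encoding makes `htmlentities()` fall back to the `default_charset` ini value, which may not match the manager's charset. The recursive call `$this->_parseCustomData($value,$key)` still passes the raw `$key` as `$path`; if `$path` is ever emitted into node text or ids, it needs the same escaping. Also, the file this hunk touches, `manager/controllers/default/security/user/update.class.php`, is not the path named in the Vulnerability narrative above; one of the two should be corrected.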
    @@ -147,7 +147,7 @@ private function _parseCustomData(array $remoteData = array(),$path = '') {
                         $v = substr($v,0,30).'...';
                     }
                     $field['iconCls'] = 'icon-terminal';
    -                $field['text'] = $key.' - <i>'.htmlentities($v,ENT_QUOTES,$encoding).'</i>';
    +                $field['text'] = htmlentities($key,ENT_QUOTES,$encoding).' - <i>'.htmlentities($v,ENT_QUOTES,$encoding).'</i>';
                     $field['leaf'] = true;
                     $field['value'] = $value;
                 }
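Review bot: the truncation two lines above the changed line, `$v = substr($v,0,30).'...'`, cuts on bytes, so a multibyte value can be split mid-character before it reaches `htmlentities()`, and `htmlentities()` with only `ENT_QUOTES` returns an empty string for an invalid code unit sequence; the output is still safe, but the displayed text silently disappears. Consider `mb_substr()` or `mb_strimwidth()` with `$encoding`, or adding `ENT_SUBSTITUTE` to the flags, so both `$key` and `$v` survive escaping. `$field['value'] = $value` still carries the raw value to the client, which is fine only as long as the tree widget never renders `value` as HTML; that assumption deserves a sentence in the commit message, which currently says only `Fix #14104`.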
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
