CVE-2018-20758
Description
MODX Revolution through v2.7.0-pl allows XSS via User Settings such as Description.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MODX Revolution through v2.7.0-pl has a stored XSS in User Settings via the Description field, allowing arbitrary script execution.
Vulnerability
MODX Revolution through version v2.7.0-pl contains a stored cross-site scripting (XSS) vulnerability in the User Settings feature [1]. The issue lies in the MODx.grid.SettingsGrid widget, specifically in the RowExpander template where the {description_trans} value was rendered without HTML encoding [4]. This allows an authenticated user with permission to edit User Settings to inject arbitrary JavaScript into the Description field [3].
Exploitation
An attacker must have an authenticated session and the ability to edit User Settings (typically a manager or administrator role) [3]. The attacker sets the Description field of a User Setting to a payload containing HTML or script markup. When any user (including other administrators) views the settings grid and expands a row to read the description, the browser interprets the stored markup and the payload executes in that user's session, because the value is inserted into the RowExpander template without encoding [1][4].
Impact
Successful exploitation results in stored XSS, compromising the confidentiality and integrity of the victim's browser session. The attacker can steal session cookies, perform administrative actions on behalf of the victim, deface the interface, or redirect to malicious sites [1]. The scope includes all users who view the affected User Settings grid, making it a significant security risk within the administration panel.
Mitigation
The fix was committed in commit c08fb7c7a1f5979ff1241a7b28ae0f7690756ad3 [4], which applied the :htmlEncode template filter to the description_trans variable in the RowExpander template [4]. Upgrading to 2.7.1-pl or later, which includes this commit, resolves the vulnerability. No workaround is documented; installing the patched version is the recommended course of action [1]. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication.
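The mechanics described in the Vulnerability and Mitigation sections, as an added illustration that is not MODX or Ext JS code: a minimal stand-in for Ext.Template's "{field}" / "{field:filter}" substitution renders the same constructed User Setting description through the template as it stood before the commit and as it stands after it. The `renderTemplate`, `filters.htmlEncode` and `findUnencodedPlaceholders` functions are assumptions written for this example; the real Ext.Template delegates `{x:htmlEncode}` to `Ext.util.Format.htmlEncode`, and the sample setting is constructed.

```javascript
// Added example: a tiny Ext.Template-like renderer, NOT the Ext JS implementation.
// Filters are looked up by the name after the colon, mirroring "{field:htmlEncode}".
const filters = {
  // Assumed stand-in for Ext.util.Format.htmlEncode: escapes the five HTML metacharacters.
  htmlEncode(value) {
    if (value === null || value === undefined) return '';
    return String(value)
      .replace(/&/g, '&amp;')
      .replace(/</g, '&lt;')
      .replace(/>/g, '&gt;')
      .replace(/"/g, '&quot;')
      .replace(/'/g, '&#39;');
  },
};

// Substitute "{field}" or "{field:filter}" placeholders from a data object.
function renderTemplate(tpl, data) {
  return tpl.replace(/\{(\w+)(?::(\w+))?\}/g, (match, field, filter) => {
    const raw = Object.prototype.hasOwnProperty.call(data, field) ? data[field] : '';
    if (!filter) return raw;            // no filter: value lands in the DOM as markup (the bug)
    const fn = filters[filter];
    if (!fn) throw new Error(`unknown template filter: ${filter}`);
    return fn(raw);
  });
}

// The RowExpander template before and after commit c08fb7c, quoted from the patch.
const VULNERABLE_TPL = '<p class="desc">{description_trans}</p>';
const PATCHED_TPL = '<p class="desc">{description_trans:htmlEncode}</p>';

// Constructed sample: a User Setting whose Description carries script markup.
const SAMPLE_SETTING = {
  key: 'example_setting',
  description_trans: 'Hello <script>alert(document.cookie)</script>',
};

function renderVulnerable(setting) { return renderTemplate(VULNERABLE_TPL, setting); }
function renderPatched(setting) { return renderTemplate(PATCHED_TPL, setting); }

// Crude sink check used by the assertions: is a live <script> tag still present?
function containsScriptTag(html) { return /<script\b/i.test(html); }

// Review helper: list placeholders in a template source that carry no filter at all.
// Useful when auditing other Ext.Template strings for the same class of bug.
function findUnencodedPlaceholders(tplSource) {
  const unencoded = [];
  for (const m of tplSource.matchAll(/\{(\w+)(?::(\w+))?\}/g)) {
    if (!m[2]) unencoded.push(m[1]);
  }
  return unencoded;
}

console.log('vulnerable:', renderVulnerable(SAMPLE_SETTING));
console.log('patched:   ', renderPatched(SAMPLE_SETTING));
console.log('unfiltered placeholders in old template:', findUnencodedPlaceholders(VULNERABLE_TPL));
```

Running the block prints the raw template output with an intact script element and the patched output with the angle brackets entity-encoded; the `findUnencodedPlaceholders` helper reports `description_trans` for the old template and nothing for the new one, which is the same check a reviewer would apply to any other Ext.Template in the widget.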
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| modx/revolution (Packagist) | < 2.7.1-pl | 2.7.1-pl |
Affected products
- Range: v2.0.1-pl, v2.0.3-pl, v2.0.4-pl, …
Patches
1 file changed · +2 −2
manager/assets/modext/widgets/core/modx.grid.settings.js+2 −2 modified@@ -2,7 +2,7 @@ MODx.grid.SettingsGrid = function(config) { config = config || {}; this.exp = new Ext.grid.RowExpander({ tpl : new Ext.Template( - '<p class="desc">{description_trans}</p>' + '<p class="desc">{description_trans:htmlEncode}</p>' ) }); @@ -646,4 +646,4 @@ MODx.window.UpdateSetting = function(config) { MODx.window.UpdateSetting.superclass.constructor.call(this,config); }; Ext.extend(MODx.window.UpdateSetting,MODx.Window); -Ext.reg('modx-window-setting-update',MODx.window.UpdateSetting); \ No newline at end of file +Ext.reg('modx-window-setting-update',MODx.window.UpdateSetting);
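Review bot: The `:htmlEncode` filter on `{description_trans}` in the RowExpander template closes the sink this CVE describes, but the diff only touches that one template; nothing here shows whether the same description is rendered elsewhere in this widget (for instance in `MODx.window.UpdateSetting`, which the second hunk touches only for whitespace), so a reviewer should confirm those paths encode the value as well or that it is encoded once at the source. A regression test that renders a description containing `<script>` through the expander and asserts on `&lt;script&gt;` in the output would pin the behaviour against future template edits.

Review bot: The second hunk, ending at `Ext.reg('modx-window-setting-update',MODx.window.UpdateSetting);`, only adds the missing trailing newline and has no functional effect; it is harmless here but would normally belong in a separate whitespace-only commit so that the security fix stays a one-line change.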
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-vwqw-wfhv-2xcq (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-20758 (GHSA, advisory)
- github.com/modxcms/revolution/commit/c08fb7c7a1f5979ff1241a7b28ae0f7690756ad3 (GHSA, web)
- github.com/modxcms/revolution/issues/14103 (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.