CVE-2020-25911
Description
An XML External Entity (XXE) vulnerability was discovered in the modRestServiceRequest component in MODX CMS 2.7.3 which can lead to an information disclosure or denial of service (DOS).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XML External Entity (XXE) vulnerability in MODX CMS 2.7.3 modRestServiceRequest component allows information disclosure or denial of service.
Vulnerability
An XML External Entity (XXE) vulnerability exists in the modRestServiceRequest component of MODX CMS 2.7.3. The component processes incoming XML requests without disabling external entity loading, allowing an attacker to exploit the XML parser's default behavior of resolving external entities [1][3].
Exploitation
An attacker can send a crafted HTTP request to the modRestServiceRequest endpoint with a malicious XML payload containing external entity references. No authentication is required. The attack can be performed by including an external entity DTD that points to a local file or to a resource that causes excessive CPU/memory consumption [1].
Impact
Successful exploitation leads to information disclosure by reading arbitrary files from the server (e.g., configuration files with credentials) or denial of service through resource exhaustion or infinite entity expansion [1].
Mitigation
The vulnerability is fixed by a commit in pull request #15238 [4]. The fix introduces a configuration option xmlDisableEntityLoader and calls libxml_disable_entity_loader() when loading XML in _collectRequestParameters(). Users should upgrade to a version of MODX Revolution that includes this commit (later than 2.7.3). If upgrading is not possible, a workaround is to ensure that the modRestServiceRequest endpoint is not exposed to untrusted sources [4].
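The following is an added illustration of the mitigation described above, not MODX's own code: a hardened XML request-body loader that applies the same libxml_disable_entity_loader() control and additionally rejects any DOCTYPE, since a REST payload has no legitimate need for one. The function name and sample inputs are assumptions; it assumes PHP 7.2 or later with the libxml and SimpleXML extensions.

```php
<?php
// Added example (not MODX's own code). Hypothetical hardened loader for an XML
// request body, mirroring the fix's use of libxml_disable_entity_loader().
// Assumes PHP >= 7.2 with ext-libxml and ext-simplexml.

function parseRestRequestBody(string $xml): ?SimpleXMLElement
{
    // Reject documents carrying a DOCTYPE: that is where external entities
    // (information disclosure) and recursive entities (denial of service) are declared.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        return null;
    }

    // Before PHP 8.0 external entity loading is on by default; turn it off and
    // restore the previous setting afterwards. The call is deprecated and a no-op
    // from PHP 8.0, where the loader is already disabled unless explicitly enabled.
    $previousLoader = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
    $previousErrors = libxml_use_internal_errors(true); // collect errors instead of emitting warnings

    // LIBXML_NONET blocks network fetches during parsing; LIBXML_NOENT is deliberately
    // not passed, so entity references are never substituted with external content.
    $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);

    libxml_clear_errors();
    libxml_use_internal_errors($previousErrors);
    if ($previousLoader !== null) {
        libxml_disable_entity_loader($previousLoader);
    }
    return $doc === false ? null : $doc;
}

// Constructed sample inputs: a benign request body, and one that declares an
// external entity with a placeholder URI (the shape the check is meant to refuse).
$benign  = '<request><resource>items</resource></request>';
$hostile = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM "file:///PLACEHOLDER">]>'
         . '<request><resource>&x;</resource></request>';

echo 'benign parsed: ', var_export(parseRestRequestBody($benign) instanceof SimpleXMLElement, true), PHP_EOL;
echo 'hostile rejected: ', var_export(parseRestRequestBody($hostile) === null, true), PHP_EOL;
```

The DOCTYPE rejection is stricter than the fix described on this page, which only disables the entity loader; it also blocks internal-entity expansion attacks that the loader setting alone does not address.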
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| modx/revolution | Packagist | < 2.8.0 | 2.8.0 |
Affected products
- MODX / CMS (from description)
- osv-coords (2 versions): >= 2.7.3, <= 2.7.3, plus 1 more
- (no CPE) range: >= 2.7.3, <= 2.7.3
- (no CPE) range: < 2.8.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-vhfp-9wvj-gwvg (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-25911 (ghsa, ADVISORY)
- github.com/dahua966/Vul_disclose/blob/main/XXE_modxcms.md (ghsa, x_refsource_MISC, WEB)
- github.com/modxcms/revolution/issues/15237 (ghsa, x_refsource_MISC, WEB)
- github.com/modxcms/revolution/pull/15238 (ghsa, WEB)
- github.com/modxcms/revolution/pull/15238/commits/1b7ffe02df30f05dbf67dd15e4d8101687c1585a (ghsa, WEB)
News mentions
No linked articles in our index yet.