CVE-2025-28010
Description
A cross-site scripting (XSS) vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated users can upload malicious SVG profile images in MODX prior to 3.1.0, leading to stored XSS when other users view the profile.
Vulnerability
Overview
A stored cross-site scripting (XSS) vulnerability exists in MODX CMS versions prior to 3.1.0. The root cause is insufficient sanitization of SVG files uploaded as profile images. SVG files can contain embedded JavaScript, and the application does not validate or filter the content before storing and serving them [1][2].
Exploitation
An authenticated user can upload a specially crafted SVG file containing malicious JavaScript code as their profile image. When other users view the attacker's profile or any page that displays the profile image, the embedded script executes in their browser. No additional privileges are required beyond a valid user account [2].
Impact
Successful exploitation allows arbitrary JavaScript execution in the context of the victim's session. This can lead to theft of session tokens, sensitive data exposure, and unauthorized actions performed on behalf of the victim. The initial script execution can also serve as a foothold for more severe follow-on attacks [1][2].
Mitigation
The vulnerability is fixed in MODX version 3.1.0 and later. Users are advised to upgrade to the latest version. No workaround is documented, but administrators should restrict SVG uploads or implement additional content security policies until an upgrade can be applied [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
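As an added illustration of the mitigation above (this is not MODX's own code), the hypothetical helper below parses an uploaded SVG and reports the constructs that make it active content: script and foreignObject elements, on* event-handler attributes, and javascript:/data: URLs in href or SMIL animation attributes. The two avatar fixtures are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Elements that can run script or embed HTML inside an SVG.
FORBIDDEN_ELEMENTS = {"script", "foreignobject"}
# Attributes that carry a URL, or that SMIL animation can write a URL into.
URL_ATTRIBUTES = {"href", "from", "to", "values"}
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")

def _local_name(qualified: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1].lower()

def _normalize_url(value: str) -> str:
    """Drop whitespace/control characters that browsers ignore before a scheme."""
    return re.sub(r"[\s\x00-\x1f]", "", value).lower()

def find_active_content(svg_bytes: bytes) -> list:
    """Return reasons to reject an uploaded SVG; an empty list means it looks inert."""
    # Refuse DTDs before parsing rather than letting the parser expand entities.
    if re.search(rb"<!(DOCTYPE|ENTITY)", svg_bytes, re.IGNORECASE):
        return ["DOCTYPE/ENTITY declaration present"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if _local_name(root.tag) != "svg":
        findings.append(f"root element is <{_local_name(root.tag)}>, not <svg>")
    for elem in root.iter():
        if not isinstance(elem.tag, str):  # skip comments / processing instructions
            continue
        name = _local_name(elem.tag)
        if name in FORBIDDEN_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            if attr_name.startswith("on"):
                findings.append(f"event handler attribute '{attr_name}' on <{name}>")
            elif attr_name in URL_ATTRIBUTES:
                for part in _normalize_url(value).split(";"):  # 'values' is ;-separated
                    if part.startswith(DANGEROUS_SCHEMES):
                        findings.append(f"{attr_name} uses scheme '{part.split(':')[0]}' on <{name}>")
    return findings

# Constructed fixtures (not from the advisory): a plain avatar and one carrying active content.
BENIGN_AVATAR = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
ACTIVE_AVATAR = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="void 0">'
                 b'<script>/* constructed marker, no payload */</script>'
                 b'<a href=" JavaScript:void(0)"><text>me</text></a></svg>')
```

Calling find_active_content(ACTIVE_AVATAR) yields three findings (the onload handler, the script element and the javascript: href) while the benign avatar yields none; an upload handler should reject on any non-empty result and, independently, serve stored avatars with Content-Disposition: attachment or a CSP sandbox so that a missed case cannot execute in the site's origin.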
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| modx/revolution (Packagist) | <= 3.1.0 | — |
Affected products
MODX/MODX
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.