CVE-2020-25911 — XML External Entity vulnerability in MODX CMS

Description

A XML External Entity (XXE) vulnerability was discovered in the modRestServiceRequest component in MODX CMS 2.7.3 which can lead to an information disclosure or denial of service (DOS).

How to fix CVE-2020-25911

To remediate CVE-2020-25911, upgrade the affected package to a fixed version below.

Bitnami/modx—no fix listed
—upgrade to 2.8.0 or later

Is CVE-2020-25911 being exploited?

Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 2.7.3, <= 2.7.3
from 0, < 2.8.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-25911
PATCHgithub.com/modxcms/revolution
WEBgithub.com/dahua966/Vul_disclose/blob/main/XXE_modxcms.md
WEBgithub.com/modxcms/revolution/issues/15237
WEB