CVE-2025-28010
Severity: MEDIUM 5.4 | EPSS: 0.19%
MODX allows cross-site scripting (XSS) via an SVG file
Published: 3/13/2025 | Modified: 3/19/2025
Also known as: GHSA-hm54-fg2w-2g6j
Description
A cross-site scripting (XSS) vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image.
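The description above boils down to one defender-side check: an SVG accepted as a profile image must not carry script-capable content. The example below is added to this advisory and is not MODX's own code, nor a claim about how MODX 3.1.0 fixed the issue. It is a conservative upload-time filter that rejects SVGs containing script elements, event-handler attributes, script-scheme hrefs, foreignObject and DTD declarations, plus the response headers that neuter script in an SVG that slips through. The sample SVG documents at the bottom are constructed for the demonstration.

```python
"""Defensive checks for user-uploaded SVG profile images (added example)."""
import re
import xml.etree.ElementTree as ET

# Elements that can execute or embed active content, or rewrite attributes
# (SMIL set/animate can change href values at runtime) inside an SVG document.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "set", "animate"}

# href values that would hand control to the browser's script engine or
# embed another document rather than point at an image resource.
JS_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)

# CSS constructs inside <style> that can pull in or trigger external content.
STYLE_RISK = re.compile(r"javascript:|expression\(|@import|url\(", re.IGNORECASE)


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return tag.rsplit("}", 1)[-1]


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing script-capable was seen.

    Rejecting any DOCTYPE up front also sidesteps entity-expansion tricks,
    which a profile image never needs.
    """
    findings: list[str] = []
    if b"<!DOCTYPE" in svg_bytes or b"<!ENTITY" in svg_bytes:
        return ["DTD/entity declaration present"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():  # includes the root element itself
        name = _local(elem.tag)
        if name in FORBIDDEN_TAGS:
            findings.append(f"forbidden element <{name}>")
        for attr, value in elem.attrib.items():
            a = _local(attr)
            if a.lower().startswith("on"):
                findings.append(f"event handler attribute {a} on <{name}>")
            elif a == "href" and JS_SCHEME.match(value):
                findings.append(f"non-image href scheme on <{name}>")
        if name == "style" and elem.text and STYLE_RISK.search(elem.text):
            findings.append("style element with url/import/script content")
    return findings


def safe_svg_response_headers() -> dict[str, str]:
    """Headers to serve user-supplied SVGs with, as defence in depth.

    The CSP sandbox blocks script execution when the file is opened directly;
    nosniff stops the browser from reinterpreting the bytes as HTML.
    (Hypothetical policy for this example, not a MODX setting.)
    """
    return {
        "Content-Type": "image/svg+xml",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample inputs for the demonstration.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<circle cx="5" cy="5" r="4"/></svg>'
)
ACTIVE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="0">'
    b'<script>/* placeholder */</script></svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, "->", find_active_content(doc) or "accepted")
```

Run the file directly to see the benign circle accepted and the second document rejected on both the `onload` handler and the `<script>` element. In practice the check belongs at upload time, before the file is stored; the headers belong on whatever route serves stored profile images, since the two controls cover different failure modes.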
Affected packages (1)
- Packagist: modx/revolution, from 0, <= 3.1.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P |
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |