CVE-2016-10037 Information

Description

Directory traversal in /connectors/index.php in MODX Revolution before 2.5.2-pl allows remote attackers to perform local file inclusion/traversal/manipulation via a crafted id (aka dir) parameter related to browser/directory/getlist.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Reference

http://www.securityfocus.com/bid/95127 https://github.com/modxcms/revolution/pull/13177 https://raw.githubusercontent.com/modxcms/revolution/v2.5.2-pl/core/docs/changelog.txt

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

LOW

Base Severity

7.3