CVE-2017-9067: MODX Revolution Directory Traversal Vulnerability

May 17, 2022 (updated April 22, 2025)

In MODX Revolution before 2.5.7, when PHP 5.3.3 is used, an attacker is able to include and execute arbitrary files on the web server due to insufficient validation of the action parameter to setup/index.php, aka directory traversal.

References

citadelo.com/en/2017/04/modx-revolution-cms
github.com/advisories/GHSA-cgrv-6h2h-6f7v
github.com/modxcms/revolution
github.com/modxcms/revolution/pull/13422
github.com/modxcms/revolution/pull/13428
nvd.nist.gov/vuln/detail/CVE-2017-9067

Code Behaviors & Features

Detect and mitigate CVE-2017-9067 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →