CVE-2017-9071: MODX Revolution XSS via HTTP Host header

May 17, 2022 (updated April 22, 2025)

In MODX Revolution before 2.5.7, an attacker might be able to trigger XSS by injecting a payload into the HTTP Host header of a request. This is exploitable only in conjunction with other issues such as Cache Poisoning.

References

citadelo.com/en/2017/04/modx-revolution-cms
github.com/advisories/GHSA-p2j4-vrgx-96qg
github.com/modxcms/revolution
github.com/modxcms/revolution/pull/13426
nvd.nist.gov/vuln/detail/CVE-2017-9071

Code Behaviors & Features

Detect and mitigate CVE-2017-9071 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →