CVE-2025-28010: XSS
First published: Thu Mar 13 2025(Updated: )
A cross-site scripting (XSS) vulnerability has been identified in MODX prior to 3.1.0. The vulnerability allows authenticated users to upload SVG files containing malicious JavaScript code as profile images, which gets executed in victims' browsers when viewing the profile image.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/modx/revolution | <=3.1.0 | |
| Modx Modx | <=3.1.0 | |
| Modx Modx | <3.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2025-28010?
CVE-2025-28010 has a medium severity rating due to its potential for cross-site scripting attacks.
How do I fix CVE-2025-28010?
To fix CVE-2025-28010, upgrade your MODX installation to version 3.1.0 or higher.
Who is affected by CVE-2025-28010?
CVE-2025-28010 affects all versions of MODX prior to 3.1.0.
What type of vulnerability is CVE-2025-28010?
CVE-2025-28010 is categorized as a cross-site scripting (XSS) vulnerability.
What can attackers do with CVE-2025-28010?
Attackers can exploit CVE-2025-28010 to execute malicious JavaScript in the browsers of users viewing an affected profile image.
- agent/first-publish-date
- agent/type
- agent/description
- agent/author
- agent/references
- agent/source
- agent/severity
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-hm54-fg2w-2g6j
- alias/CVE-2025-28010
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- collector/nvd-cve
- source/NVD
- agent/weakness
- agent/tags
- collector/github-advisory
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/last-modified-date
- agent/softwarecombine
- agent/event
- collector/nvd-api
- agent/software-canonical-lookup-request
- agent/guess-ai
- package-manager/composer
- vendor/modx
- canonical/modx modx
- version/modx modx/3.1.0