CVE-2020-25911

9.1 CRITICAL

📋 TL;DR

This XXE vulnerability in MODX CMS 2.7.3 allows attackers to read arbitrary files from the server or cause denial of service by sending specially crafted XML requests to the modRestServiceRequest component. It affects all MODX CMS installations running version 2.7.3 with the vulnerable component enabled. Attackers can exploit this without authentication if the REST service is publicly accessible.

💻 Affected Systems

Products:
  • MODX CMS
Versions: 2.7.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the modRestServiceRequest component to be enabled and accessible. Earlier versions may also be affected but 2.7.3 is confirmed vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise through sensitive file disclosure (e.g., /etc/passwd, configuration files, database credentials), leading to data theft and potential lateral movement within the network.

🟠 Likely Case

Information disclosure of sensitive server files and potential denial of service through resource exhaustion via entity expansion attacks.

🟢 If Mitigated

Minimal impact if XML external entity processing is disabled or proper input validation/filtering is implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept demonstrates file disclosure. Exploitation requires sending malicious XML to the REST endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.4 and later

Vendor Advisory: https://github.com/modxcms/revolution/issues/15237

Restart Required: No

Instructions:

1. Update MODX CMS to version 2.7.4 or later.
2. Apply the patch from the vendor advisory.
3. Verify the fix by testing XXE payloads against the REST endpoint.

🔧 Temporary Workarounds

Disable XML External Entity Processing

all

Configure the XML parser to disable external entity resolution

Call libxml_disable_entity_loader(true) in PHP code before any XML is parsed (it is a PHP function, not a php.ini setting, and is deprecated as of PHP 8.0)
Configure XML parser with FEATURE_SECURE_PROCESSING

Restrict REST Service Access

all

Limit access to modRestServiceRequest endpoints

Use .htaccess to restrict IP access
Implement authentication for REST endpoints

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with XXE protection rules
  • Disable the modRestServiceRequest component entirely if not needed

🔍 How to Verify

Check if Vulnerable:

Send a test XXE payload to the REST endpoint (e.g., POST with XML containing <!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><test>&xxe;</test>) and check if file contents are returned.

Check Version:

Check MODX version in manager dashboard or examine core/config/config.inc.php

Verify Fix Applied:

Attempt the same XXE payload after patching; it should return an error or empty response instead of file contents.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML requests to REST endpoints
  • Large XML payloads with DOCTYPE declarations
  • Requests for known sensitive files in XML parameters

Network Indicators:

  • XML requests containing SYSTEM entities
  • HTTP requests with unusual file paths in XML bodies

SIEM Query:

source="web_logs" AND (uri="*rest*" OR uri="*api*") AND (body="*<!DOCTYPE*" OR body="*<!ENTITY*")
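
The SIEM query above, expanded into an added Python example (not part of the original page or of MODX): it keeps the same URI scope, decodes percent-encoded bodies before matching, and separates external entity declarations from nested internal entities. The sample records, the /rest/items path and the threshold of three references are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Matches one <!ENTITY ...> declaration: group 1 is SYSTEM/PUBLIC for an
# external entity (empty for an internal one), group 2 the first quoted literal.
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s+)?[\w.\-]+\s+(?:(SYSTEM|PUBLIC)\s+)?(\"[^\"]*\"|'[^']*')",
    re.IGNORECASE)
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_REF_RE = re.compile(r"&[\w.\-]+;")
EXPANSION_REFS = 3  # assumed threshold: entity references inside one entity value


def inspect_request(uri, body):
    """Return sorted finding labels for one logged request."""
    # Same URI scope as the SIEM query above.
    if "rest" not in uri.lower() and "api" not in uri.lower():
        return []
    text = unquote(body)  # logged bodies are sometimes percent-encoded
    findings = set()
    if DOCTYPE_RE.search(text):
        findings.add("doctype")
    for kind, literal in ENTITY_RE.findall(text):
        if kind:
            findings.add("external-entity")
        elif len(ENTITY_REF_RE.findall(literal)) >= EXPANSION_REFS:
            findings.add("entity-expansion")
    return sorted(findings)


# Constructed sample log records (URIs and bodies are illustrative).
SAMPLE_LOG = [
    ("/rest/items", "<item><name>ok</name></item>"),
    ("/rest/items", '<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
                    "<test>&xxe;</test>"),
    ("/rest/items", "%3C%21DOCTYPE%20t%20%5B%3C%21ENTITY%20x%20SYSTEM%20"
                    "%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%5D%3E%3Ct%3E%26x%3B%3C%2Ft%3E"),
    ("/rest/items", '<!DOCTYPE t [<!ENTITY a "x"><!ENTITY b "&a;&a;&a;">]><t>&b;</t>'),
    ("/index.php", "<!DOCTYPE html><html></html>"),
]

if __name__ == "__main__":
    for uri, body in SAMPLE_LOG:
        print(uri, inspect_request(uri, body))
```

A bare "doctype" finding on a REST request is worth reviewing but is the weakest signal; "external-entity" and "entity-expansion" correspond to the file disclosure and resource exhaustion cases described under Risk & Real-World Impact.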
