Overview
- Project: Login Extra
- CVE ID: [To be assigned]
- Affected Versions: 1.5.2 through 1.9.13
- Fixed Version: 1.9.14
- Release Date: 2024-11-22
- Severity: Critical
- CVSS v4.0 Score: 9.4
- CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Vulnerability Details
Type
Remote Code Execution (RCE) via PHP Object Injection
Description
A critical vulnerability has been identified in the MODX Login Extra that allows arbitrary PHP code execution through PHP Object Injection. The vulnerability stems from unsafe deserialization of user-supplied data using PHP's unserialize() function without proper sanitization.
Attack Vector
An authenticated user, regardless of their permission level, can exploit this vulnerability by submitting specially crafted data through the Login form. The vulnerability can be triggered when:
- The system processes user input through the Login form
- The malicious payload is passed to the unsafe unserialize() function
- The resulting PHP object injection leads to arbitrary code execution
Affected Systems
The vulnerability affects MODX Revolution installations that meet ALL of the following criteria:
- Have the Login Extra installed (versions 1.5.2 to 1.9.13)
- Have a web-accessible login form using the Login Extra
- Allow user authentication
Note: Systems with Registration forms built on the Login Extra may be particularly exposed if user validation is not required, since any visitor can then obtain the authenticated account the attack requires.
Mitigation
Immediate Update Required: Upgrade the Login Extra to version 1.9.14 or later using the MODX Extras Installer in each of your MODX Revolution projects.
Technical Details
The vulnerability exists due to:
- Unsafe usage of PHP's unserialize() function
- Lack of input validation before deserialization
- Insufficient permission checking in the login process
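The following is an added illustration of the bug class named above, not code from the Login Extra or from MODX: a request value handed straight to unserialize() beside a hardened reader that refuses to reconstruct any object. Function and field names are hypothetical.

```php
<?php
// VULNERABLE PATTERN (hypothetical): request data reaches unserialize()
// unchanged, so any class on the include path with a magic method
// (__wakeup, __destruct, __toString, ...) can be instantiated with
// attacker-chosen properties. This is the pattern the advisory describes.
function restoreFormStateUnsafe(string $raw)
{
    return unserialize($raw);
}

// HARDENED: allowed_classes => false turns every object in the payload into
// __PHP_Incomplete_Class instead of a real instance; we then reject the whole
// payload if any object was present, so only scalars and arrays come back.
// For new code, prefer JSON (json_decode) over serialize()/unserialize()
// for anything that crosses a trust boundary.
function restoreFormStateSafe(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || containsObject($data)) {
        throw new InvalidArgumentException('form state must be a plain array');
    }
    return $data;
}

// Recursive check used by the hardened reader: true if any object
// (including __PHP_Incomplete_Class) appears anywhere in the structure.
function containsObject($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample inputs: a benign array is accepted, an object is refused.
$benign = serialize(['redirect' => 5, 'remember' => true]);
var_dump(restoreFormStateSafe($benign));
$objectPayload = serialize(new stdClass());
try {
    restoreFormStateSafe($objectPayload);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Grepping a code base for unserialize( calls that take request or cookie data and lack the allowed_classes option is the quickest way to find further instances of this pattern.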
Credits
- Discovery: Drew Webber
- Resolution: Thomas Jakobi and John Peca
- Coordination: MODX Security Team
Timeline
- Discovery Date: 2024-11-22
- Fix Development: 2024-11-22
- Public Disclosure: 2024-11-22
References
- MODX Security Team Contact: Security Team
- Fixed Version Download: Login 1.9.14
Revision History
- 2024-11-22: Initial advisory publication