CVE-2020-25911: 
PHP vulnerability analysis and mitigation

A XML External Entity (XXE) vulnerability (CVE-2020-25911) was discovered in the modRestServiceRequest component in MODX CMS 2.7.3. The vulnerability was disclosed on October 31, 2021, affecting MODX Revolution CMS version 2.7.3. This security flaw could potentially lead to information disclosure or denial of service (DOS) attacks (NVD, CVE).

The vulnerability exists in the core/model/modx/rest/modrestservice.class.php file, specifically in the collectRequestParameters function. When processing content with the text/xml content type, user input is parsed directly without proper sanitization using simplexmlloadstring(), leading to potential XXE attacks. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (CRITICAL) and a CVSS v2.0 base score of 6.4 (MEDIUM) (NVD, [Github Disclosure](https://github.com/dahua966/Vuldisclose/blob/main/XXE_modxcms.md)).

The exploitation of this vulnerability could result in unauthorized information disclosure or denial of service (DOS) attacks. Due to the nature of XXE vulnerabilities, attackers could potentially access sensitive system files or cause service disruption through resource exhaustion (NVD).

The vulnerability has been addressed in subsequent versions of MODX CMS. Users are advised to upgrade to a patched version of the software. The fix involves implementing proper XML parsing security controls (Github Issue).