CVSS: 6.1EPSS: 0%CPEs: 24EXPL: 0CVE-2015-5337
https://notcve.org/view.php?id=CVE-2015-5337
Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly restrict the availability of Flowplayer, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted .swf file. Moodle hasta la versión 2.6.11, 2.7.x en versiones anteriores a 2.7.11, 2.8.x en versiones anteriores a 2.8.9 y 2.9.x en versiones anteriores a 2.9.3 no restringe adecuadamente la disponibilidad de Flowplayer, lo que permite a atacantes remotos llevar a cabo ataques de secuencias de comandos en sitios cruzados (XSS) a través de un archivo .swf manipulado. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48085 https://moodle.org/mod/forum/discuss.php?d=323232 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 18EXPL: 0CVE-2016-0725
https://notcve.org/view.php?id=CVE-2016-0725
Cross-site scripting (XSS) vulnerability in the search_pagination function in course/classes/management_renderer.php in Moodle 2.8.x before 2.8.10, 2.9.x before 2.9.4, and 3.0.x before 3.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted search string. Vulnerabilidad de XSS en la función search_pagination en course/classes/management_renderer.php en Moodle 2.8.x en versiones anteriores a 2.8.10, 2.9.x en versiones anteriores a 2.9.4 y 3.0.x en versiones anteriores a 3.0.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una cadena de búsqueda manipulada. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52552 http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176502.html http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176436.html http://www.openwall.com/lists/oss-security/2016/01/18/1 http://www.securitytracker.com/id/1034694 https://moodle.org/mod/forum/discuss.php?d=326206 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 35EXPL: 0CVE-2015-3176
https://notcve.org/view.php?id=CVE-2015-3176
The account-confirmation feature in login/confirm.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote attackers to obtain sensitive full-name information by attempting to self-register. La característica de la confirmación de cuentas en login/confirm.php en Moodle hasta 2.5.9, 2.6.x anterior a 2.6.11, 2.7.x anterior a 2.7.8, y 2.8.x anterior a 2.8.6 permite a atacantes remotos obtener información sensible de nombres completos mediante el intento de autoregistrarse. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50099 http://openwall.com/lists/oss-security/2015/05/18/1 http://www.securityfocus.com/bid/74644 http://www.securitytracker.com/id/1032358 https://moodle.org/mod/forum/discuss.php?d=313683 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 3.5EPSS: 0%CPEs: 35EXPL: 0CVE-2015-3174
https://notcve.org/view.php?id=CVE-2015-3174
mod/quiz/db/access.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not set the RISK_XSS bit for graders, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted gradebook feedback during manual quiz grading. mod/quiz/db/access.php en Moodle hasta 2.5.9, 2.6.x anterior a 2.6.11, 2.7.x anterior a 2.7.8, y 2.8.x anterior a 2.8.6 no configura el bit RISK_XSS para graduadores, lo que permite a usuarios remotos autenticados realizar ataques de XSS a través de comentarios (feedback) manipulados del libro de notas durante la graduación manual de cuestionarios. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49941 http://openwall.com/lists/oss-security/2015/05/18/1 http://www.securityfocus.com/bid/74719 http://www.securitytracker.com/id/1032358 https://moodle.org/mod/forum/discuss.php?d=313681 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.8EPSS: 0%CPEs: 35EXPL: 0CVE-2015-3175
https://notcve.org/view.php?id=CVE-2015-3175
Multiple open redirect vulnerabilities in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an error page that links to a URL from an HTTP Referer header. Múltiples vulnerabilidades de la redirección abierta en Moodle hasta 2.5.9, 2.6.x anterior a 2.6.11, 2.7.x anterior a 2.7.8, y 2.8.x anterior a 2.8.6 permiten a atacantes remotos redirigir usuarios hacia sitios web arbitrarios y realizar ataques de phishing a través de vectores que involucran una página de error que vincula a una URL de una cabecera HTTP Referer. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49179 http://openwall.com/lists/oss-security/2015/05/18/1 http://www.securityfocus.com/bid/74720 http://www.securitytracker.com/id/1032358 https://moodle.org/mod/forum/discuss.php?d=313682 •