Page 23 of 142 results (0.013 seconds)

CVSS: 3.5EPSS: 0%CPEs: 35EXPL: 0

mod/quiz/db/access.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not set the RISK_XSS bit for graders, which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via crafted gradebook feedback during manual quiz grading. mod/quiz/db/access.php en Moodle hasta 2.5.9, 2.6.x anterior a 2.6.11, 2.7.x anterior a 2.7.8, y 2.8.x anterior a 2.8.6 no configura el bit RISK_XSS para graduadores, lo que permite a usuarios remotos autenticados realizar ataques de XSS a través de comentarios (feedback) manipulados del libro de notas durante la graduación manual de cuestionarios. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49941 http://openwall.com/lists/oss-security/2015/05/18/1 http://www.securityfocus.com/bid/74719 http://www.securitytracker.com/id/1032358 https://moodle.org/mod/forum/discuss.php?d=313681 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.0EPSS: 0%CPEs: 29EXPL: 0

mdeploy.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to bypass intended access restrictions and extract archives to arbitrary directories via a crafted dataroot value. mdeploy.php en Moodle hasta 2.5.9, 2.6.x anterior a 2.6.9, 2.7.x anterior a 2.7.6, y 2.8.x anterior a 2.8.4 permite a usuarios remotos autenticados evadir las restricciones de acceso y extraer archivos a directorios arbitrarios a través de un valor dataroot manipulado. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49087 http://openwall.com/lists/oss-security/2015/03/16/1 https://moodle.org/mod/forum/discuss.php?d=307381 • CWE-284: Improper Access Control •

CVSS: 6.8EPSS: 0%CPEs: 27EXPL: 0

Directory traversal vulnerability in the min_get_slash_argument function in lib/configonlylib.php in Moodle through 2.5.9, 2.6.x before 2.6.8, 2.7.x before 2.7.5, and 2.8.x before 2.8.3 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the file parameter, as demonstrated by reading PHP scripts. Vulnerabilidad de salto de directorio en la función min_get_slash_argument en lib/configonlylib.php en Moodle hasta 2.5.9, 2.6.x anterior a 2.6.8, 2.7.x anterior a 2.7.5, y 2.8.x anterior a 2.8.3 permite a usuarios remotos autenticados leer ficheros arbitrarios a través de un .. (punto punto) en el parámetro file, tal y como fue demostrado mediante la lectura de secuencias de comandos PHP. • http://git.moodle.org/gw?p=moodle.git%3Ba=commit%3Bh=af9a7937cc085f96bdbc4724cadec6eeae0242fc http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48980 http://openwall.com/lists/oss-security/2015/02/04/15 http://openwall.com/lists/oss-security/2015/02/09/2 https://moodle.org/mod/forum/discuss.php?d=279956 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 4.0EPSS: 0%CPEs: 35EXPL: 0

files/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 does not consider the moodle/user:manageownfiles capability before approving a private-file upload, which allows remote authenticated users to bypass intended file-management restrictions by using web services to perform uploads after this capability has been revoked. files/externallib.php en Moodle hasta 2.5.9, 2.6.x anterior a 2.6.11, 2.7.x anterior a 2.7.8, y 2.8.x anterior a 2.8.6 no considera la capacidad moodle/user:manageownfiles antes de aprobar una subida de ficheros privados, lo que permite a usuarios remotoa autenticados evadir las restricciones de la gestión de ficheros mediante el uso de servicios web para realizar subidas después de que esta capacidad haya sido revocada. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49994 http://openwall.com/lists/oss-security/2015/05/18/1 http://www.securityfocus.com/bid/74728 http://www.securitytracker.com/id/1032358 https://moodle.org/mod/forum/discuss.php?d=313688 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 3.5EPSS: 0%CPEs: 35EXPL: 0

login/confirm.php in Moodle through 2.5.9, 2.6.x before 2.6.11, 2.7.x before 2.7.8, and 2.8.x before 2.8.6 allows remote authenticated users to bypass intended login restrictions by leveraging access to an unconfirmed suspended account. login/confirm.php en Moodle hasta 2.5.9, 2.6.x anterior a 2.6.11, 2.7.x anterior a 2.7.8, y 2.8.x anterior a 2.8.6 permite a usuarios remotos autenticados evadir las restricciones de inicio de sesión mediante el aprovechamiento del acceso a una cuenta suspendida no confirmada. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50090 http://openwall.com/lists/oss-security/2015/05/18/1 http://www.securityfocus.com/bid/74725 http://www.securitytracker.com/id/1032358 https://moodle.org/mod/forum/discuss.php?d=313686 • CWE-264: Permissions, Privileges, and Access Controls •