Page 24 of 142 results (0.003 seconds)

CVSS: 3.5EPSS: 0%CPEs: 29EXPL: 1

Multiple cross-site scripting (XSS) vulnerabilities in lib/javascript-static.js in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) alt or (2) title attribute in an IMG element. Múltiples vulnerabilidades de XSS en lib/javascript-static.js en Moodle hasta 2.5.9, 2.6.x anterior a 2.6.9, 2.7.x anterior a 2.7.6, y 2.8.x anterior a 2.8.4 permiten a usuarios remotos autenticados inyectar secuencias de comandos web arbitrarios o HTML a través de un atributo (1) alt o (2) title en un elemento IMG. Moodle suffers from persistent cross site scripting vulnerabilities. Input passed to the POST parameters 'config_title' and 'title' thru index.php, are not properly sanitized allowing the attacker to execute HTML or JS code into user's browser session on the affected site. Affected components: Blocks, Glossary, RSS and Tags. • https://www.exploit-db.com/exploits/36418 http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49144 http://openwall.com/lists/oss-security/2015/03/16/1 https://moodle.org/mod/forum/discuss.php?d=307383 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 2.1EPSS: 0%CPEs: 19EXPL: 0

webservice/upload.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not ensure that a file upload is for a private or draft area, which allows remote authenticated users to upload files containing JavaScript, and consequently conduct cross-site scripting (XSS) attacks, by specifying the profile-picture area. webservice/upload.php en Moodle 2.6.x anterior a 2.6.6 y 2.7.x anterior a 2.7.3 no asegura que una subida de ficheros es para una área privada o de borrador, lo que permite a usuarios remotos autenticados subir ficheros que contienen JavaScript, y como consecuencia realizar ataques de XSS, al especificar la área de la imagen de perfil. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47868 http://openwall.com/lists/oss-security/2014/11/17/11 http://www.securitytracker.com/id/1031215 https://moodle.org/mod/forum/discuss.php?d=275161 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.8EPSS: 0%CPEs: 19EXPL: 0

Multiple cross-site request forgery (CSRF) vulnerabilities in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for a (1) mod/lti/request_tool.php or (2) mod/lti/instructor_edit_tool_type.php request. Múltiples vulnerabilidades de CSRF en el módulo LTI en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.7.3 permiten a atacantes remotos secuestrar la autenticación de usuarios arbitrarios para una solicitud (1) mod/lti/request_tool.php o (2) mod/lti/instructor_edit_tool_type.php. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47924 http://openwall.com/lists/oss-security/2014/11/17/11 http://www.securitytracker.com/id/1031215 https://moodle.org/mod/forum/discuss.php?d=275162 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 4.0EPSS: 0%CPEs: 19EXPL: 0

mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remote authenticated users to access a forum via the forum_get_discussions web service. mod/forum/externallib.php en Moodle 2.6.x anterior a 2.6.6 y 2.7.x anterior a 2.7.3 no verifica permisos de grupos, lo que permite a usuarios remotos autenticados acceder a un foro a través del servicio web forum_get_discussions. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45303 http://openwall.com/lists/oss-security/2014/11/17/11 http://www.securitytracker.com/id/1031215 https://moodle.org/mod/forum/discuss.php?d=275159 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 4.0EPSS: 0%CPEs: 19EXPL: 0

lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service. lib/classes/grades_external.php en Moodle 2.7.x anterior a 2.7.3 no considera la funcionalidad moodle/grade:viewhidden antes de mostrar notas escondidas, lo que permite a usuarios remotos autenticados obtener información sensible mediante el aprovechamiento de la lista de estudiantes para acceder al servicio web get_grades. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47766 http://openwall.com/lists/oss-security/2014/11/17/11 http://www.securitytracker.com/id/1031215 https://moodle.org/mod/forum/discuss.php?d=275153 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •