CVSS: 4.9EPSS: 0%CPEs: 35EXPL: 0CVE-2014-3553
https://notcve.org/view.php?id=CVE-2014-3553
mod/forum/classes/post_form.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce the moodle/site:accessallgroups capability requirement before proceeding with a post to all groups, which allows remote authenticated users to bypass intended access restrictions by leveraging two or more group memberships. mod/forum/classes/post_form.php en Moodle hasta 2.3.11, 2.4.x anterior a 2.4.11, 2.5.x anterior a 2.5.7, 2.6.x anterior a 2.6.4 y 2.7.x anterior a 2.7.1 no fuerza el requisito de capacidad moodle/site:accessallgroups antes de seguir con una publicación a todos los grupos, lo que permite a usuarios remotos autenticados evadir las restricciones de acceso mediante el aprovechamiento de dos o más pertenencias a grupos. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38990 http://openwall.com/lists/oss-security/2014/07/21/1 https://moodle.org/mod/forum/discuss.php?d=264268 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.0EPSS: 0%CPEs: 30EXPL: 0CVE-2014-3552
https://notcve.org/view.php?id=CVE-2014-3552
The Shibboleth authentication plugin in auth/shibboleth/index.php in Moodle through 2.3.11, 2.4.x before 2.4.11, and 2.5.x before 2.5.7 does not check whether a session ID is empty, which allows remote authenticated users to hijack sessions via crafted plugin interaction. El plugin Shibboleth Authentication en auth/shibboleth/index.php en Moodle hasta 2.3.11, 2.4.x anterior a 2.4.11 y 2.5.x anterior a 2.5.7 no comprueba si un ID de sesión está vacío, lo que permite a usuarios remotos autenticados secuestrar sesiones a través de interacciones manipuladas de plugins. • http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_25_STABLE&st=commit&s=MDL-45485 http://openwall.com/lists/oss-security/2014/07/21/1 https://moodle.org/mod/forum/discuss.php?d=264261 • CWE-287: Improper Authentication •
CVSS: 5.0EPSS: 0%CPEs: 35EXPL: 0CVE-2014-3546
https://notcve.org/view.php?id=CVE-2014-3546
Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce certain capability requirements in (1) notes/index.php and (2) user/edit.php, which allows remote attackers to obtain potentially sensitive username and course information via a modified URL. Moodle hasta 2.3.11, 2.4.x anterior a 2.4.11, 2.5.x anterior a 2.5.7, 2.6.x anterior a 2.6.4 y 2.7.x anterior a 2.7.1 no fuerza ciertos requisitos de capacidad en (1) notes/index.php y (2) user/edit.php, lo que permite a atacantes remotos obtener información potencialmente sensible de nombres de usuarios y cursos a través de una URL modificado. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45760 http://openwall.com/lists/oss-security/2014/07/21/1 https://moodle.org/mod/forum/discuss.php?d=264267 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.0EPSS: 0%CPEs: 35EXPL: 0CVE-2014-3545
https://notcve.org/view.php?id=CVE-2014-3545
Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to execute arbitrary code via a calculated question in a quiz. Moodle hasta 2.3.11, 2.4.x anterior a 2.4.11, 2.5.x anterior a 2.5.7, 2.6.x anterior a 2.6.4 y 2.7.x anterior a 2.7.1 permite a usuarios remotos autenticados ejecutar código arbitrario a través de una pregunta calculada en un cuestionario. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46148 http://openwall.com/lists/oss-security/2014/07/21/1 https://moodle.org/mod/forum/discuss.php?d=264266 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 3.5EPSS: 0%CPEs: 35EXPL: 1CVE-2014-3551
https://notcve.org/view.php?id=CVE-2014-3551
Multiple cross-site scripting (XSS) vulnerabilities in the advanced-grading implementation in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) qualification or (2) rating field in a rubric. Múltiples vulnerabilidades de XSS en la implementación advanced-grading en Moodle hasta 2.3.11, 2.4.x anterior a 2.4.11, 2.5.x anterior a 2.5.7, 2.6.x anterior a 2.6.4 y 2.7.x anterior a 2.7.1 permiten a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de un (1) campo qualification manipulado o (2) campo rating manipulado en un epígrafe. • https://github.com/JavaGarcia/CVE-2014-3551 http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46223 http://openwall.com/lists/oss-security/2014/07/21/1 http://www.securityfocus.com/bid/68763 https://moodle.org/mod/forum/discuss.php?d=264273 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •