CVE-2014-3552
https://notcve.org/view.php?id=CVE-2014-3552
The Shibboleth authentication plugin in auth/shibboleth/index.php in Moodle through 2.3.11, 2.4.x before 2.4.11, and 2.5.x before 2.5.7 does not check whether a session ID is empty, which allows remote authenticated users to hijack sessions via crafted plugin interaction. El plugin Shibboleth Authentication en auth/shibboleth/index.php en Moodle hasta 2.3.11, 2.4.x anterior a 2.4.11 y 2.5.x anterior a 2.5.7 no comprueba si un ID de sesión está vacío, lo que permite a usuarios remotos autenticados secuestrar sesiones a través de interacciones manipuladas de plugins. • http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_25_STABLE&st=commit&s=MDL-45485 http://openwall.com/lists/oss-security/2014/07/21/1 https://moodle.org/mod/forum/discuss.php?d=264261 • CWE-287: Improper Authentication •
CVE-2014-3546
https://notcve.org/view.php?id=CVE-2014-3546
Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce certain capability requirements in (1) notes/index.php and (2) user/edit.php, which allows remote attackers to obtain potentially sensitive username and course information via a modified URL. Moodle hasta 2.3.11, 2.4.x anterior a 2.4.11, 2.5.x anterior a 2.5.7, 2.6.x anterior a 2.6.4 y 2.7.x anterior a 2.7.1 no fuerza ciertos requisitos de capacidad en (1) notes/index.php y (2) user/edit.php, lo que permite a atacantes remotos obtener información potencialmente sensible de nombres de usuarios y cursos a través de una URL modificado. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45760 http://openwall.com/lists/oss-security/2014/07/21/1 https://moodle.org/mod/forum/discuss.php?d=264267 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2014-3545
https://notcve.org/view.php?id=CVE-2014-3545
Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to execute arbitrary code via a calculated question in a quiz. Moodle hasta 2.3.11, 2.4.x anterior a 2.4.11, 2.5.x anterior a 2.5.7, 2.6.x anterior a 2.6.4 y 2.7.x anterior a 2.7.1 permite a usuarios remotos autenticados ejecutar código arbitrario a través de una pregunta calculada en un cuestionario. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46148 http://openwall.com/lists/oss-security/2014/07/21/1 https://moodle.org/mod/forum/discuss.php?d=264266 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2014-3544 – Moodle 2.7 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-3544
Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field. Vulnerabilidad de XSS en user/profile.php en Moodle hasta 2.3.11, 2.4.x anterior a 2.4.11, 2.5.x anterior a 2.5.7, 2.6.x anterior a 2.6.4 y 2.7.x anterior a 2.7.1 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través del campo del perfil de ID de Skype. Moodle version 2.7 suffers from a persistent cross site scripting vulnerability. • https://www.exploit-db.com/exploits/34169 http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45683 http://openwall.com/lists/oss-security/2014/07/21/1 http://osandamalith.wordpress.com/2014/07/25/moodle-2-7-persistent-xss http://osvdb.org/show/osvdb/109337 http://packetstormsecurity.com/files/127624/Moodle-2.7-Cross-Site-Scripting.html http://www.exploit-db.com/exploits/34169 http://www.securityfocus.com/bid/68756 https://github.com/moodle • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-0218
https://notcve.org/view.php?id=CVE-2014-0218
Cross-site scripting (XSS) vulnerability in the URL downloader repository in repository/url/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en el repositorio de URL de descarga en repository/url/lib.php en Moodle hasta 2.3.11, 2.4.x hasta 2.4.10, 2.5.x anterior a 2.5.6 y 2.6.x anterior a 2.6.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45332 http://openwall.com/lists/oss-security/2014/05/19/1 http://www.securityfocus.com/bid/67479 https://moodle.org/mod/forum/discuss.php?d=260366 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •