CVE-2014-7847
https://notcve.org/view.php?id=CVE-2014-7847
iplookup/index.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote attackers to cause a denial of service (resource consumption) by triggering the calculation of an estimated latitude and longitude for an IP address. iplookup/index.php en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.7.3 permite a atacantes remotos causar una denegación de servicio (consumo de recursos) mediante la provocación del cálculo de una latitud y longitud estimadas para una dirección IP. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47321 http://openwall.com/lists/oss-security/2014/11/17/11 http://www.securitytracker.com/id/1031215 https://moodle.org/mod/forum/discuss.php?d=275158 • CWE-399: Resource Management Errors •
CVE-2014-7848
https://notcve.org/view.php?id=CVE-2014-7848
lib/phpunit/bootstrap.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message. lib/phpunit/bootstrap.php en Moodle 2.6.x anterior a 2.6.6 y 2.7.x anterior a 2.7.3 permite a atacantes remotos obtener información sensible a través de una solicitud directa, lo que revela la ruta completa en un mensaje de error. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47287 http://openwall.com/lists/oss-security/2014/11/17/11 http://www.securitytracker.com/id/1031215 https://moodle.org/mod/forum/discuss.php?d=275160 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2014-9060
https://notcve.org/view.php?id=CVE-2014-9060
The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not properly restrict the parameters used in a return URL, which allows remote attackers to trigger the generation of arbitrary messages via a modified URL, related to mod/lti/locallib.php and mod/lti/return.php. El módulo LTI en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.7.3 no restringe debidamente los parámetros utilizados en una URL de retorno, lo que permite a atacantes remotos provocar la generación de mensajes arbitrarios a través de una URL modificada, relacionado con mod/lti/locallib.php and mod/lti/return.php. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47927 http://openwall.com/lists/oss-security/2014/11/17/11 http://www.securitytracker.com/id/1031215 https://moodle.org/mod/forum/discuss.php?d=275165 • CWE-20: Improper Input Validation •
CVE-2014-7846
https://notcve.org/view.php?id=CVE-2014-7846
tag/tag_autocomplete.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not consider the moodle/tag:edit capability before adding a tag, which allows remote authenticated users to bypass intended access restrictions via an AJAX request. tag/tag_autocomplete.php en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.7.3 no considera la funcionalidad moodle/tag:edit antes de añadir una etiqueta, lo que permite a usuarios remotos autenticados evadir las restricciones de acceso a través de una solicitud AJAX. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47965 http://openwall.com/lists/oss-security/2014/11/17/11 http://www.securitytracker.com/id/1031215 https://moodle.org/mod/forum/discuss.php?d=275157 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2014-9059
https://notcve.org/view.php?id=CVE-2014-9059
lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts. lib/setup.php en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.7.3 no proporciona información charset en cabeceras HTTP, lo que podría permitir a atacantes remotos realizar ataques de XSS a través de caracteres UTF-7 durante la interacción con secuencias de comandos AJAX. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47966 http://openwall.com/lists/oss-security/2014/11/17/11 http://www.securityfocus.com/bid/71133 http://www.securitytracker.com/id/1031215 https://moodle.org/mod/forum/discuss.php?d=275146 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •