CVSS: 3.5EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7830
https://notcve.org/view.php?id=CVE-2014-7830
Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the mod/feedback:mapcourse capability to provide a searchcourse parameter. Vulnerabilidad de XSS en mod/feedback/mapcourse.php en el módulo Feedback en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.7.3 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios mediante el aprovechamiento de la funcionalidad mod/feedback:mapcourse para proporcionar un parámetro searchcourse. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47865 http://openwall.com/lists/oss-security/2014/11/17/11 http://www.securityfocus.com/bid/71119 http://www.securitytracker.com/id/1031215 https://moodle.org/mod/forum/discuss.php?d=275147 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 2.1EPSS: 0%CPEs: 19EXPL: 0CVE-2014-7835
https://notcve.org/view.php?id=CVE-2014-7835
webservice/upload.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not ensure that a file upload is for a private or draft area, which allows remote authenticated users to upload files containing JavaScript, and consequently conduct cross-site scripting (XSS) attacks, by specifying the profile-picture area. webservice/upload.php en Moodle 2.6.x anterior a 2.6.6 y 2.7.x anterior a 2.7.3 no asegura que una subida de ficheros es para una área privada o de borrador, lo que permite a usuarios remotos autenticados subir ficheros que contienen JavaScript, y como consecuencia realizar ataques de XSS, al especificar la área de la imagen de perfil. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47868 http://openwall.com/lists/oss-security/2014/11/17/11 http://www.securitytracker.com/id/1031215 https://moodle.org/mod/forum/discuss.php?d=275161 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.0EPSS: 0%CPEs: 72EXPL: 0CVE-2014-3617
https://notcve.org/view.php?id=CVE-2014-3617
The forum_print_latest_discussions function in mod/forum/lib.php in Moodle through 2.4.11, 2.5.x before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2 allows remote authenticated users to bypass the individual answer-posting requirement without the mod/forum:viewqandawithoutposting capability, and discover an author's username, by leveraging the student role and visiting a Q&A forum. La función forum_print_latest_discussions en mod/forum/lib.php en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.8, 2.6.x anterior a 2.6.5, y 2.7.x anterior a 2.7.2 permite a usuarios remotos autenticados evadir los requisitos individuales de 'answer-posting' sin la capacidad mod/forum:viewqandawithoutposting, y descubrir el nombre de usuario de un autor, mediante el aprovechamiento del rol estudiante y visitar el foro Q&A. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46619 http://openwall.com/lists/oss-security/2014/09/15/1 https://moodle.org/mod/forum/discuss.php?d=269591 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 35EXPL: 0CVE-2014-3548
https://notcve.org/view.php?id=CVE-2014-3548
Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote attackers to inject arbitrary web script or HTML via vectors that trigger an AJAX exception dialog. Múltiples vulnerabilidades de XSS en Moodle through 2.3.11, 2.4.x anterior a 2.4.11, 2.5.x anterior a 2.5.7, 2.6.x anterior a 2.6.4 y 2.7.x anterior a 2.7.1 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores que provocan un dialogo de excepciones AJAX . • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45471 http://openwall.com/lists/oss-security/2014/07/21/1 http://www.securityfocus.com/bid/68766 https://moodle.org/mod/forum/discuss.php?d=264270 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.9EPSS: 0%CPEs: 35EXPL: 0CVE-2014-3553
https://notcve.org/view.php?id=CVE-2014-3553
mod/forum/classes/post_form.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce the moodle/site:accessallgroups capability requirement before proceeding with a post to all groups, which allows remote authenticated users to bypass intended access restrictions by leveraging two or more group memberships. mod/forum/classes/post_form.php en Moodle hasta 2.3.11, 2.4.x anterior a 2.4.11, 2.5.x anterior a 2.5.7, 2.6.x anterior a 2.6.4 y 2.7.x anterior a 2.7.1 no fuerza el requisito de capacidad moodle/site:accessallgroups antes de seguir con una publicación a todos los grupos, lo que permite a usuarios remotos autenticados evadir las restricciones de acceso mediante el aprovechamiento de dos o más pertenencias a grupos. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38990 http://openwall.com/lists/oss-security/2014/07/21/1 https://moodle.org/mod/forum/discuss.php?d=264268 • CWE-264: Permissions, Privileges, and Access Controls •