CVSS: 3.5EPSS: 0%CPEs: 61EXPL: 0CVE-2014-2571
https://notcve.org/view.php?id=CVE-2014-2571
Cross-site scripting (XSS) vulnerability in the quiz_question_tostring function in mod/quiz/editlib.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote authenticated users to inject arbitrary web script or HTML via a quiz question. Vulnerabilidad de XSS en la función quiz_question_tostring en mod/quiz/editlib.php en Moodle hasta 2.3.11, 2.4.x anterior a 2.4.9, 2.5.x anterior a 2.5.5 y 2.6.x anterior a 2.6.2 permite a usuarios remotos autenticados inyectar script Web o HTML arbitrarios a través de una pregunta de cuestionario. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43690 http://openwall.com/lists/oss-security/2014/03/17/1 https://moodle.org/mod/forum/discuss.php?d=256416 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 91EXPL: 0CVE-2013-7341
https://notcve.org/view.php?id=CVE-2013-7341
Multiple cross-site scripting (XSS) vulnerabilities in Flowplayer Flash before 3.2.17, as used in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2, allow remote attackers to inject arbitrary web script or HTML by (1) providing a crafted playerId or (2) referencing an external domain, a related issue to CVE-2013-7342. Múltiples vulnerabilidades de XSS en Flowplayer Flash anterior a 3.2.17, utilizado en Moodle hasta 2.3.11, 2.4.x anterior a 2.4.9, 2.5.x anterior a 2.5.5 y 2.6.x anterior a 2.6.2, permiten a atacantes remotos inyectar script Web o HTML arbitrarios (1) proporcionando un playerId manipulado o (2) referenciando un dominio externo, un problema relacionado con CVE-2013-7342. • http://flash.flowplayer.org/documentation/version-history.html http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43344 http://openwall.com/lists/oss-security/2014/03/17/1 https://github.com/flowplayer/flash/issues/121 https://moodle.org/mod/forum/discuss.php?d=256420 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.9EPSS: 0%CPEs: 61EXPL: 0CVE-2014-0122
https://notcve.org/view.php?id=CVE-2014-0122
mod/chat/chat_ajax.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 does not properly check for the mod/chat:chat capability during chat sessions, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by remaining in a chat session after an intra-session capability removal by an administrator. mod/chat/chat_ajax.php en Moodle hasta 2.3.11, 2.4.x anterior a 2.4.9, 2.5.x anterior a 2.5.5 y 2.6.x anterior a 2.6.2 no comprueba debidamente la funcionalidad mod/chat:chat durante sesiones de chat, lo que permite a usuarios remotos autenticados evadir restricciones de acceso en circunstancias oportunistas permaneciendo en una sesión de chat después de una eliminación de funcionalidad intrasesión por un administrador. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44082 http://openwall.com/lists/oss-security/2014/03/17/1 https://moodle.org/mod/forum/discuss.php?d=256418 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.8EPSS: 0%CPEs: 59EXPL: 0CVE-2014-0010
https://notcve.org/view.php?id=CVE-2014-0010
Multiple cross-site request forgery (CSRF) vulnerabilities in user/profile/index.php in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 allow remote attackers to hijack the authentication of administrators for requests that delete (1) categories or (2) fields. Múltiples vulnerabilidades de CSRF en user/profile/index.php en Moodle hasta la versión 2.2.11, 2.3.x anterior a 2.3.11, 2.4.x anterior a la versión 2.4.8, 2.5.x anterior a 2.5.4, y 2.6.x anterior a la versión 2.6.1 permite a atacantes remotos secuestrar la autenticación de administradores para peticiones que eliminen (1) categorías o (2) campos. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-42883 http://lists.fedoraproject.org/pipermail/package-announce/2014-January/127510.html http://lists.fedoraproject.org/pipermail/package-announce/2014-January/127533.html http://openwall.com/lists/oss-security/2014/01/20/1 http://osvdb.org/102261 http://www.securitytracker.com/id/1029649 https://moodle.org/mod/forum/discuss.php?d=252416 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.5EPSS: 0%CPEs: 57EXPL: 0CVE-2014-0009
https://notcve.org/view.php?id=CVE-2014-0009
course/loginas.php in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 does not enforce the moodle/site:accessallgroups capability requirement for outside-group users in a SEPARATEGROUPS configuration, which allows remote authenticated users to perform "login as" actions via a direct request. course/loginas.php en Moodle hasta 2.2.11, 2.3.x antes de 2.3.11, 2.4.x antes de 2.4.8, 2.5.x antes de 2.5.4 y 2.6.x antes de 2.6.1 no fuerza el reuiisto moodle/site:accessallgroups para los usuarios de fuera del grupo en una configuración SEPARATEGROUPS, que permite a los usuarios remotos autenticados para realizar acciones "login como" mediante una petición directa. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-42643 http://lists.fedoraproject.org/pipermail/package-announce/2014-January/127510.html http://lists.fedoraproject.org/pipermail/package-announce/2014-January/127533.html http://openwall.com/lists/oss-security/2014/01/20/1 http://www.securitytracker.com/id/1029648 https://moodle.org/mod/forum/discuss.php?d=252415 • CWE-264: Permissions, Privileges, and Access Controls •