CVSS: 6.8 | EPSS: 0% | CPEs: 118 | EXPL: 1

Directory traversal vulnerability in repository/filesystem/lib.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 allows remote authenticated users to read arbitrary files via a .. (dot dot) in a path.

• http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41807
• http://openwall.com/lists/oss-security/2013/11/25/1
• https://moodle.org/mod/forum/discuss.php?d=244481
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 3.5 | EPSS: 0% | CPEs: 118 | EXPL: 1

Cross-site scripting (XSS) vulnerability in mod/quiz/report/responses/responses_table.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 allows remote authenticated users to inject arbitrary web script or HTML via an answer to a text-based quiz question.

• http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41820
• http://openwall.com/lists/oss-security/2013/11/25/1
• https://moodle.org/mod/forum/discuss.php?d=244482
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.6 | EPSS: 2% | CPEs: 116 | EXPL: 3

Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a spell-check operation within the TinyMCE editor.

• https://www.exploit-db.com/exploits/29324
• http://packetstormsecurity.com/files/164479/Moodle-Authenticated-Spelling-Binary-Remote-Code-Execution.html
• https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-one
• https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats
• https://www.rapid7.com/blog/post/2013/10/30/seven-tricks-and-treats
• https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/moodle&#
• CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 5.8 | EPSS: 0% | CPEs: 29 | EXPL: 0

repository/s3/S3.php in the Amazon S3 library in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to an incorrect CURLOPT_SSL_VERIFYHOST value.

• http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40615
• http://www.openwall.com/lists/oss-security/2013/01/03/1
• https://moodle.org/mod/forum/discuss.php?d=238393
• CWE-20: Improper Input Validation

CVSS: 4.3 | EPSS: 0% | CPEs: 18 | EXPL: 3

Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 allow remote attackers to inject arbitrary web script or HTML via a crafted blog link within an RSS feed.

• https://www.exploit-db.com/exploits/28174
• http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41623
• http://packetstormsecurity.com/files/164479/Moodle-Authenticated-Spelling-Binary-Remote-Code-Execution.html
• https://moodle.org/mod/forum/discuss.php?d=238399
• https://www.rapid7.com/blog/post/2013/10/30/seven-tricks-and-treats
• https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/moodle_spelling_binary_rce.rb
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')