CVSS: 5.8EPSS: 0%CPEs: 29EXPL: 0CVE-2012-6087
https://notcve.org/view.php?id=CVE-2012-6087
repository/s3/S3.php in the Amazon S3 library in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to an incorrect CURLOPT_SSL_VERIFYHOST value. repository/s3/S3.php en Amazon S3 library en Moodle de la 2.2.11, 2.3.x anterior a 2.3.9, 2.4.x anterior a 2.4.6, y 2.5.x anterior a 2.5.2, no verifica que el nombre de host coincida con el nombre de dominio en el Common Name (CN) o el campo subjectAltName del certificado X.509, lo que permite a atacantes "man-in-the-middle" suplantar a los servidores SSL a través de un certificado válido de su elección, relacionado con un valor incorrecto de CURLOPT_SSL_VERIFYHOST. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40615 http://www.openwall.com/lists/oss-security/2013/01/03/1 https://moodle.org/mod/forum/discuss.php?d=238393 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 18EXPL: 2CVE-2013-4341 – Moodle 2.3.8/2.4.5 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-4341
Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 allow remote attackers to inject arbitrary web script or HTML via a crafted blog link within an RSS feed. Múltiples vulnerabilidades de XSS en Moodle de la versión 2.2.11, 2.3.x anterior a 2.3.9, 2.4.x anterior a 2.4.6, y 2.5.x anterior a 2.5.2, permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de un enlace al blog dentro de un feed RSS. • https://www.exploit-db.com/exploits/28174 http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41623 http://packetstormsecurity.com/files/164479/Moodle-Authenticated-Spelling-Binary-Remote-Code-Execution.html https://moodle.org/mod/forum/discuss.php?d=238399 https://www.rapid7.com/blog/post/2013/10/30/seven-tricks-and-treats • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 10EXPL: 0CVE-2010-4207
https://notcve.org/view.php?id=CVE-2010-4207
Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.4.0 through 2.8.1, as used in Bugzilla, Moodle, and other products, allows remote attackers to inject arbitrary web script or HTML via vectors related to charts/assets/charts.swf. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en la infraestructura del componente de Flash en YUI v2.4.0 hasta v2.8.1, tal como se emplea en Bugzilla, Moodle y otros productos, permite a atacantes remotos inyectar secuencias de comandos web o HTML mediante vectores relacionados con charts/assets/charts.swf. • http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050813.html http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050820.html http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050830.html http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00005.html http://moodle.org/mod/forum/discuss.php?d=160910 http://secunia.com/advisories/41955 http://secunia.com/advisories/42271 http://www.bugzilla.org/security/3.2.8 http://www& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 9EXPL: 0CVE-2010-4208
https://notcve.org/view.php?id=CVE-2010-4208
Cross-site scripting (XSS) vulnerability in the Flash component infrastructure in YUI 2.5.0 through 2.8.1, as used in Bugzilla, Moodle, and other products, allows remote attackers to inject arbitrary web script or HTML via vectors related to uploader/assets/uploader.swf. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en la infraestructura del componente de Flash en YUI v2.5.0 hasta v2.8.1, tal como se emplea en Bugzilla, Moodle y otros productos, permite a atacantes remotos inyectar secuencias de comandos web o HTML mediante vectores relacionados con uploader/assets/uploader.swf • http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050813.html http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050820.html http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050830.html http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00005.html http://moodle.org/mod/forum/discuss.php?d=160910 http://secunia.com/advisories/41955 http://secunia.com/advisories/42271 http://www.bugzilla.org/security/3.2.8 http://www& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •