Page 36 of 379 results (0.019 seconds)

CVSS: 3.5EPSS: 0%CPEs: 118EXPL: 1

Cross-site scripting (XSS) vulnerability in message/lib.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted message. Vulnerabilidad de XSS en message/lib.php en Moodle hasta la versión 2.2.11, 2.3.x anterior a la versión 2.3.10, 2.4.x anterior a 2.4.7, y 2.5.x anterior a la versión 2.5.3 permite a usuarios remotos autenticados inyectar script web o HTML arbitrario a través de un mensaje manipulado. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41941 http://openwall.com/lists/oss-security/2013/11/25/1 https://moodle.org/mod/forum/discuss.php?d=244480 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.6EPSS: 2%CPEs: 116EXPL: 2

Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a spell-check operation within the TinyMCE editor. Moodle a través de 2.5.2 permite a los administradores remotos autenticados ejecutar programas arbitrarios mediante la configuración de la ruta aspell y luego desencadenar una operación de corrección ortográfica en el editor TinyMCE. • https://www.exploit-db.com/exploits/29324 http://packetstormsecurity.com/files/164479/Moodle-Authenticated-Spelling-Binary-Remote-Code-Execution.html https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-foss-disclosures-part-one https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats https://www.rapid7.com/blog/post/2013/10/30/seven-tricks-and-treats • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 7.5EPSS: 0%CPEs: 29EXPL: 0

Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not prevent use of '\0' characters in query strings, which might allow remote attackers to conduct SQL injection attacks against Microsoft SQL Server via a crafted string. Moodle desde 2.2.11, 2.3.x anterior a 2.3.9, 2.4.x anterior a 2.4.6, y 2.5.x anterior a 2.5.2 no previene el uso de caracteres "\0" en cadenas de busqueda lo que podría permitir a atacantes remotos dirigir un ataque de inyección SQL contra Microsoft SQL Server a través de una cadena manipulada • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40676 https://moodle.org/mod/forum/discuss.php?d=238396 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

badges/external.php in Moodle 2.5.x before 2.5.2 does not properly handle an object obtained by unserializing a description of an external badge, which allows remote attackers to conduct PHP object injection attacks via unspecified vectors, as demonstrated by overwriting the value of the userid parameter. badges/external.php en Moodle 2.5.x anteriores a 2.5.2 no maneja adecuadamente un objeto obtenido deserializando una descripción de badge externo, lo que permite a un atacante remoto realizar ataques de inyección de objeto en PHP a través de vectores no especificados, como fué demostrado sobreescribiendo el valor del parámetro userid. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40924 https://moodle.org/mod/forum/discuss.php?d=238397 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 5.8EPSS: 0%CPEs: 29EXPL: 0

repository/s3/S3.php in the Amazon S3 library in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to an incorrect CURLOPT_SSL_VERIFYHOST value. repository/s3/S3.php en Amazon S3 library en Moodle de la 2.2.11, 2.3.x anterior a 2.3.9, 2.4.x anterior a 2.4.6, y 2.5.x anterior a 2.5.2, no verifica que el nombre de host coincida con el nombre de dominio en el Common Name (CN) o el campo subjectAltName del certificado X.509, lo que permite a atacantes "man-in-the-middle" suplantar a los servidores SSL a través de un certificado válido de su elección, relacionado con un valor incorrecto de CURLOPT_SSL_VERIFYHOST. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40615 http://www.openwall.com/lists/oss-security/2013/01/03/1 https://moodle.org/mod/forum/discuss.php?d=238393 • CWE-20: Improper Input Validation •