CVE-2014-9059
https://notcve.org/view.php?id=CVE-2014-9059
lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts. lib/setup.php en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.7.3 no proporciona información charset en cabeceras HTTP, lo que podría permitir a atacantes remotos realizar ataques de XSS a través de caracteres UTF-7 durante la interacción con secuencias de comandos AJAX. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47966 http://openwall.com/lists/oss-security/2014/11/17/11 http://www.securityfocus.com/bid/71133 http://www.securitytracker.com/id/1031215 https://moodle.org/mod/forum/discuss.php?d=275146 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-3617
https://notcve.org/view.php?id=CVE-2014-3617
The forum_print_latest_discussions function in mod/forum/lib.php in Moodle through 2.4.11, 2.5.x before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2 allows remote authenticated users to bypass the individual answer-posting requirement without the mod/forum:viewqandawithoutposting capability, and discover an author's username, by leveraging the student role and visiting a Q&A forum. La función forum_print_latest_discussions en mod/forum/lib.php en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.8, 2.6.x anterior a 2.6.5, y 2.7.x anterior a 2.7.2 permite a usuarios remotos autenticados evadir los requisitos individuales de 'answer-posting' sin la capacidad mod/forum:viewqandawithoutposting, y descubrir el nombre de usuario de un autor, mediante el aprovechamiento del rol estudiante y visitar el foro Q&A. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46619 http://openwall.com/lists/oss-security/2014/09/15/1 https://moodle.org/mod/forum/discuss.php?d=269591 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2014-3542
https://notcve.org/view.php?id=CVE-2014-3542
mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. mod/lti/service.php en Moodle hasta 2.3.11, 2.4.x anterior a 2.4.11, 2.5.x anterior a 2.5.7, 2.6.x anterior a 2.6.4 y 2.7.x anterior a 2.7.1 permite a atacantes remotos leer ficheros arbitrarios a través de una declaración de entidad externa XML en conjunto con una referencia de entidad, relacionado con un problema de entidad externa XML (XXE). • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45463 http://openwall.com/lists/oss-security/2014/07/21/1 https://moodle.org/mod/forum/discuss.php?d=264263 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2014-3553
https://notcve.org/view.php?id=CVE-2014-3553
mod/forum/classes/post_form.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce the moodle/site:accessallgroups capability requirement before proceeding with a post to all groups, which allows remote authenticated users to bypass intended access restrictions by leveraging two or more group memberships. mod/forum/classes/post_form.php en Moodle hasta 2.3.11, 2.4.x anterior a 2.4.11, 2.5.x anterior a 2.5.7, 2.6.x anterior a 2.6.4 y 2.7.x anterior a 2.7.1 no fuerza el requisito de capacidad moodle/site:accessallgroups antes de seguir con una publicación a todos los grupos, lo que permite a usuarios remotos autenticados evadir las restricciones de acceso mediante el aprovechamiento de dos o más pertenencias a grupos. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38990 http://openwall.com/lists/oss-security/2014/07/21/1 https://moodle.org/mod/forum/discuss.php?d=264268 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2014-3550
https://notcve.org/view.php?id=CVE-2014-3550
Multiple cross-site scripting (XSS) vulnerabilities in admin/tool/task/scheduledtasks.php in Moodle 2.7.x before 2.7.1 allow remote attackers to inject arbitrary web script or HTML via vectors that trigger a crafted (1) error or (2) success message for a scheduled task. Múltiples vulnerabilidades de XSS en admin/tool/task/scheduledtasks.php en Moodle 2.7.x anterior a 2.7.1 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores que provocan un (1) error manipulado o (2) mensaje de éxito manipulado para una tarea programada. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46227 http://openwall.com/lists/oss-security/2014/07/21/1 http://www.securityfocus.com/bid/68762 https://moodle.org/mod/forum/discuss.php?d=264272 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •