CVE-2014-3541
https://notcve.org/view.php?id=CVE-2014-3541
The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data associated with an add-on. El componente Repositories en Moodle hasta 2.3.11, 2.4.x anterior a 2.4.11, 2.5.x anterior a 2.5.7, 2.6.x anterior a 2.6.4 y 2.7.x anterior a 2.7.1 permite a atacantes remotos realizar ataques de inyección de objetos PHP y ejecutar código arbitrario a través de datos serializados asociados con un complemento. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45616 http://openwall.com/lists/oss-security/2014/07/21/1 https://moodle.org/mod/forum/discuss.php?d=264262 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2014-3543
https://notcve.org/view.php?id=CVE-2014-3543
mod/imscp/locallib.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via a package with a manifest file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue affecting IMSCP resources and the IMSCC format. mod/imscp/locallib.php en Moodle hasta 2.3.11, 2.4.x anterior a 2.4.11, 2.5.x anterior a 2.5.7, 2.6.x anterior a 2.6.4 y 2.7.x anterior a 2.7.1 permite a atacantes remotos leer ficheros arbitrarios a través de un paquete con un fichero de manifiesto que contiene una declaración de entidad externa XML en conjunto con una referencia de entidad, relacionado con un problema de entidad externa XML (XXE) que afecta recursos IMSCP y el formato IMSCC. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45417 http://openwall.com/lists/oss-security/2014/07/21/1 https://moodle.org/mod/forum/discuss.php?d=264264 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2014-3551
https://notcve.org/view.php?id=CVE-2014-3551
Multiple cross-site scripting (XSS) vulnerabilities in the advanced-grading implementation in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) qualification or (2) rating field in a rubric. Múltiples vulnerabilidades de XSS en la implementación advanced-grading en Moodle hasta 2.3.11, 2.4.x anterior a 2.4.11, 2.5.x anterior a 2.5.7, 2.6.x anterior a 2.6.4 y 2.7.x anterior a 2.7.1 permiten a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de un (1) campo qualification manipulado o (2) campo rating manipulado en un epígrafe. • https://github.com/JavaGarcia/CVE-2014-3551 http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46223 http://openwall.com/lists/oss-security/2014/07/21/1 http://www.securityfocus.com/bid/68763 https://moodle.org/mod/forum/discuss.php?d=264273 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-3548
https://notcve.org/view.php?id=CVE-2014-3548
Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote attackers to inject arbitrary web script or HTML via vectors that trigger an AJAX exception dialog. Múltiples vulnerabilidades de XSS en Moodle through 2.3.11, 2.4.x anterior a 2.4.11, 2.5.x anterior a 2.5.7, 2.6.x anterior a 2.6.4 y 2.7.x anterior a 2.7.1 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores que provocan un dialogo de excepciones AJAX . • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45471 http://openwall.com/lists/oss-security/2014/07/21/1 http://www.securityfocus.com/bid/68766 https://moodle.org/mod/forum/discuss.php?d=264270 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-3552
https://notcve.org/view.php?id=CVE-2014-3552
The Shibboleth authentication plugin in auth/shibboleth/index.php in Moodle through 2.3.11, 2.4.x before 2.4.11, and 2.5.x before 2.5.7 does not check whether a session ID is empty, which allows remote authenticated users to hijack sessions via crafted plugin interaction. El plugin Shibboleth Authentication en auth/shibboleth/index.php en Moodle hasta 2.3.11, 2.4.x anterior a 2.4.11 y 2.5.x anterior a 2.5.7 no comprueba si un ID de sesión está vacío, lo que permite a usuarios remotos autenticados secuestrar sesiones a través de interacciones manipuladas de plugins. • http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_25_STABLE&st=commit&s=MDL-45485 http://openwall.com/lists/oss-security/2014/07/21/1 https://moodle.org/mod/forum/discuss.php?d=264261 • CWE-287: Improper Authentication •