CVE-2008-3325
https://notcve.org/view.php?id=CVE-2008-3325
Cross-site request forgery (CSRF) vulnerability in Moodle 1.6.x before 1.6.7 and 1.7.x before 1.7.5 allows remote attackers to modify profile settings and gain privileges as other users via a link or IMG tag to the user edit profile page.
• http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00001.html http://moodle.org/mod/forum/discuss.php?d=101405 http://secunia.com/advisories/31196 http://secunia.com/advisories/31339 http://www.debian.org/security/2008/dsa-1691 http://www.procheckup.com/Vulnerability_PR08-16.php http://www.securityfocus.com/archive/1/494658/100/0/threaded https://exchange.xforce.ibmcloud.com/vulnerabilities/43964
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2008-3326
https://notcve.org/view.php?id=CVE-2008-3326
Cross-site scripting (XSS) vulnerability in blog/edit.php in Moodle 1.6.x before 1.6.7 and 1.7.x before 1.7.5 allows remote attackers to inject arbitrary web script or HTML via the etitle parameter (blog entry title).
• http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00001.html http://moodle.org/mod/forum/discuss.php?d=101401 http://secunia.com/advisories/31196 http://secunia.com/advisories/31339 http://www.debian.org/security/2008/dsa-1691 http://www.procheckup.com/Vulnerability_PR08-13.php http://www.securityfocus.com/archive/1/494656/100/0/threaded http://www.securityfocus.com/bid/30348 https://exchange.xforce.ibmcloud.com/vulnerabilities/43961 https://www.exploit-db.com/
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-1502
https://notcve.org/view.php?id=CVE-2008-1502
The _bad_protocol_once function in phpgwapi/inc/class.kses.inc.php in KSES, as used in eGroupWare before 1.4.003, Moodle before 1.8.5, and other products, allows remote attackers to bypass HTML filtering and conduct cross-site scripting (XSS) attacks via a string containing crafted URL protocols.
• http://docs.moodle.org/en/Release_Notes#Moodle_1.8.5 http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00006.html http://secunia.com/advisories/29491 http://secunia.com/advisories/30073 http://secunia.com/advisories/30986 http://secunia.com/advisories/31017 http://secunia.com/advisories/31018 http://secunia.com/advisories/31167 http://secunia.com/advisories/32400 http://secunia.com/advisories/32446 http://www.debian.org/security/2008/dsa-1691 http://www&
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-0123 – Moodle 1.8.3 - 'install.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2008-0123
Cross-site scripting (XSS) vulnerability in install.php for Moodle 1.8.3, and possibly other versions before 1.8.4, allows remote attackers to inject arbitrary web script or HTML via the dbname parameter. NOTE: this issue only exists until the installation is complete.
• https://www.exploit-db.com/exploits/31020 http://archives.neohapsis.com/archives/fulldisclosure/2008-01/0202.html http://int21.de/cve/CVE-2008-0123-moodle.html http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00003.html http://secunia.com/advisories/28838 http://www.securityfocus.com/archive/1/486198/100/0/threaded http://www.securityfocus.com/bid/27259 http://www.vupen.com/english/advisories/2008/0164 https://exchange.xforce.ibmcloud.com/vulnerabilities/39630
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2006-6626
https://notcve.org/view.php?id=CVE-2006-6626
Cross-site scripting (XSS) vulnerability in an unspecified component of Moodle 1.5 allows remote attackers to inject arbitrary web script or HTML via a javascript URI in the SRC attribute of an IMG element. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. NOTE: It is unclear whether this candidate overlaps CVE-2006-4784 or CVE-2006-4941.
• http://www.securityfocus.com/bid/21596 http://www.securityfocus.com/data/vulnerabilities/exploits/21596.html