CVSS: 6.0EPSS: 0%CPEs: 15EXPL: 0CVE-2009-4301
https://notcve.org/view.php?id=CVE-2009-4301
mnet/lib.php in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7, when MNET services are enabled, does not properly check permissions, which allows remote authenticated servers to execute arbitrary MNET functions. mnet/lib.php en Moodle v1.8 anteriores a v1.8.11 y v1.9 anteriores a v1.9.7, cuando los servicios MNET están activados, no chequea adecuadamente los permisos, lo que permite a servidores remotos autenticados ejecutar funciones MNET arbitrarias. • http://cvs.moodle.org/moodle/mnet/lib.php?r1=1.16.2.10&r2=1.16.2.11 http://cvs.moodle.org/moodle/mnet/lib.php?r1=1.9.2.7&r2=1.9.2.8 http://docs.moodle.org/en/Moodle_1.8.11_release_notes http://docs.moodle.org/en/Moodle_1.9.7_release_notes http://moodle.org/mod/forum/discuss.php?d=139106 http://secunia.com/advisories/37614 http://www.securityfocus.com/bid/37244 http://www.vupen.com/english/advisories/2009/3455 https://www.redhat.c • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.8EPSS: 0%CPEs: 15EXPL: 0CVE-2009-4297
https://notcve.org/view.php?id=CVE-2009-4297
Multiple cross-site request forgery (CSRF) vulnerabilities in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en en Moodle v1.8 anteriores a v1.8.11 y v1.9 anteriores a v1.9.7 permite a atacantes remotos secuestrar la autenticación de victimas inespecíficas a través de vectores desconocidos. • http://docs.moodle.org/en/Moodle_1.8.11_release_notes http://docs.moodle.org/en/Moodle_1.9.7_release_notes http://moodle.org/mod/forum/discuss.php?d=139100 http://secunia.com/advisories/37614 http://www.securityfocus.com/bid/37244 http://www.vupen.com/english/advisories/2009/3455 https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00704.html https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00730.html https://www.redhat.com/ar • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.0EPSS: 0%CPEs: 15EXPL: 0CVE-2009-4302
https://notcve.org/view.php?id=CVE-2009-4302
login/index_form.html in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 links to an index page on the HTTP port even when the page is served from an HTTPS port, which might cause login credentials to be sent in cleartext, even when SSL is intended, and allows remote attackers to obtain these credentials by sniffing. login/index_form.html en Moodle v1.8 anteriores a v1.8.11 y v1.9 anteriores a v1.9.7 enlaza a una pagina inicial en un puerto HTTP incluso cuando la pagina es servida desde un puerto HTTPS, lo que podría causar que las credenciales fuesen enviadas en texto plano, incluso cuando el envío SSl este previsto, lo que permitiría atacantes obtener esas credenciales mediante la interceptación. • http://docs.moodle.org/en/Moodle_1.8.11_release_notes http://docs.moodle.org/en/Moodle_1.9.7_release_notes http://moodle.org/mod/forum/discuss.php?d=139107 http://secunia.com/advisories/37614 http://www.securityfocus.com/bid/37244 http://www.vupen.com/english/advisories/2009/3455 https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00704.html https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00730.html https://www.redhat.com/ar • CWE-310: Cryptographic Issues •
CVSS: 5.0EPSS: 0%CPEs: 15EXPL: 0CVE-2009-4303
https://notcve.org/view.php?id=CVE-2009-4303
Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 stores (1) password hashes and (2) unspecified "secrets" in backup files, which might allow attackers to obtain sensitive information. Moodle v1.8 anteriores a v1.8.11 y v1.9 anteriores a v1.9.7 almacena (1) los hashes de las contraseñas y (2) "secretos" sin especificar en ficheros de copias de seguridad, lo que permitiría a atacantes obtener información sensible. • http://docs.moodle.org/en/Moodle_1.8.11_release_notes http://docs.moodle.org/en/Moodle_1.9.7_release_notes http://moodle.org/mod/forum/discuss.php?d=139110 http://secunia.com/advisories/37614 http://www.securityfocus.com/bid/37244 http://www.vupen.com/english/advisories/2009/3455 https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00704.html https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00730.html https://www.redhat.com/ar • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 1%CPEs: 15EXPL: 0CVE-2009-4304
https://notcve.org/view.php?id=CVE-2009-4304
Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 does not use a random password salt in config.php, which makes it easier for attackers to conduct brute-force password guessing attacks. Moodle v1.8 anteriores a v1.8.11 y v1.9 anteriores a v1.9.7 no utiliza variación aleatorio de contraseñas en config.php, lo que hace mas facil para los atacantes dirigir un ataque de fuerza bruta contra la contraseña. • http://docs.moodle.org/en/Moodle_1.8.11_release_notes http://docs.moodle.org/en/Moodle_1.9.7_release_notes http://moodle.org/mod/forum/discuss.php?d=139111 http://secunia.com/advisories/37614 http://www.securityfocus.com/bid/37244 http://www.vupen.com/english/advisories/2009/3455 https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00704.html https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00730.html https://www.redhat.com/ar • CWE-255: Credentials Management Errors •