CVE-2012-3388
https://notcve.org/view.php?id=CVE-2012-3388
The is_enrolled function in lib/accesslib.php in Moodle 2.2.x before 2.2.4 and 2.3.x before 2.3.1 does not properly interact with the caching feature, which might allow remote authenticated users to bypass an intended capability check via unspecified vectors that trigger caching of a user record. La función is_enrolled en lib/accesslib.php en Moodle v2.2.x anteriores a v2.2.4 y v2.3.x anteriores a v2.3.1 no interactúa de forma adecuada con la característica de cacheado, lo qe podría permitir a usuarios remotos autenticados evitar el control de capacidad a través de vectores que provocan un cacheado del registro de usuario. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-33916 http://openwall.com/lists/oss-security/2012/07/17/1 http://secunia.com/advisories/49890 http://www.securityfocus.com/bid/54481 https://exchange.xforce.ibmcloud.com/vulnerabilities/76955 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2012-3389
https://notcve.org/view.php?id=CVE-2012-3389
Multiple cross-site scripting (XSS) vulnerabilities in mod/lti/typessettings.php in Moodle 2.2.x before 2.2.4 and 2.3.x before 2.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) lti_typename or (2) lti_toolurl parameter. vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en mod/lti/typessettings.php en Moodle v2.2.x anteriores a v2.2.4 y v2.3.x anteriores a v2.3.1, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de los parámetros (1) lti_typename o (2) lti_toolurl. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31692 http://openwall.com/lists/oss-security/2012/07/17/1 http://secunia.com/advisories/49890 http://www.securityfocus.com/bid/54481 https://exchange.xforce.ibmcloud.com/vulnerabilities/76965 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2012-3397
https://notcve.org/view.php?id=CVE-2012-3397
lib/modinfolib.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 does not check for a group-membership requirement when determining whether an activity is unavailable or hidden, which allows remote authenticated users to bypass intended access restrictions by selecting an activity that is configured for a group of other users. lib/modinfolib.php en Moodle v2.0.x anteriores a v2.0.10, v2.1.x anteiores a v2.1.7, v2.2.x anteriores a v2.2.4, y v2.3.x anteriores a v2.3.1 no comprueban los requisitos para un grupo de miembros cuando una actividad no está disponible u oculta, lo que permite a usuarios remotos autenticados evitar las restricciones de acceso especificadas seleccionando una actividad que está configurada para un grupo de otros usuarios. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-33466 http://openwall.com/lists/oss-security/2012/07/17/1 http://secunia.com/advisories/49890 http://www.securityfocus.com/bid/54481 https://exchange.xforce.ibmcloud.com/vulnerabilities/76963 • CWE-264: Permissions, Privileges, and Access Controls •