CVSS: 3.5EPSS: 0%CPEs: 11EXPL: 0CVE-2012-3393
https://notcve.org/view.php?id=CVE-2012-3393
Cross-site scripting (XSS) vulnerability in repository/lib.php in Moodle 2.1.x before 2.1.7 and 2.2.x before 2.2.4 allows remote authenticated administrators to inject arbitrary web script or HTML by renaming a repository. vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en repository/lib.php en Moodle v2.1.x anteriores a v2.1.7 y v2.2.x anteriores a v2.2.4, permite a atacantes remotos inyectar secuencias de comandos web o HTML renombrando un repositorio. • http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_22_STABLE&st=commit&s=MDL-33808 http://openwall.com/lists/oss-security/2012/07/17/1 http://secunia.com/advisories/49890 http://www.securityfocus.com/bid/54481 https://exchange.xforce.ibmcloud.com/vulnerabilities/76959 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 3.5EPSS: 0%CPEs: 22EXPL: 0CVE-2012-3396
https://notcve.org/view.php?id=CVE-2012-3396
Cross-site scripting (XSS) vulnerability in cohort/edit_form.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the idnumber field. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-2365. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en cohort/edit_form.php en Moodle v2.0.x anteriores a v2.0.10, v2.1.x anteriores a v2.1.7, v2.2.x anteriores a v2.2.4, y v2.3.x anteriores a v2.3.1, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del campo idnumber. NOTA: esta vulnerabilidad existe debido a una mala implementación de la solución para CVE-2012-2365. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34045 http://openwall.com/lists/oss-security/2012/07/17/1 http://secunia.com/advisories/49890 http://www.securityfocus.com/bid/54481 https://exchange.xforce.ibmcloud.com/vulnerabilities/76962 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 21EXPL: 0CVE-2012-3395
https://notcve.org/view.php?id=CVE-2012-3395
SQL injection vulnerability in mod/feedback/complete.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, and 2.2.x before 2.2.4 allows remote authenticated users to execute arbitrary SQL commands via crafted form data. Vulnerabilidad de inyección SQL en mod/feedback/complete.php en Moodle v2.0.x anteriores a v2.0.10, v2.1.x anteriores a v2.1.7, y v2.2.x anteriores a v2.2.4, permite a atacantes remotos ejecutar comandos SQL de su elección a través de un formulario de datos modificado. • http://git.moodle.org/gw?p=moodle.git&a=search&h=9d8d2ee6192e8b7ebb6713bd6215e06f94e2a9f7&st=commit&s=MDL-27675 http://openwall.com/lists/oss-security/2012/07/17/1 http://secunia.com/advisories/49890 http://www.securityfocus.com/bid/54481 https://exchange.xforce.ibmcloud.com/vulnerabilities/76961 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.0EPSS: 0%CPEs: 12EXPL: 0CVE-2012-3394
https://notcve.org/view.php?id=CVE-2012-3394
auth/ldap/ntlmsso_attempt.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 redirects users from an https LDAP login URL to an http URL, which allows remote attackers to obtain sensitive information by sniffing the network. auth/ldap/ntlmsso_attempt.php en Moodle v2.0.x anteriores a v2.0.10, v2.1.x anteriores a v2.1.7, v2.2.x anteriores a v2.2.4, y v2.3.x anteriores a v2.3.1 redirecciona usuarios desde una dirección URL HTTPS de login LDAP, lo que permite atacantes remotos a obtener información sensible espiando la red. • http://git.moodle.org/gw?p=moodle.git%3Ba=commit%3Bh=9d8d2ee6192e8b7ebb6713bd6215e06f94e2a9f7 http://openwall.com/lists/oss-security/2012/07/17/1 http://secunia.com/advisories/49890 http://www.securityfocus.com/bid/54481 https://exchange.xforce.ibmcloud.com/vulnerabilities/76960 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.0EPSS: 0%CPEs: 22EXPL: 0CVE-2012-3397
https://notcve.org/view.php?id=CVE-2012-3397
lib/modinfolib.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 does not check for a group-membership requirement when determining whether an activity is unavailable or hidden, which allows remote authenticated users to bypass intended access restrictions by selecting an activity that is configured for a group of other users. lib/modinfolib.php en Moodle v2.0.x anteriores a v2.0.10, v2.1.x anteiores a v2.1.7, v2.2.x anteriores a v2.2.4, y v2.3.x anteriores a v2.3.1 no comprueban los requisitos para un grupo de miembros cuando una actividad no está disponible u oculta, lo que permite a usuarios remotos autenticados evitar las restricciones de acceso especificadas seleccionando una actividad que está configurada para un grupo de otros usuarios. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-33466 http://openwall.com/lists/oss-security/2012/07/17/1 http://secunia.com/advisories/49890 http://www.securityfocus.com/bid/54481 https://exchange.xforce.ibmcloud.com/vulnerabilities/76963 • CWE-264: Permissions, Privileges, and Access Controls •