CVSS: 5.0EPSS: 0%CPEs: 15EXPL: 0CVE-2009-4300
https://notcve.org/view.php?id=CVE-2009-4300
Multiple unspecified authentication plugins in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 store the MD5 hashes for passwords in the user table, even when the cached hashes are not used by the plugin, which might make it easier for attackers to obtain credentials via unspecified vectors. Múltiples plugins de autenticación sin especificar en Moodle v1.8 anteriores a v1.8.11 y v1.9 anteriores a v1.9.7 almacenan los hash MD5 para las contraseñas en la tabla de usuario, incluso cuando los hashes que se cachean no son utilizados por el plugin, lo que haría mas fácil a atacantes obtener credenciales a través de vectores sin especificar. • http://docs.moodle.org/en/Moodle_1.8.11_release_notes http://docs.moodle.org/en/Moodle_1.9.7_release_notes http://moodle.org/mod/forum/discuss.php?d=139105 http://secunia.com/advisories/37614 http://www.securityfocus.com/bid/37244 http://www.vupen.com/english/advisories/2009/3455 https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00704.html https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00730.html https://www.redhat.com/ar • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 15EXPL: 0CVE-2009-4305
https://notcve.org/view.php?id=CVE-2009-4305
SQL injection vulnerability in the SCORM module in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 allows remote authenticated users to execute arbitrary SQL commands via vectors related to an "escaping issue when processing AICC CRS file (Course_Title)." Vulnerabilidad de inyección en el módulo SCORM en Moodle v1.8 anteriores a v1.8.11 y v1.9 anteriores a la v1.9.7 permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través de de vectores relacionados con un "asunto de escapado cuando se procesa un fichero AICC CRS (Course_Title)." • http://docs.moodle.org/en/Moodle_1.8.11_release_notes http://docs.moodle.org/en/Moodle_1.9.7_release_notes http://moodle.org/mod/forum/discuss.php?d=139120 http://secunia.com/advisories/37614 http://www.securityfocus.com/bid/37244 http://www.vupen.com/english/advisories/2009/3455 https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00704.html https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00730.html https://www.redhat.com/ar • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 2%CPEs: 27EXPL: 2CVE-2009-1171 – Moodle < 1.6.9/1.7.7/1.8.9/1.9.5 - File Disclosure
https://notcve.org/view.php?id=CVE-2009-1171
The TeX filter in Moodle 1.6 before 1.6.9+, 1.7 before 1.7.7+, 1.8 before 1.8.9, and 1.9 before 1.9.5 allows user-assisted attackers to read arbitrary files via an input command in a "$$" sequence, which causes LaTeX to include the contents of the file. El filtro TeX en Moodle v1.6 anteriores a v1.6.9+, v1.7 anteriores a v1.7.7+, v1.8 anteriores a v1.8.9, y v1.9 anteriores a v1.9.5 permite a atacantes con la intervención del usuario leer ficheros de su elección mediante un comando "input" en secuencia con "$$", provocando que LaTeX incluya el contenido del fichero. • https://www.exploit-db.com/exploits/8297 http://cvs.moodle.org/moodle/filter/tex/filter.php?r1=1.18.4.4&r2=1.18.4.5 http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html http://secunia.com/advisories/34517 http://secunia.com/advisories/34557 http://secunia.com/advisories/34600 http://secunia.com/advisories/35570 http://tracker.moodle.org/browse/MDL-18552 http://www.debian.org/security/2009/dsa-1761 http://www.securityfocus.com/archive/1/5 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 25EXPL: 0CVE-2009-0500
https://notcve.org/view.php?id=CVE-2009-0500
Cross-site scripting (XSS) vulnerability in course/lib.php in Moodle 1.6 before 1.6.9, 1.7 before 1.7.7, 1.8 before 1.8.8, and 1.9 before 1.9.4 allows remote attackers to inject arbitrary web script or HTML via crafted log table information that is not properly handled when it is displayed in a log report. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el archivo course/lib.php en Moodle v1.6 anteriores a la v1.6.9, v1.7 anteriores a v1.7.7, v1.8 anteriores a v1.8.8, y v1.9 anteriores a v1.9.4, que permite a los atacantes remotos inyectar arbitrariamente una secuencia de comandos web o HTML a través de una tabla de información log manipulada que no está manejada adecuadamente cuando es mostrada en un informe log. • http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html http://moodle.org/security http://secunia.com/advisories/33955 http://secunia.com/advisories/34418 http://www.debian.org/security/2009/dsa-1724 http://www.openwall.com/lists/oss-security/2009/02/04/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 18EXPL: 0CVE-2009-0502
https://notcve.org/view.php?id=CVE-2009-0502
Cross-site scripting (XSS) vulnerability in blocks/html/block_html.php in Snoopy 1.2.3, as used in Moodle 1.6 before 1.6.9, 1.7 before 1.7.7, 1.8 before 1.8.8, and 1.9 before 1.9.4, allows remote attackers to inject arbitrary web script or HTML via an HTML block, which is not properly handled when the "Login as" feature is used to visit a MyMoodle or Blog page. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en blocks/html/block_html.php en Snoopy v1.2.3, como la utilizada en el Moodle v1.6 anterior a v1.6.9, v1.7 anterior a v1.7.7, v1.8 anterior a v1.8.8, y v1.9 anterior a v1.9.4, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de un bloqueo HTML que no es manejado correctamente cuando la característica "Login as" es utilizada para visitar una página MyMoodle o Blog. • http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html http://moodle.org/security http://secunia.com/advisories/33955 http://secunia.com/advisories/34418 http://www.debian.org/security/2009/dsa-1724 http://www.openwall.com/lists/oss-security/2009/02/04/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •