CVE-2009-4300
https://notcve.org/view.php?id=CVE-2009-4300
Multiple unspecified authentication plugins in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 store the MD5 hashes for passwords in the user table, even when the cached hashes are not used by the plugin, which might make it easier for attackers to obtain credentials via unspecified vectors. Múltiples plugins de autenticación sin especificar en Moodle v1.8 anteriores a v1.8.11 y v1.9 anteriores a v1.9.7 almacenan los hash MD5 para las contraseñas en la tabla de usuario, incluso cuando los hashes que se cachean no son utilizados por el plugin, lo que haría mas fácil a atacantes obtener credenciales a través de vectores sin especificar. • http://docs.moodle.org/en/Moodle_1.8.11_release_notes http://docs.moodle.org/en/Moodle_1.9.7_release_notes http://moodle.org/mod/forum/discuss.php?d=139105 http://secunia.com/advisories/37614 http://www.securityfocus.com/bid/37244 http://www.vupen.com/english/advisories/2009/3455 https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00704.html https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00730.html https://www.redhat.com/ar • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2009-4305
https://notcve.org/view.php?id=CVE-2009-4305
SQL injection vulnerability in the SCORM module in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 allows remote authenticated users to execute arbitrary SQL commands via vectors related to an "escaping issue when processing AICC CRS file (Course_Title)." Vulnerabilidad de inyección en el módulo SCORM en Moodle v1.8 anteriores a v1.8.11 y v1.9 anteriores a la v1.9.7 permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través de de vectores relacionados con un "asunto de escapado cuando se procesa un fichero AICC CRS (Course_Title)." • http://docs.moodle.org/en/Moodle_1.8.11_release_notes http://docs.moodle.org/en/Moodle_1.9.7_release_notes http://moodle.org/mod/forum/discuss.php?d=139120 http://secunia.com/advisories/37614 http://www.securityfocus.com/bid/37244 http://www.vupen.com/english/advisories/2009/3455 https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00704.html https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00730.html https://www.redhat.com/ar • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2009-1171 – Moodle < 1.6.9/1.7.7/1.8.9/1.9.5 - File Disclosure
https://notcve.org/view.php?id=CVE-2009-1171
The TeX filter in Moodle 1.6 before 1.6.9+, 1.7 before 1.7.7+, 1.8 before 1.8.9, and 1.9 before 1.9.5 allows user-assisted attackers to read arbitrary files via an input command in a "$$" sequence, which causes LaTeX to include the contents of the file. El filtro TeX en Moodle v1.6 anteriores a v1.6.9+, v1.7 anteriores a v1.7.7+, v1.8 anteriores a v1.8.9, y v1.9 anteriores a v1.9.5 permite a atacantes con la intervención del usuario leer ficheros de su elección mediante un comando "input" en secuencia con "$$", provocando que LaTeX incluya el contenido del fichero. • https://www.exploit-db.com/exploits/8297 http://cvs.moodle.org/moodle/filter/tex/filter.php?r1=1.18.4.4&r2=1.18.4.5 http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html http://secunia.com/advisories/34517 http://secunia.com/advisories/34557 http://secunia.com/advisories/34600 http://secunia.com/advisories/35570 http://tracker.moodle.org/browse/MDL-18552 http://www.debian.org/security/2009/dsa-1761 http://www.securityfocus.com/archive/1/5 • CWE-20: Improper Input Validation •
CVE-2008-6125
https://notcve.org/view.php?id=CVE-2008-6125
Unspecified vulnerability in the user editing interface in Moodle 1.5.x, 1.6 before 1.6.6, and 1.7 before 1.7.3 allows remote authenticated users to gain privileges via unknown vectors. Vulnerabilidad no especificada en el interface de edición de usuario en Moodel v1.5.x, v1.6 anteriores a v1.6.6, y v1.7 anteriores a v1.7.3 que permite a los usuarios remotos autenticados obtener privilegios a través de vectores desconocidos. • http://moodle.org/mod/forum/discuss.php?d=87971 http://www.debian.org/security/2008/dsa-1691 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2008-6124
https://notcve.org/view.php?id=CVE-2008-6124
SQL injection vulnerability in the hotpot_delete_selected_attempts function in report.php in the HotPot module in Moodle 1.6 before 1.6.7, 1.7 before 1.7.5, 1.8 before 1.8.6, and 1.9 before 1.9.2 allows remote attackers to execute arbitrary SQL commands via a crafted selected attempt. Vulnerabilidad de inyección SQL en la función hotpot_delete_selected_attempts en report.php en el módulo the HotPot en Moodle v1.6 anteriores a 1.6.7, v1.7 anteriores a v1.7.5, v1.8 anteriores v1.8.6, y v1.9 anteriores a v1.9.2 permite a los atacantes ejecutar arbitrariamente comandos SQL a través de un intento seleccionado manipulado. • http://cvs.moodle.org/moodle/mod/hotpot/report.php?r1=1.8.6.1&r2=1.8.6.2 http://moodle.org/mod/forum/discuss.php?d=101402 http://www.debian.org/security/2008/dsa-1691 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •