CVE-2021-36568
https://notcve.org/view.php?id=CVE-2021-36568
In certain Moodle products after creating a course, it is possible to add in a arbitrary "Topic" a resource, in this case a "Database" with the type "Text" where its values "Field name" and "Field description" are vulnerable to Cross Site Scripting Stored(XSS). This affects Moodle 3.11 and Moodle 3.10.4 and Moodle 3.9.7. En determinados productos Moodle después de crear un curso, es posible añadir en un "Topic" arbitrario un recurso, en este caso una "Database" con el tipo "Text" donde sus valores "Field name" y "Field description" son vulnerables a un ataque de tipo Cross Site Scripting (XSS) Almacenado. Esto afecta a Moodle versión 3.11 y Moodle versión 3.10.4 y Moodle versión 3.9.7 • https://blog.hackingforce.com.br/en/cve-2021-36568 https://drive.google.com/drive/folders/1_fO4BKpmD3avGYHSzvIXWs5owqVYgB1s?usp=sharing https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ERQ3NHVOK4ZXT4MS4LBQ2ZJHTON3LIMW https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PRI4ETMQ4DJR3TZUOOGPBQ32RBD5LNGC • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-14320
https://notcve.org/view.php?id=CVE-2020-14320
In Moodle before 3.9.1, 3.8.4 and 3.7.7, the filter in the admin task log required extra sanitizing to prevent a reflected XSS risk. En Moodle versiones anteriores a 3.9.1, 3.8.4 y 3.7.7, el filtro en el registro de tareas del administrador requería un saneo extra para prevenir un riesgo de tipo XSS reflejado. • https://moodle.org/mod/forum/discuss.php?d=407392 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-1756
https://notcve.org/view.php?id=CVE-2020-1756
In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, insufficient input escaping was applied to the PHP unit webrunner admin tool. En Moodle versiones anteriores a 3.8.2, 3.7.5, 3.6.9 y 3.5.11, era aplicado un escape de entrada insuficiente a la herramienta de administración webrunner de la unidad PHP. • https://moodle.org/mod/forum/discuss.php?d=398352 • CWE-20: Improper Input Validation •
CVE-2020-1755
https://notcve.org/view.php?id=CVE-2020-1755
In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, X-Forwarded-For headers could be used to spoof a user's IP, in order to bypass remote address checks. En Moodle versiones anteriores a 3.8.2, 3.7.5, 3.6.9 y 3.5.11, los encabezados X-Forwarded-For podían usarse para falsificar la IP de un usuario, con el fin de omitir las comprobaciones de direcciones remotas. • https://moodle.org/mod/forum/discuss.php?d=398351 • CWE-345: Insufficient Verification of Data Authenticity •
CVE-2020-14322
https://notcve.org/view.php?id=CVE-2020-14322
In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, yui_combo needed to limit the amount of files it can load to help mitigate the risk of denial of service. En Moodle versiones anteriores a 3.9.1, 3.8.4, 3.7.7 y 3.5.13, yui_combo necesitaba limitar la cantidad de archivos que puede cargar para ayudar a mitigar el riesgo de denegación de servicio. • https://moodle.org/mod/forum/discuss.php?d=407394 • CWE-770: Allocation of Resources Without Limits or Throttling •