CVE-2009-0502
https://notcve.org/view.php?id=CVE-2009-0502
Cross-site scripting (XSS) vulnerability in blocks/html/block_html.php in Snoopy 1.2.3, as used in Moodle 1.6 before 1.6.9, 1.7 before 1.7.7, 1.8 before 1.8.8, and 1.9 before 1.9.4, allows remote attackers to inject arbitrary web script or HTML via an HTML block, which is not properly handled when the "Login as" feature is used to visit a MyMoodle or Blog page. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en blocks/html/block_html.php en Snoopy v1.2.3, como la utilizada en el Moodle v1.6 anterior a v1.6.9, v1.7 anterior a v1.7.7, v1.8 anterior a v1.8.8, y v1.9 anterior a v1.9.4, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de un bloqueo HTML que no es manejado correctamente cuando la característica "Login as" es utilizada para visitar una página MyMoodle o Blog. • http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html http://moodle.org/security http://secunia.com/advisories/33955 http://secunia.com/advisories/34418 http://www.debian.org/security/2009/dsa-1724 http://www.openwall.com/lists/oss-security/2009/02/04/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2008-4796 – Feed2JS File Disclosure
https://notcve.org/view.php?id=CVE-2008-4796
The _httpsrequest function (Snoopy/Snoopy.class.php) in Snoopy 1.2.3 and earlier, as used in (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost, and possibly other products, allows remote attackers to execute arbitrary commands via shell metacharacters in https URLs. La función _httpsrequest function (Snoopy/Snoopy.class.php) en Snoopy 1.2.3 y versiones anteriores, cuando es usada en (1) ampache, (2) libphp-snoopy, (3) mahara, (4) mediamate, (5) opendb, (6) pixelpost y posiblemente otros productos, permite a atacantes remotos ejecutar comandos arbitrarios a través de metacarácteres shell en URLs https. Feed2JS uses MagpieRSS for parsing the feeds, and MagpieRSS uses Snoopy library for fetching the documents. The version of Snoopy in use suffers from a local file disclosure vulnerability. • http://jvn.jp/en/jp/JVN20502807/index.html http://jvndb.jvn.jp/ja/contents/2008/JVNDB-2008-000074.html http://secunia.com/advisories/32361 http://sourceforge.net/forum/forum.php?forum_id=879959 http://www.debian.org/security/2008/dsa-1691 http://www.debian.org/security/2009/dsa-1871 http://www.openwall.com/lists/oss-security/2008/11/01/1 http://www.securityfocus.com/archive/1/496068/100/0/threaded http://www.securityfocus.com/bid/31887 http://www.vupen • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2005-3330 – Snoopy 0.9x/1.0/1.2 - Arbitrary Command Execution
https://notcve.org/view.php?id=CVE-2005-3330
The _httpsrequest function in Snoopy 1.2, as used in products such as (1) MagpieRSS, (2) WordPress, (3) Ampache, and (4) Jinzora, allows remote attackers to execute arbitrary commands via shell metacharacters in an HTTPS URL to an SSL protected web page, which is not properly handled by the fetch function. Feed2JS uses MagpieRSS for parsing the feeds, and MagpieRSS uses Snoopy library for fetching the documents. The version of Snoopy in use suffers from a local file disclosure vulnerability. • https://www.exploit-db.com/exploits/26424 http://marc.info/?l=bugtraq&m=113028858316430&w=2 http://marc.info/?l=bugtraq&m=113062897231412&w=2 http://secunia.com/advisories/17330 http://secunia.com/advisories/17455 http://secunia.com/advisories/17779 http://secunia.com/advisories/17887 http://securityreason.com/securityalert/117 http://securitytracker.com/id?1015104 http://sourceforge.net/project/shownotes.php?release_id=368750 http://sourceforge.net/project/shownotes.php? • CWE-20: Improper Input Validation •