Moodle CVE-2014-3551 Multiple Cross Site Scripting Vulnerabilities
BID:68763
Info
Moodle CVE-2014-3551 Multiple Cross Site Scripting Vulnerabilities
| Bugtraq ID: | 68763 |
| Class: | Input Validation Error |
| CVE: |
CVE-2014-3551 |
| Remote: | Yes |
| Local: | No |
| Published: | Jul 21 2014 12:00AM |
| Updated: | Apr 13 2015 09:56PM |
| Credit: | Javier E. García Prada |
| Vulnerable: |
Moodle Moodle 2.6.3 Moodle Moodle 2.6.2 Moodle Moodle 2.6.1 Moodle Moodle 2.5.6 Moodle Moodle 2.5.4 Moodle Moodle 2.5.2 Moodle Moodle 2.5.1 Moodle Moodle 2.4.10 Moodle Moodle 2.4.8 Moodle Moodle 2.4.6 Moodle Moodle 2.4.5 Moodle Moodle 2.4.4 Moodle Moodle 2.4.3 Moodle Moodle 2.7 Moodle Moodle 2.6 Moodle Moodle 2.5.5 Moodle Moodle 2.5.3 Moodle Moodle 2.5 Moodle Moodle 2.4.9 Moodle Moodle 2.4.7 Moodle Moodle 2.4.2 Moodle Moodle 2.4.1 Moodle Moodle 2.4 |
| Not Vulnerable: |
Moodle Moodle 2.7.1 Moodle Moodle 2.6.4 Moodle Moodle 2.5.7 Moodle Moodle 2.4.11 |
Discussion
Moodle CVE-2014-3551 Multiple Cross Site Scripting Vulnerabilities
Moodle is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Moodle versions 2.7, 2.6 through 2.6.3, 2.5 through 2.5.6, and 2.4 through 2.4.10 are vulnerable.
Moodle is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Moodle versions 2.7, 2.6 through 2.6.3, 2.5 through 2.5.6, and 2.4 through 2.4.10 are vulnerable.
Exploit / POC
Moodle CVE-2014-3551 Multiple Cross Site Scripting Vulnerabilities
An attacker can exploit these issues by enticing an unsuspecting user to follow a malicious URI.
An attacker can exploit these issues by enticing an unsuspecting user to follow a malicious URI.
Solution / Fix
Moodle CVE-2014-3551 Multiple Cross Site Scripting Vulnerabilities
Solution:
Updates are available. Please see the references or vendor advisory for more information.
Solution:
Updates are available. Please see the references or vendor advisory for more information.
References
Moodle CVE-2014-3551 Multiple Cross Site Scripting Vulnerabilities
References:
References:
- Moodle Homepage (Moodle)
- MSA-14-0032: Cross-site scripting in advanced grading methods (Moodle)
- weekly release 2.8dev (Moodle)