Summary: | <www-apps/moodle-{2.3.9,2.4.6,2.5.2} : Multiple Vulnerabilities (CVE-2013-{3630,4313,4341,5674}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | CC: | blueness, web-apps |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://secunia.com/advisories/54693/ | ||
Whiteboard: | ~4 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2013-09-10 16:04:46 UTC
CVE-2013-5674 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5674): badges/external.php in Moodle 2.5.x before 2.5.2 does not properly handle an object obtained by unserializing a description of an external badge, which allows remote attackers to conduct PHP object injection attacks via unspecified vectors, as demonstrated by overwriting the value of the userid parameter.

CVE-2013-4341 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4341): Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 allow remote attackers to inject arbitrary web script or HTML via a crafted blog link within an RSS feed.

CVE-2013-4313 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4313): Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not prevent use of '\0' characters in query strings, which might allow remote attackers to conduct SQL injection attacks against Microsoft SQL Server via a crafted string.

CVE-2013-3630 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3630): Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a spell-check operation within the TinyMCE editor.

The newer versions are on the tree and the older vulnerable versions have been removed. Excellent, thank you. Closing noglsa.
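The following is an added illustration of the bug class behind CVE-2013-5674 (PHP object injection through unserialize() of attacker-controlled data), placed here as a reviewer's note. It is not Moodle's code and not part of this bug report: the class `BadgeDescription`, its `userid` field, the function names and the serialized payload are all constructed for the example. It shows the vulnerable pattern (calling unserialize() on a blob supplied by a remote badge issuer, which lets the issuer pick the class, set any field such as userid, and fire magic methods) beside two hardened alternatives: decoding the exchange as JSON into plain data and copying only expected fields, or, on PHP 7.0 and later, unserializing with `allowed_classes => false` so no application class is ever instantiated.

```php
<?php
// Added example of the CVE-2013-5674 vulnerability class: PHP object injection
// via unserialize() of remote data. NOT Moodle's code; class, fields, function
// names and payload below are constructed for illustration.

// A class that exists in the application and carries a magic method. Any such
// class reachable at unserialize() time is a gadget the remote side can pick.
class BadgeDescription
{
    public $name;
    public $userid;

    public function __wakeup()
    {
        // Runs the instant an object of this class is unserialized, before the
        // caller has validated anything.
        echo "__wakeup: userid is now {$this->userid}\n";
    }
}

// Vulnerable pattern: the serialized blob arrives from the external badge
// issuer and is handed straight to unserialize().
function vulnerableLoad(string $blob): BadgeDescription
{
    $obj = unserialize($blob);          // remote side chooses class and fields
    return $obj;
}

// Hardened pattern 1: treat the exchange as data only. Decode JSON into an
// array, validate the fields you expect, and build the object yourself. The
// issuer can no longer choose a class, and userid comes from the session.
function hardenedLoadJson(string $json, int $currentUserId): BadgeDescription
{
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !isset($data['name']) || !is_string($data['name'])) {
        throw new InvalidArgumentException('malformed badge description');
    }
    $badge = new BadgeDescription();
    $badge->name   = $data['name'];
    $badge->userid = $currentUserId;    // never taken from the remote side
    return $badge;
}

// Hardened pattern 2 (PHP >= 7.0): if the serialize() format must be kept,
// refuse to instantiate any class. Objects come back as
// __PHP_Incomplete_Class and no __wakeup()/__destruct() fires.
function hardenedLoadNoClasses(string $blob)
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Constructed attacker payload: a serialized BadgeDescription whose userid was
// rewritten on the issuer side to point at another account (here id 1).
$payload = 'O:16:"BadgeDescription":2:{s:4:"name";s:6:"Helper";s:6:"userid";i:1;}';

$v = vulnerableLoad($payload);                               // __wakeup fires, userid = 1
$h = hardenedLoadJson('{"name":"Helper","userid":1}', 42);   // userid stays 42
$n = hardenedLoadNoClasses($payload);                        // no class instantiated
printf("vulnerable userid=%d, hardened userid=%d, no-classes type=%s\n",
       $v->userid, $h->userid, get_class($n));
```

Run with `php example.php` on PHP 7.3 or later (JSON_THROW_ON_ERROR needs 7.3; `allowed_classes` needs 7.0). The point of the first hardened variant is that the wire format should never be able to name a PHP class at all; the second is the fallback when a legacy serialize() format cannot be replaced. Neither addresses the other three CVEs in this bug, which are separate issues (XSS in RSS blog links, '\0' handling in query strings, and the admin-configurable aspell path).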