| Summary: | www-apps/moodle: Multiple vulnerabilities | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | blueness, web-apps |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | ~2 [noglsa cve] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
Kristian Fiskerstrand (RETIRED)
2016-11-10 16:17:59 UTC
CVE-2016-9188 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9188): Cross-site scripting (XSS) vulnerabilities in Moodle CMS on or before 3.1.2 allow remote attackers to inject arbitrary web script or HTML via the s_additionalhtmlhead, s_additionalhtmltopofbody, and s_additionalhtmlfooter parameters. CVE-2016-9187 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9187): Unrestricted file upload vulnerability in the double extension support in the "image" module in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors. CVE-2016-9186 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9186): Unrestricted file upload vulnerability in the "legacy course files" and "file manager" modules in Moodle 3.1.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, and then accessing it via unspecified vectors. commit 6a86f651594abfc160c6b6e25954774be1903ca0 Author: Anthony G. Basile <blueness@gentoo.org> Date: Sun Nov 13 08:28:19 2016 -0500 www-apps/moodle: version bumps to 2.7.17, 2.9.9, 3.0.7, 3.1.3, bug #599408. Package-Manager: portage-2.3.0 Also the vulnerable versions are off the tree. |