Moodle Cross Site Scripting and Cross Site Request Forgery Vulnerabilities

Summary
This host is running Moodle and is prone to Cross-Site Scripting and Cross Site Request Forgery Vulnerabilities.
Impact
Successful exploitation will allow attackers to execute arbitrary HTML and script code in a user's browser session in the context of an affected site and to gain knowledge of sensitive information or to conduct cross-site request forgery attacks. Impact Level: Application.
Solution
Upgrade to Moodle version 1.8.13 or 1.9.9 or later. For updates refer to http://moodle.org/downloads/
Insight
The flaws are due to:
- Certain input passed to the 'MNET' access control interface is not properly sanitised before being used.
- Improper validation of user-supplied data to the 'blog/index.php' page, which allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
- An error in the 'KSES text cleaning filter' in 'lib/weblib.php', which fails to properly handle 'vbscript URIs' and so allows remote authenticated users to conduct cross-site scripting (XSS) attacks via HTML input.
- Allowing users to perform certain actions via 'HTTP requests' without performing any validity checks to verify the requests. This can be exploited to delete certain quiz reports by tricking a user into visiting a specially crafted site.
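The KSES issue above is the classic weakness of a scheme blocklist: a filter that only knows 'javascript:' lets 'vbscript:' (and other script-capable schemes) through. The following is an added illustration, not Moodle's code, contrasting such a blocklist with an allow-list scheme check that normalises the URI before inspecting it; the allowed scheme set and the sample URIs are assumptions.

```python
import html
import re
from typing import Optional

# Assumed allow-list of schemes acceptable in href/src attributes.
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})

# Browsers ignore control characters and whitespace while parsing a scheme,
# so they must be removed before the scheme is inspected.
_CONTROL_WS = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):")


def blocklist_is_safe(uri: str) -> bool:
    """Naive blocklist check of the kind the advisory describes: it only
    rejects 'javascript:' and therefore accepts 'vbscript:' URIs."""
    return not uri.lower().startswith("javascript:")


def _normalise_for_scheme(uri: str) -> str:
    """Decode HTML entities and drop control/whitespace characters.
    Used only to decide the scheme; the original URI is not rewritten."""
    return _CONTROL_WS.sub("", html.unescape(uri))


def uri_scheme(uri: str) -> Optional[str]:
    """Return the lower-cased scheme, or None for a relative URI."""
    match = _SCHEME.match(_normalise_for_scheme(uri))
    return match.group(1).lower() if match else None


def is_safe_uri(uri: str) -> bool:
    """Allow-list check: relative URIs and allow-listed schemes only."""
    scheme = uri_scheme(uri)
    if scheme is None:
        return True  # relative URI resolves against the site's own origin
    return scheme in ALLOWED_SCHEMES


if __name__ == "__main__":
    # Constructed sample URIs (no real payloads), showing the difference.
    for sample in ("http://moodle.example/course/view.php?id=2",
                   "/mod/quiz/report.php", "vbscript:example",
                   "&#118;bscript:example", "java\tscript:example"):
        print(f"{sample!r:45} blocklist={blocklist_is_safe(sample)!s:5} "
              f"allowlist={is_safe_uri(sample)}")
```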
Affected
Moodle version 1.8.x prior to 1.8.13
Moodle version 1.9.x prior to 1.9.9
References