Summary
This host is running Moodle and is affected by multiple vulnerabilities.
Impact
Successful exploitation will allow remote attackers to inject arbitrary web script or HTML via a crafted URL.
Impact level: System/Application
Solution
Upgrade to version 1.8.12 or 1.9.8, or a later release.
http://download.moodle.org/
Insight
- Input passed to the add_to_log() function in the wiki module ('mod/wiki/view.php') and in 'lib/form/selectgroups.php' is not properly sanitised before being used in an SQL query.
- An error in 'user/view.php', which fails to check the user's role.
- An error in the 'phpCAS client library' allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
- An error in the 'fix_non_standard_entities' function in the 'KSES HTML text cleaning library' allows remote attackers to inject arbitrary web script or HTML via crafted HTML entities.
Affected
Moodle version 1.8.x prior to 1.8.12
Moodle version 1.9.x prior to 1.9.8
References
Updated on 2015-03-25
Severity
Classification
CVE: CVE-2010-1614, CVE-2010-1615, CVE-2010-1617, CVE-2010-1618, CVE-2010-1619
CVSS Base Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P