Description

badges/external.php in Moodle 2.5.x before 2.5.2 does not properly handle an object obtained by unserializing a description of an external badge, which allows remote attackers to conduct PHP object injection attacks via unspecified vectors, as demonstrated by overwriting the value of the userid parameter.

Remediation

References

CVE-2013-5674

Related Vulnerabilities

WordPress Plugin WPML (WordPress Multilingual) Cross-Site Request Forgery (4.3.6)

Drupal Improper Neutralization of Special Elements used in a Command ('Command Injection') Vulnerability (CVE-2020-13664)

WordPress Plugin RestroPress-Online Food Ordering System Security Bypass (2.8.3)

Apache HTTP Server Uncontrolled Resource Consumption Vulnerability (CVE-2009-1891)

WordPress Plugin FV Flowplayer Video Player Cross-Site Scripting (6.0.3.3)

Severity

High

Classification

CVE-2013-5674 CWE-94

Tags

Missing Update Known Vulnerabilities