ID de Prueba:	1.3.6.1.4.1.25623.1.0.800798
Categoría:	Web application abuses
Título:	Moodle XSS and CSRF Vulnerabilities
Resumen:	Moodle is prone to cross-site ccripting (XSS) and cross-site; request forgery (CSRF) vulnerabilities.
Descripción:	Summary: Moodle is prone to cross-site ccripting (XSS) and cross-site request forgery (CSRF) vulnerabilities. Vulnerability Insight: The flaws are due to: - Certain input passed to the 'MNET' access control interface is not properly sanitised before being used. - Improper validation of user supplied data to the 'blog/index.php' page, which allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. - Error in 'KSES text cleaning filter' in 'lib/weblib.php' which fails to properly handle 'vbscript URIs', which allows remote authenticated users to conduct cross-site scripting (XSS) attacks via HTML input. - Allowing users to perform certain actions via 'HTTP requests' without performing any validity checks to verify the requests. This can be exploited to delete certain quiz reports by tricking a user into visiting a specially crafted site. Vulnerability Impact: Successful exploitation will allow attackers to execute arbitrary HTML and script code in a user's browser session in the context of an affected site and to gain knowledge of sensitive information or to conduct cross-site request forgery attacks. Affected Software/OS: Moodle version 1.8.x prior to 1.8.13 Moodle version 1.9.x prior to 1.9.9 Solution: Upgrade to Moodle version 1.8.13 or 1.9.9 or later. CVSS Score: 6.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2010-2229 40248 http://secunia.com/advisories/40248 40352 http://secunia.com/advisories/40352 ADV-2010-1530 http://www.vupen.com/english/advisories/2010/1530 ADV-2010-1571 http://www.vupen.com/english/advisories/2010/1571 FEDORA-2010-10286 http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043285.html FEDORA-2010-10291 http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043291.html FEDORA-2010-10321 http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043340.html SUSE-SR:2010:014 http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html [oss-security] 20100621 Re: CVE request: moodle 1.9.9/1.8.13 multiple vulnerabilities http://www.openwall.com/lists/oss-security/2010/06/21/2 http://cvs.moodle.org/moodle/blog/lib.php?r1=1.62.2.9&r2=1.62.2.10 http://cvs.moodle.org/moodle/blog/lib.php?r1=1.80.2.20&r2=1.80.2.21 http://docs.moodle.org/en/Moodle_1.8.13_release_notes http://docs.moodle.org/en/Moodle_1.9.9_release_notes http://moodle.org/mod/forum/discuss.php?d=152367 http://tracker.moodle.org/browse/MDL-22631 https://bugzilla.redhat.com/show_bug.cgi?id=605809 Common Vulnerability Exposure (CVE) ID: CVE-2010-2228 http://moodle.org/mod/forum/discuss.php?d=152366 http://tracker.moodle.org/browse/MDL-22040 Common Vulnerability Exposure (CVE) ID: CVE-2010-2231 http://cvs.moodle.org/moodle/mod/quiz/report/overview/report.php?r1=1.98.2.50&r2=1.98.2.51 http://moodle.org/mod/forum/discuss.php?d=152369 http://tracker.moodle.org/browse/MDL-21688 Common Vulnerability Exposure (CVE) ID: CVE-2010-2230 http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.812.2.114&r2=1.812.2.115 http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.970.2.171&r2=1.970.2.172 http://moodle.org/mod/forum/discuss.php?d=152368 http://tracker.moodle.org/browse/MDL-22042
Copyright	Copyright (C) 2010 Greenbone AG

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa. Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.