3.5

CVE-2014-3544

Exploit
Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MoodleMoodle Version2.4.0
MoodleMoodle Version2.4.1
MoodleMoodle Version2.4.2
MoodleMoodle Version2.4.3
MoodleMoodle Version2.4.4
MoodleMoodle Version2.4.5
MoodleMoodle Version2.4.6
MoodleMoodle Version2.4.7
MoodleMoodle Version2.4.8
MoodleMoodle Version2.4.9
MoodleMoodle Version2.4.10
MoodleMoodle Version <= 2.3.11
MoodleMoodle Version2.3.0
MoodleMoodle Version2.3.1
MoodleMoodle Version2.3.2
MoodleMoodle Version2.3.3
MoodleMoodle Version2.3.4
MoodleMoodle Version2.3.5
MoodleMoodle Version2.3.6
MoodleMoodle Version2.3.7
MoodleMoodle Version2.3.8
MoodleMoodle Version2.3.9
MoodleMoodle Version2.3.10
MoodleMoodle Version2.6.0
MoodleMoodle Version2.6.1
MoodleMoodle Version2.6.2
MoodleMoodle Version2.6.3
MoodleMoodle Version2.7.0
MoodleMoodle Version2.5.0
MoodleMoodle Version2.5.1
MoodleMoodle Version2.5.2
MoodleMoodle Version2.5.3
MoodleMoodle Version2.5.4
MoodleMoodle Version2.5.5
MoodleMoodle Version2.5.6
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.67% 0.906
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 3.5 6.8 2.9
AV:N/AC:M/Au:S/C:N/I:P/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://openwall.com/lists/oss-security/2014/07/21/1
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45683
Patch
http://osandamalith.wordpress.com/2014/07/25/moodle-2-7-persistent-xss/
Exploit
http://osvdb.org/show/osvdb/109337
http://packetstormsecurity.com/files/127624/Moodle-2.7-Cross-Site-Scripting.html
Exploit
http://www.exploit-db.com/exploits/34169
http://www.securityfocus.com/bid/68756
https://github.com/moodle/moodle/commit/ce5a785b0962c3c94c7a7b0d36176482d21db95d
Patch
https://moodle.org/mod/forum/discuss.php?d=264265
Vendor Advisory