
Moodle < 1.8.12 / 1.9.x < 1.9.8 Multiple Vulnerabilities

High

Synopsis

The remote web server is hosting a web application that is vulnerable to multiple attack vectors.

Description

The version of Moodle installed on the remote host is potentially vulnerable to multiple flaws.

- Multiple unspecified cross-site scripting vulnerabilities exist in the KSES text cleaning library. (MSA-10-0001)

- A cross-site scripting vulnerability exists in the PHP CAS client library. Note that this only affects Moodle installations that use CAS authentication. (MSA-10-0002)

- An issue exists in the course profile page that allows ordinary users to find out the names of other users. (MSA-10-0003)

- Restoring a course sometimes results in the creation of new roles. (MSA-10-0004)

- A SQL injection vulnerability exists in several forms. (MSA-10-0005)

- Data passed to the 'add_to_log()' function in the wiki module is not properly sanitized, which could allow SQL injection attacks. (MSA-10-0006)

- A problem exists in the handling of user submitted data in global search forms. (MSA-10-0007)

- A persistent cross-site scripting issue exists when an admin uses the Login-as feature. (MSA-10-0008)

- The 'Regenerate session id during login' setting is not enabled by default. (MSA-10-0009)

Solution

Upgrade to Moodle version 1.8.12, 1.9.8, or later.
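A defender-side triage helper for the affected ranges named above (anything below 1.8.12, and 1.9.x below 1.9.8), as an added example that is not code from the original page or from Moodle. It assumes Moodle's release-string convention where a trailing '+' marks a build after the numbered release, and conservatively treats such builds as the base version; the host inventory is constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases from the advisory: 1.8.12 for the 1.8 branch (and everything
# below it), 1.9.8 for the 1.9 branch. Later branches (2.x) are outside the
# advisory's stated scope and are treated as not affected (assumption).
FIX_18 = (1, 8, 12)
FIX_19 = (1, 9, 8)

# Accepts '1.9.7', '1.9', and Moodle's post-release marker '1.9.7+'.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?\+?$")


def parse_moodle_version(text: str) -> Tuple[int, int, int]:
    """Parse a Moodle release string into a comparable (major, minor, patch) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Moodle version string: {text!r}")
    major, minor, patch = m.groups()
    # '1.9.7+' is a build after 1.9.7; without a changelog we cannot tell whether
    # the fixes were backported, so it is treated as 1.9.7 (conservative).
    return int(major), int(minor), int(patch or 0)


def is_affected(text: str) -> bool:
    """True if the version falls inside the ranges this advisory covers."""
    ver = parse_moodle_version(text)
    if ver[:2] == (1, 9):
        return ver < FIX_19          # 1.9 branch: fixed in 1.9.8
    if ver < (1, 9, 0):
        return ver < FIX_18          # 1.8 and older: fixed only from 1.8.12
    return False                     # 2.x and later: not in scope (assumption)


# Constructed sample inventory (hostname -> reported Moodle version); not real hosts.
INVENTORY: Dict[str, str] = {
    "lms-a.example": "1.9.7+",
    "lms-b.example": "1.9.8",
    "lms-c.example": "1.8.11",
    "lms-d.example": "1.8.12",
    "lms-e.example": "1.7.3",
    "lms-f.example": "2.0.1",
}


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose Moodle version needs the upgrade described in the advisory."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host in affected_hosts(INVENTORY):
        print(f"{host}: Moodle {INVENTORY[host]} is affected; upgrade to 1.8.12 / 1.9.8 or later")
```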