Moodle < 1.8.12 / 1.9.x < 1.9.8 Multiple Vulnerabilities
High Nessus Network Monitor Plugin ID 5504
SynopsisThe remote web server is hosting a web application that is vulnerable to multiple attack vectors.
DescriptionThe version of Moodle installed on the remote host is potentially vulnerable to multiple flaws.
- Multiple unspecified cross-site scripting vulnerabilities in the KSES text cleaning library. (MSA-10-0001)
- A cross-site scripting vulnerability exists in the PHP CAS client library. Note that this only affects Moodle installations that use CAS authentication. (MSA-10-0002)
- An issue exists in the course profile page which allows ordinary users to find out the names of other users. (MSA-10-0003)
- The restoring of courses sometimes results in creation of new roles. (MSA-10-0004)
- A SQL injection vulnerability exists in several forms. (MSA-10-0005)
- Data passed to the 'add_to_log()' function in the wiki module is not properly sanitized which could allow SQL injection attacks. (MSA-10-0006)
- A problem exists in the handling of user submitted data in global search forms. (MSA-10-0007)
- A persistent cross-site scripting issue exists when an admin uses the Login-as feature. (MSA-10-0008)
- The 'Regenerate session id during login' setting is not enabled by default. (MSA-10-0009)
SolutionUpgrade to Moodle version 1.8.12, 1.9.8, or later.