
Moodle < 1.8.12 / 1.9.x < 1.9.8 Multiple Vulnerabilities

High

Synopsis

The remote web server is hosting a web application that is vulnerable to multiple attack vectors.

Description

The version of Moodle installed on the remote host is potentially vulnerable to multiple flaws.

- Multiple unspecified cross-site scripting vulnerabilities in the KSES text cleaning library. (MSA-10-0001)

- A cross-site scripting vulnerability exists in the PHP CAS client library. Note that this only affects Moodle installations that use CAS authentication. (MSA-10-0002)

- An issue exists in the course profile page which allows ordinary users to find out the names of other users. (MSA-10-0003)

- Restoring a course can sometimes result in the creation of new roles. (MSA-10-0004)

- A SQL injection vulnerability exists in several forms. (MSA-10-0005)

- Data passed to the 'add_to_log()' function in the wiki module is not properly sanitized, which could allow SQL injection attacks. (MSA-10-0006)

- A problem exists in the handling of user submitted data in global search forms. (MSA-10-0007)

- A persistent cross-site scripting issue exists when an admin uses the Login-as feature. (MSA-10-0008)

- The 'Regenerate session id during login' setting is not enabled by default. (MSA-10-0009)

Solution

Upgrade to Moodle version 1.8.12, 1.9.8, or later.
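The following shell snippet is an added example, not part of this plugin or of Moodle, showing how an administrator can check an installed release string against the affected ranges stated above (below 1.8.12, or 1.9.x below 1.9.8). It assumes the release string has the form Moodle writes into its version.php file (`$release = '1.9.7+ (Build: 20100312)';`); the sample strings below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the Nessus plugin or Moodle): classify a Moodle
# release string against the affected ranges from this advisory.
# Returns 0 if affected, 1 if not in an affected range, 2 if unparseable.
moodle_affected() {
    # Keep only the leading dotted numeric version ("1.9.7+ (Build: ...)" -> "1.9.7")
    ver=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p')
    [ -n "$ver" ] || return 2
    set -- $(printf '%s\n' "$ver" | tr '.' ' ')
    major=$1; minor=${2:-0}; patch=${3:-0}

    # Anything older than the 1.x line is below 1.8.12 and therefore affected.
    if [ "$major" -lt 1 ]; then return 0; fi
    # 2.x and later are outside the ranges this advisory describes.
    [ "$major" -eq 1 ] || return 1
    # 1.0 .. 1.7.x are all below 1.8.12.
    if [ "$minor" -lt 8 ]; then return 0; fi
    # 1.8.x below 1.8.12
    if [ "$minor" -eq 8 ] && [ "$patch" -lt 12 ]; then return 0; fi
    # 1.9.x below 1.9.8
    if [ "$minor" -eq 9 ] && [ "$patch" -lt 8 ]; then return 0; fi
    return 1
}

# Extract the $release value from a Moodle version.php (assumed format:
# $release = '1.9.7+ (Build: 20100312)';). Prints the string, or nothing.
moodle_release_from_file() {
    sed -n "s/^\\\$release *= *'\\([^']*\\)'.*/\\1/p" "$1"
}

# Human-readable verdict for one release string.
moodle_report() {
    moodle_affected "$1"
    case $? in
        0) echo "$1: affected, upgrade to Moodle 1.8.12, 1.9.8, or later" ;;
        1) echo "$1: not in the affected range" ;;
        *) echo "$1: could not parse release string" ;;
    esac
}

# Constructed sample inputs (not taken from any real installation):
moodle_report "1.9.7+ (Build: 20100312)"
moodle_report "1.8.12 (Build: 20100325)"
moodle_report "2.0 dev"
```

Point `moodle_release_from_file` at the installation's version.php and pass its output to `moodle_report` to check a live install; a release string that does not parse is reported rather than silently treated as safe.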