GitHub Advisory DatabaseGHSA-CRCQ-PW8H-9XWFMoodle does not provide charset information in HTTP headers
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
AI Score
Confidence
High
EPSS
Percentile
71.9%
lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts.
Affected configurations
References
git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47966
www.securitytracker.com/id/1031215
github.com/advisories/GHSA-crcq-pw8h-9xwf
github.com/moodle/moodle/commit/0a0145c5e8041aadeff303a9f9984c86706b4e42
github.com/moodle/moodle/commit/293e4bbcb71f0a801c2539ea051c58688314b23a
github.com/moodle/moodle/commit/3c98b7a5ad1bb596a738e550fc3bf966d6415fe0
github.com/moodle/moodle/commit/ac6e453d11024bf6ad99ada1bfc641c6b91ebed6
moodle.org/mod/forum/discuss.php?d=275146
nvd.nist.gov/vuln/detail/CVE-2014-9059
web.archive.org/web/20150914064838/www.securitytracker.com/id/1031215
web.archive.org/web/20200229043651/www.securityfocus.com/bid/71133
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
AI Score
Confidence
High
EPSS
Percentile
71.9%