Lucene search

K

GoogleOSV:GHSA-CRCQ-PW8H-9XWF

HistoryMay 13, 2022 - 1:12 a.m.

Moodle does not provide charset information in HTTP headers

2022-05-1301:12:43

Google

osv.dev

7

moodle

http headers

charset

cross-site scripting

xss

remote attackers

ajax scripts

AI Score

5.8

Confidence

High

EPSS

0.003

Percentile

71.9%

lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts.

References

git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47966

www.securitytracker.com/id/1031215

github.com/moodle/moodle

github.com/moodle/moodle/commit/0a0145c5e8041aadeff303a9f9984c86706b4e42

github.com/moodle/moodle/commit/293e4bbcb71f0a801c2539ea051c58688314b23a

github.com/moodle/moodle/commit/3c98b7a5ad1bb596a738e550fc3bf966d6415fe0

github.com/moodle/moodle/commit/ac6e453d11024bf6ad99ada1bfc641c6b91ebed6

moodle.org/mod/forum/discuss.php?d=275146

nvd.nist.gov/vuln/detail/CVE-2014-9059

web.archive.org/web/20150914064838/www.securitytracker.com/id/1031215

web.archive.org/web/20200229043651/www.securityfocus.com/bid/71133

AI Score

5.8

Confidence

High

EPSS

0.003

Percentile

71.9%

Related for OSV:GHSA-CRCQ-PW8H-9XWF

nvd1 ubuntucve1 cvelist1 prion1 cve1 github1 nessus1