The MoodleQuickForm class in the Forms Library in lib/formslib.php in Moodle 1.9.x before 1.9.14, 2.0.x before 2.0.5, and 2.1.x before 2.1.2 does not recognize Forms API setConstant operations, which allows remote attackers to submit unexpected form content by modifying the values of constant fields.
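The class of flaw described above, as an added example that is not Moodle's code or its patch: a hypothetical SketchForm class contrasts an export that returns constant fields as submitted with one that re-applies the server-side constants and reports any mismatch. All class, method and field names and the sample submission are assumptions made for illustration.

```php
<?php
// Illustrative model only: SketchForm is hypothetical, not MoodleQuickForm.
declare(strict_types=1);

final class SketchForm
{
    private array $fields = [];     // field names the form declares
    private array $constants = [];  // values fixed on the server

    public function addField(string $name): void
    {
        $this->fields[$name] = true;
    }

    public function setConstant(string $name, $value): void
    {
        $this->constants[$name] = $value;
    }

    // Flawed: constants only affect rendering; submitted values come back as sent.
    public function exportIgnoringConstants(array $submitted): array
    {
        return array_intersect_key($submitted, $this->fields);
    }

    // Hardened: constants overwrite whatever the client sent for those fields.
    public function exportValues(array $submitted): array
    {
        $values = array_intersect_key($submitted, $this->fields);
        return array_merge($values, array_intersect_key($this->constants, $this->fields));
    }

    // Detection aid: constant fields whose submitted value differs from the server's.
    public function tamperedConstants(array $submitted): array
    {
        $sent = array_intersect_key($submitted, $this->constants);
        $changed = array_filter($sent, fn($v, $k) => (string)$v !== (string)$this->constants[$k], ARRAY_FILTER_USE_BOTH);
        return array_keys($changed);
    }
}

$form = new SketchForm();
$form->addField('courseid');
$form->addField('comment');
$form->setConstant('courseid', 42);

// Constructed sample submission: the constant field differs from the server value.
$submitted = ['courseid' => '7', 'comment' => 'hello', 'undeclared' => 'x'];
var_dump($form->exportIgnoringConstants($submitted));
var_dump($form->exportValues($submitted), $form->tamperedConstants($submitted));
```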
git.moodle.org/gw?p=moodle.git;a=commit;h=f1f70bd4dde6cd1ea4bdb8ab28fa3d36a53b89d8
moodle.org/mod/forum/discuss.php?d=188313
bugzilla.redhat.com/show_bug.cgi?id=747444
github.com/moodle/moodle
github.com/moodle/moodle/commit/1f52e72526c305989eadc702b5299edb2a50ac3c
github.com/moodle/moodle/commit/2a44c5192c875c4f4b4e813d7227b19d8fda86ba
github.com/moodle/moodle/commit/a6f18c98f43b6fc6b8b7c4e96af41cb4a626e1b8
github.com/moodle/moodle/commit/f1f70bd4dde6cd1ea4bdb8ab28fa3d36a53b89d8
nvd.nist.gov/vuln/detail/CVE-2011-4301