Veracode Vulnerability Database, VERACODE:4531
Jul 05, 2017 - 7:41 a.m.

XML External Entity (XXE) Injection

2017-07-05 07:41:40
Veracode Vulnerability Database
sca.analysiscenter.veracode.com

CVSS2: 4.3 Medium

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Moodle is susceptible to XML external entity (XXE) injection attacks. The vulnerability exists because mod/imscp/locallib.php does not filter the XML files supplied as input for the IMSCC course format or the IMSCP resource, allowing attackers to submit malicious XML files and read server-side files.
