Executive Summary
Summary | |
---|---|
Title | New moodle packages fix several vulnerabilities |
Information | | | |
---|---|---|---|
Name | DSA-1691 | First vendor Publication | 2008-12-22 |
Vendor | Debian | Last vendor Modification | 2008-12-22 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
CVSS vector : N/A | | | |
---|---|---|---|
Overall CVSS Score | NA | | |
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2
CVSS vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | | | |
---|---|---|---|
CVSS Base Score | 10 | Attack Range | Network |
CVSS Impact Score | 10 | Attack Complexity | Low |
CVSS Exploit Score | 10 | Authentication | None Required |
Detail
Several remote vulnerabilities have been discovered in Moodle, an online course management system. The following issues are addressed in this update, ranging from cross site scripting to remote code execution.

Various cross site scripting issues in the Moodle codebase (CVE-2008-3326, CVE-2008-3325, CVE-2007-3555, CVE-2008-5432, MSA-08-0021, MDL-8849, MDL-12793, MDL-11414, MDL-14806, MDL-10276).

Various cross site request forgery issues in the Moodle codebase (CVE-2008-3325, MSA-08-0023).

Privilege escalation bugs in the Moodle codebase (MSA-08-0001, MDL-7755).

SQL injection issue in the hotpot module (MSA-08-0010).

An embedded copy of Smarty had several vulnerabilities (CVE-2008-4811, CVE-2008-4810).

An embedded copy of Snoopy was vulnerable to cross site scripting (CVE-2008-4796).

An embedded copy of Kses was vulnerable to cross site scripting (CVE-2008-1502).

For the stable distribution (etch), these problems have been fixed in version 1.6.3-2+etch1.

For the unstable distribution (sid), these problems have been fixed in version 1.8.2.dfsg-2.

We recommend that you upgrade your moodle (1.6.3-2+etch1) package.
Original Source
Url : http://www.debian.org/security/2008/dsa-1691
CAPEC : Common Attack Pattern Enumeration & Classification
Id | Name |
---|---|
CAPEC-6 | Argument Injection |
CAPEC-15 | Command Delimiters |
CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
CAPEC-88 | OS Command Injection |
CAPEC-108 | Command Line Execution through SQL Injection |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
33 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
22 % | CWE-264 | Permissions, Privileges, and Access Controls |
11 % | CWE-352 | Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25) |
11 % | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
11 % | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25) |
11 % | CWE-78 | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:17657 | | | |
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:17657 | | |
Title: | USN-658-1 -- moodle vulnerability | | |
Description: | Lukasz Pilorz discovered that the HTML filtering used in Moodle was not strict enough. | | |
Family: | unix | Class: | patch |
Reference(s): | USN-658-1 CVE-2008-1502 | Version: | 7 |
Platform(s): | Ubuntu 7.10 Ubuntu 8.04 | Product(s): | moodle |
Definition Id: oval:org.mitre.oval:def:20060 | | | |
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:20060 | | |
Title: | DSA-1691-1 moodle - several vulnerabilities | | |
Description: | Several remote vulnerabilities have been discovered in Moodle, an online course management system. The following issues are addressed in this update, ranging from cross site scripting to remote code execution. | | |
Family: | unix | Class: | patch |
Reference(s): | DSA-1691-1 CVE-2007-3555 CVE-2008-1502 CVE-2008-3325 CVE-2008-3326 CVE-2008-4796 CVE-2008-4810 CVE-2008-4811 CVE-2008-5432 | Version: | 5 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | moodle |
Definition Id: oval:org.mitre.oval:def:7939 | | | |
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:7939 | | |
Title: | DSA-1691 moodle -- several vulnerabilities | | |
Description: | Several remote vulnerabilities have been discovered in Moodle, an online course management system. The following issues are addressed in this update, ranging from cross site scripting to remote code execution. Various cross site scripting issues in the Moodle codebase (CVE-2008-3326, CVE-2008-3325, CVE-2007-3555, CVE-2008-5432, MSA-08-0021, MDL-8849, MDL-12793, MDL-11414, MDL-14806, MDL-10276). Various cross site request forgery issues in the Moodle codebase (CVE-2008-3325, MSA-08-0023). Privilege escalation bugs in the Moodle codebase (MSA-08-0001, MDL-7755). SQL injection issue in the hotpot module (MSA-08-0010). An embedded copy of Smarty had several vulnerabilities (CVE-2008-4811, CVE-2008-4810). An embedded copy of Snoopy was vulnerable to cross site scripting (CVE-2008-4796). An embedded copy of Kses was vulnerable to cross site scripting (CVE-2008-1502). | | |
Family: | unix | Class: | patch |
Reference(s): | DSA-1691 CVE-2007-3555 CVE-2008-1502 CVE-2008-3325 CVE-2008-3326 CVE-2008-4796 CVE-2008-4810 CVE-2008-4811 CVE-2008-5432 | Version: | 3 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | moodle |
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Name | File |
---|---|---|
2011-03-09 | Gentoo Security Advisory GLSA 201006-13 (smarty) | nvt/glsa_201006_13.nasl |
2010-08-21 | Debian Security Advisory DSA 1919-2 (smarty) | nvt/deb_1919_2.nasl |
2009-12-14 | Fedora Core 10 FEDORA-2009-13040 (moodle) | nvt/fcore_2009_13040.nasl |
2009-10-27 | Debian Security Advisory DSA 1919-1 (smarty) | nvt/deb_1919_1.nasl |
2009-10-19 | Mandrake Security Advisory MDVSA-2009:265 (egroupware) | nvt/mdksa_2009_265.nasl |
2009-09-02 | Debian Security Advisory DSA 1871-1 (wordpress) | nvt/deb_1871_1.nasl |
2009-09-02 | Debian Security Advisory DSA 1871-2 (wordpress) | nvt/deb_1871_2.nasl |
2009-06-30 | Ubuntu USN-791-1 (moodle) | nvt/ubuntu_791_1.nasl |
2009-06-05 | Ubuntu USN-723-1 (git-core) | nvt/ubuntu_723_1.nasl |
2009-06-05 | Ubuntu USN-698-1 (nagios) | nvt/ubuntu_698_1.nasl |
2009-04-06 | Fedora Core 10 FEDORA-2009-3280 (moodle) | nvt/fcore_2009_3280.nasl |
2009-04-06 | Fedora Core 9 FEDORA-2009-3283 (moodle) | nvt/fcore_2009_3283.nasl |
2009-03-23 | Ubuntu Update for moodle vulnerability USN-658-1 | nvt/gb_ubuntu_USN_658_1.nasl |
2009-03-02 | Mandrake Security Advisory MDVSA-2009:052 (php-smarty) | nvt/mdksa_2009_052.nasl |
2009-02-18 | Fedora Core 10 FEDORA-2009-1699 (moodle) | nvt/fcore_2009_1699.nasl |
2009-02-17 | Fedora Update for moodle FEDORA-2008-9502 | nvt/gb_fedora_2008_9502_moodle_fc8.nasl |
2009-02-17 | Fedora Update for moodle FEDORA-2008-9903 | nvt/gb_fedora_2008_9903_moodle_fc10.nasl |
2009-02-17 | Fedora Update for moodle FEDORA-2008-9508 | nvt/gb_fedora_2008_9508_moodle_fc9.nasl |
2009-02-17 | Fedora Update for php-Smarty FEDORA-2008-9420 | nvt/gb_fedora_2008_9420_php-Smarty_fc9.nasl |
2009-02-17 | Fedora Update for php-Smarty FEDORA-2008-9401 | nvt/gb_fedora_2008_9401_php-Smarty_fc8.nasl |
2009-02-17 | Fedora Update for wordpress FEDORA-2008-9304 | nvt/gb_fedora_2008_9304_wordpress_fc8.nasl |
2009-02-17 | Fedora Update for wordpress FEDORA-2008-9257 | nvt/gb_fedora_2008_9257_wordpress_fc9.nasl |
2009-02-17 | Fedora Update for moodle FEDORA-2008-6226 | nvt/gb_fedora_2008_6226_moodle_fc8.nasl |
2009-02-16 | Fedora Update for php-Smarty FEDORA-2008-10409 | nvt/gb_fedora_2008_10409_php-Smarty_fc10.nasl |
2009-02-13 | Fedora Core 9 FEDORA-2009-1641 (moodle) | nvt/fcore_2009_1641.nasl |
2009-02-13 | Fedora Update for moodle FEDORA-2008-11577 | nvt/gb_fedora_2008_11577_moodle_fc9.nasl |
2009-02-13 | Fedora Update for moodle FEDORA-2008-11550 | nvt/gb_fedora_2008_11550_moodle_fc10.nasl |
2009-02-02 | SuSE Security Summary SUSE-SR:2009:003 | nvt/suse_sr_2009_003.nasl |
2009-01-26 | Fedora Core 10 FEDORA-2009-0819 (moodle) | nvt/fcore_2009_0819.nasl |
2009-01-26 | Fedora Core 9 FEDORA-2009-0814 (moodle) | nvt/fcore_2009_0814.nasl |
2008-12-29 | Ubuntu USN-698-2 (nagios3) | nvt/ubuntu_698_2.nasl |
2008-12-29 | Ubuntu USN-699-1 (blender) | nvt/ubuntu_699_1.nasl |
2008-12-29 | Debian Security Advisory DSA 1691-1 (moodle) | nvt/deb_1691_1.nasl |
2008-11-01 | FreeBSD Ports: wordpress, de-wordpress, wordpress-mu | nvt/freebsd_wordpress8.nasl |
2008-09-24 | Gentoo Security Advisory GLSA 200805-04 (egroupware) | nvt/glsa_200805_04.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
52467 | HotPot Module for Moodle report.php hotpot_delete_selected_attempts Function ... |
52465 | Moodle User Editing Interface Unspecified Remote Privilege Escalation |
50627 | Moodle Wiki Page Names Unspecified XSS |
49943 | Smarty libs/Smarty_Compiler.class.php _expand_quoted_text() Function Arbitrar... |
49261 | Snoopy _httpsrequest() Function Arbitrary Shell Command Injection |
47128 | Moodle Edit Profile Page CSRF |
47127 | Moodle blog/edit.php etitle Parameter XSS |
43677 | KSES class.kses.inc.php _bad_protocol_once() Function HTML Filter Bypass |
36366 | Moodle index.php search Parameter XSS Moodle contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'search' variables upon submission to the 'index.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
Nessus® Vulnerability Scanner
Date | Name | File | Type |
---|---|---|---|
2017-10-04 | The remote Amazon Linux AMI host is missing a security update. | ala_ALAS-2017-899.nasl | ACT_GATHER_INFO |
2017-02-21 | The remote Gentoo host is missing one or more security-related patches. | gentoo_GLSA-201702-26.nasl | ACT_GATHER_INFO |
2010-06-03 | The remote Gentoo host is missing one or more security-related patches. | gentoo_GLSA-201006-13.nasl | ACT_GATHER_INFO |
2010-02-24 | The remote Debian host is missing a security-related update. | debian_DSA-1871.nasl | ACT_GATHER_INFO |
2010-02-24 | The remote Debian host is missing a security-related update. | debian_DSA-1919.nasl | ACT_GATHER_INFO |
2009-07-21 | The remote openSUSE host is missing a security update. | suse_11_0_moodle-090119.nasl | ACT_GATHER_INFO |
2009-07-21 | The remote openSUSE host is missing a security update. | suse_11_0_moodle-080801.nasl | ACT_GATHER_INFO |
2009-06-25 | The remote Ubuntu host is missing a security-related patch. | ubuntu_USN-791-1.nasl | ACT_GATHER_INFO |
2009-04-23 | The remote Ubuntu host is missing a security-related patch. | ubuntu_USN-658-1.nasl | ACT_GATHER_INFO |
2009-04-23 | The remote Fedora host is missing a security update. | fedora_2008-9903.nasl | ACT_GATHER_INFO |
2009-04-23 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2009-052.nasl | ACT_GATHER_INFO |
2009-04-23 | The remote Fedora host is missing a security update. | fedora_2008-10409.nasl | ACT_GATHER_INFO |
2009-01-22 | The remote openSUSE host is missing a security update. | suse_moodle-5938.nasl | ACT_GATHER_INFO |
2008-12-22 | The remote Debian host is missing a security-related update. | debian_DSA-1691.nasl | ACT_GATHER_INFO |
2008-11-09 | The remote Fedora host is missing a security update. | fedora_2008-9508.nasl | ACT_GATHER_INFO |
2008-11-09 | The remote Fedora host is missing a security update. | fedora_2008-9502.nasl | ACT_GATHER_INFO |
2008-11-07 | The remote Fedora host is missing a security update. | fedora_2008-9420.nasl | ACT_GATHER_INFO |
2008-11-07 | The remote Fedora host is missing a security update. | fedora_2008-9401.nasl | ACT_GATHER_INFO |
2008-11-07 | The remote Fedora host is missing a security update. | fedora_2008-9304.nasl | ACT_GATHER_INFO |
2008-11-07 | The remote Fedora host is missing a security update. | fedora_2008-9257.nasl | ACT_GATHER_INFO |
2008-10-27 | The remote FreeBSD host is missing one or more security-related updates. | freebsd_pkg_3a4a3e9ca1fe11dd81be001c2514716c.nasl | ACT_GATHER_INFO |
2008-08-07 | The remote openSUSE host is missing a security update. | suse_moodle-5487.nasl | ACT_GATHER_INFO |
2008-08-07 | The remote openSUSE host is missing a security update. | suse_moodle-5488.nasl | ACT_GATHER_INFO |
2008-07-16 | The remote openSUSE host is missing a security update. | suse_moodle-5439.nasl | ACT_GATHER_INFO |
2008-07-10 | The remote Fedora host is missing a security update. | fedora_2008-6226.nasl | ACT_GATHER_INFO |
2008-05-09 | The remote Gentoo host is missing one or more security-related patches. | gentoo_GLSA-200805-04.nasl | ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 11:28:05 | |