CVE-2011-4294

The error-message functionality in Moodle 1.9.x before 1.9.13, 2.0.x before 2.0.4, and 2.1.x before 2.1.1 does not ensure that a continuation link refers to an http or https URL for the local Moodle instance, which might allow attackers to trick users into visiting arbitrary web sites via unspecified vectors.

CVSS v2.0 5.8 MEDIUM

5.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:P

Exploitability : 8.6 / Impact : 4.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://git.moodle.org/gw?p=moodle.git%3Ba=commit%3Bh=8f9f666c902cb30ef6f519353f38c45a29fdf4a6
http://moodle.org/mod/forum/discuss.php?d=182737	Vendor Advisory
http://openwall.com/lists/oss-security/2011/11/14/1

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:moodle:moodle:1.9.1:::::::*
	cpe:2.3:a:moodle:moodle:1.9.2:::::::*
	cpe:2.3:a:moodle:moodle:1.9.3:::::::*
	cpe:2.3:a:moodle:moodle:1.9.4:::::::*
	cpe:2.3:a:moodle:moodle:1.9.5:::::::*
	cpe:2.3:a:moodle:moodle:1.9.6:::::::*
	cpe:2.3:a:moodle:moodle:1.9.7:::::::*
	cpe:2.3:a:moodle:moodle:1.9.8:::::::*
	cpe:2.3:a:moodle:moodle:1.9.9:::::::*
	cpe:2.3:a:moodle:moodle:1.9.10:::::::*
	cpe:2.3:a:moodle:moodle:1.9.11:::::::*
	cpe:2.3:a:moodle:moodle:1.9.12:::::::*
	cpe:2.3:a:moodle:moodle:2.0.0:::::::*
	cpe:2.3:a:moodle:moodle:2.0.1:::::::*
	cpe:2.3:a:moodle:moodle:2.0.2:::::::*
	cpe:2.3:a:moodle:moodle:2.0.3:::::::*
	cpe:2.3:a:moodle:moodle:2.1.0:::::::*

History

No history.

Information

Published : 2012-07-16 10:28

Updated : 2024-02-04 18:16

NVD link : CVE-2011-4294

Mitre link : CVE-2011-4294

CVE.ORG link : CVE-2011-4294

JSON object : View

Products Affected

moodle

moodle

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2011-4294", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2012-07-16T10:28:37.067", "references": [{"url": "http://git.moodle.org/gw?p=moodle.git%3Ba=commit%3Bh=8f9f666c902cb30ef6f519353f38c45a29fdf4a6", "source": "secalert@redhat.com"}, {"url": "http://moodle.org/mod/forum/discuss.php?d=182737", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "http://openwall.com/lists/oss-security/2011/11/14/1", "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "The error-message functionality in Moodle 1.9.x before 1.9.13, 2.0.x before 2.0.4, and 2.1.x before 2.1.1 does not ensure that a continuation link refers to an http or https URL for the local Moodle instance, which might allow attackers to trick users into visiting arbitrary web sites via unspecified vectors."}, {"lang": "es", "value": "La funcionalidad de mensajes de error en Moodle v1.9.x anterior a v1.9.13, v2.0.x anterior a v2.0.4, v2.1.1 y v2.1.x no garantiza que un enlace de continuidad se refiera a una direcci\u00f3n http o https para la instancia local de Moodle, lo que podr\u00eda permitir a un atacante enga\u00f1ar a los usuarios a visitar sitios web a trav\u00e9s de arbitrarias vectores no especificados."}], "lastModified": "2023-11-07T02:09:20.620", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:1.9.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "24F2602B-8ED3-4026-A9A4-31BE8BDC7724"}, {"criteria": "cpe:2.3:a:moodle:moodle:1.9.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D7F24649-B67F-4809-9F54-7B623AEF5A4A"}, {"criteria": "cpe:2.3:a:moodle:moodle:1.9.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6B81655E-C3B5-4115-A4C4-B7AC2FCDAB7F"}, {"criteria": "cpe:2.3:a:moodle:moodle:1.9.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ED9C3840-66BE-47EC-9F0C-E9D2171FF0B2"}, {"criteria": "cpe:2.3:a:moodle:moodle:1.9.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DBD062EB-1B1F-4DC8-A4F9-C2EC7D401E9D"}, {"criteria": "cpe:2.3:a:moodle:moodle:1.9.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "291F73E9-1059-4E7F-860F-0DF2A35AA456"}, {"criteria": "cpe:2.3:a:moodle:moodle:1.9.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0EB5859E-0996-46B5-BB44-34BD6EACBCF5"}, {"criteria": "cpe:2.3:a:moodle:moodle:1.9.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F87F6707-99AB-478A-909D-1D87298D5514"}, {"criteria": "cpe:2.3:a:moodle:moodle:1.9.9:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4BCE8B26-58BB-471C-B291-E6AE22B96C5B"}, {"criteria": "cpe:2.3:a:moodle:moodle:1.9.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "768CE5AF-955B-4148-998A-A46BBDBA618B"}, {"criteria": "cpe:2.3:a:moodle:moodle:1.9.11:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4283440F-9B21-4CE9-81FF-79DF3DEDCEE7"}, {"criteria": "cpe:2.3:a:moodle:moodle:1.9.12:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A989FADA-89C3-472B-86BF-0630D1CBBCA8"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DD248A1D-CACC-4E76-925A-078B736442AE"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9B8A0403-0869-495F-B7C0-13A387549C7A"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "39791F43-CF89-485B-AA8B-634C282BB025"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "428E4846-8C9E-4592-8437-88FCDCED704D"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "18C6F348-DAE9-4440-8B3A-8D92ADC6606F"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}