GoogleOSV:GHSA-J6C3-3C4W-QV8PMoodle cross-site scripting (XSS) vulnerabilities
Multiple cross-site scripting (XSS) vulnerabilities in Flowplayer Flash before 3.2.17, as used in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2, allow remote attackers to inject arbitrary web script or HTML by (1) providing a crafted playerId or (2) referencing an external domain, a related issue to CVE-2013-7342.
| CPE | Name | Operator | Version |
|---|---|---|---|
| moodle/moodle | eq | 2.5.1 | |
| typo3/cms | eq | 7.0.0 | |
| typo3/cms | eq | 7.0.1 | |
| typo3/cms | eq | 6.2.1 | |
| typo3/cms | eq | 6.2.0 | |
| moodle/moodle | eq | 2.4.0 | |
| typo3/cms | eq | 6.2.5 | |
| moodle/moodle | eq | 2.4.3 | |
| typo3/cms | eq | 6.2.11 | |
| moodle/moodle | eq | 2.3.11 |
References
flash.flowplayer.org/documentation/version-history.html
git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43344
openwall.com/lists/oss-security/2014/03/17/1
github.com/flowplayer/flash/issues/121
github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2013-7341.yaml
github.com/moodle/moodle
github.com/moodle/moodle/commit/98d135fea3006334093efa822205d4b2c3fd8ff9
github.com/moodle/moodle/commit/9f2967e301d123d11625f3b6948e1ee538086791
github.com/moodle/moodle/commit/c3cd5e1db9de4f1a634492d99990534e30518066
github.com/moodle/moodle/commit/d65634044ebaa738f55bdec521beb42844d6916a
moodle.org/mod/forum/discuss.php?d=256420
nvd.nist.gov/vuln/detail/CVE-2013-7341
typo3.org/security/advisory/typo3-core-sa-2015-007
Related
