Vulnerability CVE-2013-5674
Published: 2013-09-16   Modified: 2013-09-22

Description:
badges/external.php in Moodle 2.5.x before 2.5.2 does not properly handle an object obtained by unserializing a description of an external badge, which allows remote attackers to conduct PHP object injection attacks via unspecified vectors, as demonstrated by overwriting the value of the userid parameter.

See advisories in our WLB2 database:
Topic
Author
Date
Low
Moodle CMS 2.5.0-1 Cross Site Scripting
Emilio Pinna
17.09.2013

Type:

CWE-89

 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Moodle -> Moodle 

 References:
https://moodle.org/mod/forum/discuss.php?d=238397
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40924
Copyright 2024, cxsecurity.com

 

Back to Top