Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Moodle Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2014-7835)

Description

webservice/upload.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not ensure that a file upload is for a private or draft area, which allows remote authenticated users to upload files containing JavaScript, and consequently conduct cross-site scripting (XSS) attacks, by specifying the profile-picture area.

Remediation

References

Related Vulnerabilities

Atlassian Confluence Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2020-29450)

Joomla! Core Security Bypass (2.5.0 - 3.9.15)

WordPress Plugin BuddyPress Members Only Cross-Site Scripting (1.8.3)

Lodash CVE-2018-3721 Vulnerability (CVE-2018-3721)

SharePoint Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2020-0974)

Severity

Low

Classification

CVE-2014-7835 CWE-707

Tags

Missing Update Known Vulnerabilities