Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Moodle Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2014-9059)

Description

lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts.

Remediation

References

Related Vulnerabilities

Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2011-4279)

WordPress Plugin Mingle Forum Multiple Cross-Site Scripting Vulnerabilities (1.0.33)

WordPress Plugin Coming Soon, Under Construction & Maintenance Mode By Dazzler Unspecified Vulnerability (1.6.8)

WordPress Plugin StreamCast-Radio Player for WordPress Cross-Site Scripting (2.1)

WordPress Plugin More from Google Cross-Site Scripting (0.0.2)

Severity

Medium

Classification

CVE-2014-9059 CWE-707

Tags

Missing Update Known Vulnerabilities