Description

lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts.

Remediation

References

CVE-2014-9059

Related Vulnerabilities

WordPress Plugin Price Commander for WooCommerce Security Bypass (1.2.2)

WordPress Plugin Supafolio Multiple Unspecified Vulnerabilities (2.1.0)

WordPress Plugin Wp custom slider SQL Injection (1.6.2)

Moodle Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2016-9186)

Apache Tomcat Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2013-4444)

Severity

Medium

Classification

CVE-2014-9059 CWE-707

Tags

Missing Update Known Vulnerabilities