SB2012071605 - Cross-site scripting in Moodle

Description

This security bulletin contains information about 1 security vulnerability.

1) Cross-site scripting (CVE-ID: CVE-2011-4290)

Vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by an input validation error in lib/weblib.php in Moodle 1.9.x before 1.9.12 when processing vectors related to URL encoding. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install update from vendor's website.

References

• http://git.moodle.org/gw?p=moodle.git;a=commit;h=5a3010310bff0b3946804a72ca2d6bc166a0028f
• http://moodle.org/mod/forum/discuss.php?d=175592
• http://openwall.com/lists/oss-security/2011/11/14/1