Vulnerability-Lookup

CVE-2020-25702 (GCVE-0-2020-25702)

Vulnerability from cvelistv5 – Published: 2020-11-19 16:17 – Updated: 2024-08-04 15:40

Summary

In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10.

Severity ?

No CVSS data available.

CWE

CWE-79

Assigner

redhat

References

URL

Tags

	https://bugzilla.redhat.com/show_bug.cgi?id=1895437	x_refsource_MISC
	https://moodle.org/mod/forum/discuss.php?d=413940	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA

Impacted products

	Vendor	Product	Version
	n/a	moodle	Affected: Fixed in 3.9.3, Fixed in 3.10

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:40:36.586Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1895437"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://moodle.org/mod/forum/discuss.php?d=413940"
          },
          {
            "name": "FEDORA-2020-304aa2c365",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6/"
          },
          {
            "name": "FEDORA-2020-db73e37548",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "moodle",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Fixed in 3.9.3, Fixed in 3.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-11-28T03:05:37",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1895437"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://moodle.org/mod/forum/discuss.php?d=413940"
        },
        {
          "name": "FEDORA-2020-304aa2c365",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6/"
        },
        {
          "name": "FEDORA-2020-db73e37548",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-25702",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "moodle",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Fixed in 3.9.3, Fixed in 3.10"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1895437",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1895437"
            },
            {
              "name": "https://moodle.org/mod/forum/discuss.php?d=413940",
              "refsource": "MISC",
              "url": "https://moodle.org/mod/forum/discuss.php?d=413940"
            },
            {
              "name": "FEDORA-2020-304aa2c365",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6/"
            },
            {
              "name": "FEDORA-2020-db73e37548",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-25702",
    "datePublished": "2020-11-19T16:17:03",
    "dateReserved": "2020-09-16T00:00:00",
    "dateUpdated": "2024-08-04T15:40:36.586Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"3.9\", \"versionEndExcluding\": \"3.9.3\", \"matchCriteriaId\": \"8F2732E7-84A3-4A96-B9A6-7177120967E2\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"36D96259-24BD-44E2-96D9-78CE1D41F956\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E460AA51-FCDA-46B9-AE97-E6676AA5E194\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10.\"}, {\"lang\": \"es\", \"value\": \"En Moodle, era posible incluir JavaScript, cuando se cambia el nombre de los elementos del banco de contenido.\u0026#xa0;Versiones afectadas: 3.9 a 3.9.2.\u0026#xa0;Esto est\\u00e1 corregido en moodle versiones 3.9.3 y 3.10\"}]",
      "id": "CVE-2020-25702",
      "lastModified": "2024-11-21T05:18:31.227",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2020-11-19T17:15:12.967",
      "references": "[{\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1895437\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Issue Tracking\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU/\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6/\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://moodle.org/mod/forum/discuss.php?d=413940\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1895437\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Vendor Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://moodle.org/mod/forum/discuss.php?d=413940\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "secalert@redhat.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-25702\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2020-11-19T17:15:12.967\",\"lastModified\":\"2024-11-21T05:18:31.227\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10.\"},{\"lang\":\"es\",\"value\":\"En Moodle, era posible incluir JavaScript, cuando se cambia el nombre de los elementos del banco de contenido.\u0026#xa0;Versiones afectadas: 3.9 a 3.9.2.\u0026#xa0;Esto est\u00e1 corregido en moodle versiones 3.9.3 y 3.10\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.9\",\"versionEndExcluding\":\"3.9.3\",\"matchCriteriaId\":\"8F2732E7-84A3-4A96-B9A6-7177120967E2\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"36D96259-24BD-44E2-96D9-78CE1D41F956\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E460AA51-FCDA-46B9-AE97-E6676AA5E194\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1895437\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU/\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6/\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://moodle.org/mod/forum/discuss.php?d=413940\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1895437\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://moodle.org/mod/forum/discuss.php?d=413940\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

CERTFR-2020-AVI-751

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Moodle. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité, une élévation de privilèges et une injection de code indirecte à distance (XSS).

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Moodle	Moodle	Moodle versions 3.7.x antérieures à 3.7.8
Moodle	Moodle	Moodle versions 3.9.x antérieures à 3.9.2
Moodle	Moodle	Moodle versions 3.8.x antérieures à 3.8.5

References

Title

Publication Time

Tags

Bulletin de sécurité Moodle MSA-20-0017 du 16 novembre 2020	None	vendor-advisory
Bulletin de sécurité Moodle MSA-20-0021 du 16 novembre 2020	None	vendor-advisory
Bulletin de sécurité Moodle MSA-20-0018 du 16 novembre 2020	None	vendor-advisory
Bulletin de sécurité Moodle MSA-20-0019 du 16 novembre 2020	None	vendor-advisory
Bulletin de sécurité Moodle MSA-20-0016 du 16 novembre 2020	None	vendor-advisory
Bulletin de sécurité Moodle MSA-20-0020 du 16 novembre 2020	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Moodle versions 3.7.x ant\u00e9rieures \u00e0 3.7.8",
      "product": {
        "name": "Moodle",
        "vendor": {
          "name": "Moodle",
          "scada": false
        }
      }
    },
    {
      "description": "Moodle versions 3.9.x ant\u00e9rieures \u00e0 3.9.2",
      "product": {
        "name": "Moodle",
        "vendor": {
          "name": "Moodle",
          "scada": false
        }
      }
    },
    {
      "description": "Moodle versions 3.8.x ant\u00e9rieures \u00e0 3.8.5",
      "product": {
        "name": "Moodle",
        "vendor": {
          "name": "Moodle",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-25699",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25699"
    },
    {
      "name": "CVE-2020-25700",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25700"
    },
    {
      "name": "CVE-2020-25702",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25702"
    },
    {
      "name": "CVE-2020-25701",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25701"
    },
    {
      "name": "CVE-2020-25703",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25703"
    },
    {
      "name": "CVE-2020-25698",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25698"
    }
  ],
  "links": [],
  "reference": "CERTFR-2020-AVI-751",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-11-16T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Moodle. Elles\npermettent \u00e0 un attaquant de provoquer un contournement de la politique\nde s\u00e9curit\u00e9, une \u00e9l\u00e9vation de privil\u00e8ges et une injection de code\nindirecte \u00e0 distance (XSS).\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Moodle",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-20-0017 du 16 novembre 2020",
      "url": "https://moodle.org/mod/forum/discuss.php?d=413936"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-20-0021 du 16 novembre 2020",
      "url": "https://moodle.org/mod/forum/discuss.php?d=413941"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-20-0018 du 16 novembre 2020",
      "url": "https://moodle.org/mod/forum/discuss.php?d=413938"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-20-0019 du 16 novembre 2020",
      "url": "https://moodle.org/mod/forum/discuss.php?d=413939"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-20-0016 du 16 novembre 2020",
      "url": "https://moodle.org/mod/forum/discuss.php?d=413935"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-20-0020 du 16 novembre 2020",
      "url": "https://moodle.org/mod/forum/discuss.php?d=413940"
    }
  ]
}

CERTFR-2020-AVI-751

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Moodle	Moodle	Moodle versions 3.7.x antérieures à 3.7.8
Moodle	Moodle	Moodle versions 3.9.x antérieures à 3.9.2
Moodle	Moodle	Moodle versions 3.8.x antérieures à 3.8.5

References

Title

Publication Time

Tags

Bulletin de sécurité Moodle MSA-20-0017 du 16 novembre 2020	None	vendor-advisory
Bulletin de sécurité Moodle MSA-20-0021 du 16 novembre 2020	None	vendor-advisory
Bulletin de sécurité Moodle MSA-20-0018 du 16 novembre 2020	None	vendor-advisory
Bulletin de sécurité Moodle MSA-20-0019 du 16 novembre 2020	None	vendor-advisory
Bulletin de sécurité Moodle MSA-20-0016 du 16 novembre 2020	None	vendor-advisory
Bulletin de sécurité Moodle MSA-20-0020 du 16 novembre 2020	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Moodle versions 3.7.x ant\u00e9rieures \u00e0 3.7.8",
      "product": {
        "name": "Moodle",
        "vendor": {
          "name": "Moodle",
          "scada": false
        }
      }
    },
    {
      "description": "Moodle versions 3.9.x ant\u00e9rieures \u00e0 3.9.2",
      "product": {
        "name": "Moodle",
        "vendor": {
          "name": "Moodle",
          "scada": false
        }
      }
    },
    {
      "description": "Moodle versions 3.8.x ant\u00e9rieures \u00e0 3.8.5",
      "product": {
        "name": "Moodle",
        "vendor": {
          "name": "Moodle",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2020-25699",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25699"
    },
    {
      "name": "CVE-2020-25700",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25700"
    },
    {
      "name": "CVE-2020-25702",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25702"
    },
    {
      "name": "CVE-2020-25701",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25701"
    },
    {
      "name": "CVE-2020-25703",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25703"
    },
    {
      "name": "CVE-2020-25698",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25698"
    }
  ],
  "links": [],
  "reference": "CERTFR-2020-AVI-751",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2020-11-16T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Moodle. Elles\npermettent \u00e0 un attaquant de provoquer un contournement de la politique\nde s\u00e9curit\u00e9, une \u00e9l\u00e9vation de privil\u00e8ges et une injection de code\nindirecte \u00e0 distance (XSS).\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Moodle",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-20-0017 du 16 novembre 2020",
      "url": "https://moodle.org/mod/forum/discuss.php?d=413936"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-20-0021 du 16 novembre 2020",
      "url": "https://moodle.org/mod/forum/discuss.php?d=413941"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-20-0018 du 16 novembre 2020",
      "url": "https://moodle.org/mod/forum/discuss.php?d=413938"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-20-0019 du 16 novembre 2020",
      "url": "https://moodle.org/mod/forum/discuss.php?d=413939"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-20-0016 du 16 novembre 2020",
      "url": "https://moodle.org/mod/forum/discuss.php?d=413935"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Moodle MSA-20-0020 du 16 novembre 2020",
      "url": "https://moodle.org/mod/forum/discuss.php?d=413940"
    }
  ]
}

CNVD-2020-65139

Vulnerability from cnvd - Published: 2020-11-19

Title

Moodle跨站脚本漏洞（CNVD-2020-65139）

Description

Moodle是一套免费、开源的电子学习软件平台，也称课程管理系统、学习管理系统或虚拟学习环境。 Moodle存在跨站脚本漏洞，该漏洞源于在重新命名内容库项时可以包含JavaScript。目前没有详细的漏洞细节提供。

Severity

中

Patch Name

Moodle跨站脚本漏洞（CNVD-2020-65139）的补丁

Patch Description

Moodle是一套免费、开源的电子学习软件平台，也称课程管理系统、学习管理系统或虚拟学习环境。 Moodle存在跨站脚本漏洞，该漏洞源于在重新命名内容库项时可以包含JavaScript。目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://moodle.org/mod/forum/discuss.php?d=413940

Reference

https://www.auscert.org.au/bulletins/ESB-2020.4071/

Impacted products

Name
['moodle Moodle >=3.9，<=3.9.2', 'moodle Moodle >=3.8，<=3.8.5', 'moodle Moodle >=3.7，<=3.7.8', 'moodle Moodle >=3.5，<=3.5.14']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-25702",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-25702"
    }
  },
  "description": "Moodle\u662f\u4e00\u5957\u514d\u8d39\u3001\u5f00\u6e90\u7684\u7535\u5b50\u5b66\u4e60\u8f6f\u4ef6\u5e73\u53f0\uff0c\u4e5f\u79f0\u8bfe\u7a0b\u7ba1\u7406\u7cfb\u7edf\u3001\u5b66\u4e60\u7ba1\u7406\u7cfb\u7edf\u6216\u865a\u62df\u5b66\u4e60\u73af\u5883\u3002\n\nMoodle\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u91cd\u65b0\u547d\u540d\u5185\u5bb9\u5e93\u9879\u65f6\u53ef\u4ee5\u5305\u542bJavaScript\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://moodle.org/mod/forum/discuss.php?d=413940",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-65139",
  "openTime": "2020-11-19",
  "patchDescription": "Moodle\u662f\u4e00\u5957\u514d\u8d39\u3001\u5f00\u6e90\u7684\u7535\u5b50\u5b66\u4e60\u8f6f\u4ef6\u5e73\u53f0\uff0c\u4e5f\u79f0\u8bfe\u7a0b\u7ba1\u7406\u7cfb\u7edf\u3001\u5b66\u4e60\u7ba1\u7406\u7cfb\u7edf\u6216\u865a\u62df\u5b66\u4e60\u73af\u5883\u3002\r\n\r\nMoodle\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u91cd\u65b0\u547d\u540d\u5185\u5bb9\u5e93\u9879\u65f6\u53ef\u4ee5\u5305\u542bJavaScript\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Moodle\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2020-65139\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "moodle Moodle \u003e=3.9\uff0c\u003c=3.9.2",
      "moodle Moodle \u003e=3.8\uff0c\u003c=3.8.5",
      "moodle Moodle \u003e=3.7\uff0c\u003c=3.7.8",
      "moodle Moodle \u003e=3.5\uff0c\u003c=3.5.14"
    ]
  },
  "referenceLink": "https://www.auscert.org.au/bulletins/ESB-2020.4071/",
  "serverity": "\u4e2d",
  "submitTime": "2020-11-18",
  "title": "Moodle\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2020-65139\uff09"
}

GSD-2020-25702

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10.

Aliases

CVE-2020-25702

Aliases

CVE-2020-25702

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-25702",
    "description": "In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10.",
    "id": "GSD-2020-25702"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-25702"
      ],
      "details": "In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10.",
      "id": "GSD-2020-25702",
      "modified": "2023-12-13T01:21:57.080283Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2020-25702",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "moodle",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "Fixed in 3.9.3, Fixed in 3.10"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-79"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1895437",
            "refsource": "MISC",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1895437"
          },
          {
            "name": "https://moodle.org/mod/forum/discuss.php?d=413940",
            "refsource": "MISC",
            "url": "https://moodle.org/mod/forum/discuss.php?d=413940"
          },
          {
            "name": "FEDORA-2020-304aa2c365",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6/"
          },
          {
            "name": "FEDORA-2020-db73e37548",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU/"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=3.9,\u003c3.9.3",
          "affected_versions": "All versions starting from 3.9 before 3.9.3",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2020-12-03",
          "description": "In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: to This is fixed in moodle ",
          "fixed_versions": [
            "3.9.3"
          ],
          "identifier": "CVE-2020-25702",
          "identifiers": [
            "CVE-2020-25702"
          ],
          "not_impacted": "All versions before 3.9, all versions starting from 3.9.3",
          "package_slug": "packagist/moodle/moodle",
          "pubdate": "2020-11-19",
          "solution": "Upgrade to version 3.9.3 or above.",
          "title": "Cross-site Scripting",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-25702",
            "https://bugzilla.redhat.com/show_bug.cgi?id=1895437",
            "https://moodle.org/mod/forum/discuss.php?d=413940"
          ],
          "uuid": "21d89934-dc98-4365-8314-f308014d3009"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.9.3",
                "versionStartIncluding": "3.9",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-25702"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://moodle.org/mod/forum/discuss.php?d=413940",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://moodle.org/mod/forum/discuss.php?d=413940"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1895437",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Vendor Advisory"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1895437"
            },
            {
              "name": "FEDORA-2020-304aa2c365",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6/"
            },
            {
              "name": "FEDORA-2020-db73e37548",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2020-12-03T18:31Z",
      "publishedDate": "2020-11-19T17:15Z"
    }
  }
}

bit-moodle-2020-25702

Vulnerability from bitnami_vulndb

Published

2024-03-06 11:11

Modified

2025-04-03 14:40

Summary

Details

In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "moodle",
        "purl": "pkg:bitnami/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.9.0"
            },
            {
              "fixed": "3.9.3"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-25702"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
  },
  "details": "In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10.",
  "id": "BIT-moodle-2020-25702",
  "modified": "2025-04-03T14:40:37.652Z",
  "published": "2024-03-06T11:11:28.317Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1895437"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU/"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6/"
    },
    {
      "type": "WEB",
      "url": "https://moodle.org/mod/forum/discuss.php?d=413940"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25702"
    }
  ],
  "schema_version": "1.5.0"
}

GHSA-PGCP-M69H-P2GR

Vulnerability from github – Published: 2021-03-29 20:43 – Updated: 2021-03-24 23:15

Summary

Cross-site Scripting (XSS) in moodle

Details

In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10.

Severity ?

6.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "moodle/moodle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.9.0"
            },
            {
              "fixed": "3.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-25702"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-24T23:15:17Z",
    "nvd_published_at": "2020-11-19T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10.",
  "id": "GHSA-pgcp-m69h-p2gr",
  "modified": "2021-03-24T23:15:17Z",
  "published": "2021-03-29T20:43:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25702"
    },
    {
      "type": "WEB",
      "url": "https://github.com/moodle/moodle/commit/66be08216e647532b295a9132070d2435ecd7ad9"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1895437"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6"
    },
    {
      "type": "WEB",
      "url": "https://moodle.org/mod/forum/discuss.php?d=413940"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cross-site Scripting (XSS) in moodle"
}

FKIE_CVE-2020-25702

Vulnerability from fkie_nvd - Published: 2020-11-19 17:15 - Updated: 2024-11-21 05:18

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10.

References

URL	Tags
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=1895437	Issue Tracking, Vendor Advisory
secalert@redhat.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU/
secalert@redhat.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6/
secalert@redhat.com	https://moodle.org/mod/forum/discuss.php?d=413940	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=1895437	Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6/
af854a3a-2127-422b-91ae-364da2661108	https://moodle.org/mod/forum/discuss.php?d=413940	Vendor Advisory

Impacted products

Vendor	Product	Version
moodle	moodle	*
fedoraproject	fedora	32
fedoraproject	fedora	33

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8F2732E7-84A3-4A96-B9A6-7177120967E2",
              "versionEndExcluding": "3.9.3",
              "versionStartIncluding": "3.9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*",
              "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
              "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Moodle, it was possible to include JavaScript when re-naming content bank items. Versions affected: 3.9 to 3.9.2. This is fixed in moodle 3.9.3 and 3.10."
    },
    {
      "lang": "es",
      "value": "En Moodle, era posible incluir JavaScript, cuando se cambia el nombre de los elementos del banco de contenido.\u0026#xa0;Versiones afectadas: 3.9 a 3.9.2.\u0026#xa0;Esto est\u00e1 corregido en moodle versiones 3.9.3 y 3.10"
    }
  ],
  "id": "CVE-2020-25702",
  "lastModified": "2024-11-21T05:18:31.227",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-11-19T17:15:12.967",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1895437"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU/"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6/"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://moodle.org/mod/forum/discuss.php?d=413940"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Vendor Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1895437"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://moodle.org/mod/forum/discuss.php?d=413940"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-25702 (GCVE-0-2020-25702)

CERTFR-2020-AVI-751

Solution

CERTFR-2020-AVI-751

Solution

CNVD-2020-65139

GSD-2020-25702

bit-moodle-2020-25702

Vulnerability from bitnami_vulndb

GHSA-PGCP-M69H-P2GR

FKIE_CVE-2020-25702

Tags

Sightings

Nomenclature