CVE-2012-6112: PHP Spellchecker addon for TinyMCE allows attackers to trigger arbitrary outbound HTTP requests
classes/GoogleSpell.php in the PHP Spellchecker (aka Google Spellchecker) addon before 2.0.6.1 for TinyMCE, as used in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 and other products, does not properly handle control characters, which allows remote attackers to trigger arbitrary outbound HTTP requests via a crafted string.
References
- git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37283
- openwall.com/lists/oss-security/2013/01/21/1
- github.com/advisories/GHSA-fx5h-3786-h2w6
- github.com/moodle/moodle/commit/6fac8f7f04c9fe7f8bbb54a9c00ec5f9ea4f09e0
- github.com/moodle/moodle/commit/9803d8fc3ce08c8f8b88ad3a95d9a7c97678a3e3
- github.com/moodle/moodle/commit/a3243760c243ddad76e91840134009c3681cb16a
- github.com/moodle/moodle/commit/f938b1a89b8f381129120a37915d1b345333b3fb
- github.com/tinymce/tinymce_spellchecker_php/commit/22910187bfb9edae90c26e10100d8145b505b974
- moodle.org/mod/forum/discuss.php?d=220157
- nvd.nist.gov/vuln/detail/CVE-2012-6112
- web.archive.org/web/20121015010345/http://www.tinymce.com/develop/changelog/?type=phpspell
- web.archive.org/web/20121129021911/http://www.tinymce.com/forum/viewtopic.php?id=30036