CVE-2014-9059: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
(updated )
lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts.
References
- git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47966
- www.securitytracker.com/id/1031215
- github.com/advisories/GHSA-crcq-pw8h-9xwf
- github.com/moodle/moodle/commit/0a0145c5e8041aadeff303a9f9984c86706b4e42
- github.com/moodle/moodle/commit/293e4bbcb71f0a801c2539ea051c58688314b23a
- github.com/moodle/moodle/commit/3c98b7a5ad1bb596a738e550fc3bf966d6415fe0
- github.com/moodle/moodle/commit/ac6e453d11024bf6ad99ada1bfc641c6b91ebed6
- moodle.org/mod/forum/discuss.php?d=275146
- nvd.nist.gov/vuln/detail/CVE-2014-9059
- web.archive.org/web/20150914064838/http://www.securitytracker.com/id/1031215
- web.archive.org/web/20200229043651/http://www.securityfocus.com/bid/71133
Code Behaviors & Features
Detect and mitigate CVE-2014-9059 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →