CVE-2012-6112

TinyMCE PHP Spellchecker < 2.0.6.1 - Server-Side Request Forgery via Control Character Injection

Title source: llm

Description

classes/GoogleSpell.php in the PHP Spellchecker (aka Google Spellchecker) addon before 2.0.6.1 for TinyMCE, as used in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 and other products, does not properly handle control characters, which allows remote attackers to trigger arbitrary outbound HTTP requests via a crafted string.

References (6)

Core 6

Core References

Patch x_refsource_confirm

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37283

Patch x_refsource_confirm

https://github.com/tinymce/tinymce_spellchecker_php/commit/22910187bfb9edae90c26e10100d8145b505b974

View Patch ZIP pw:eip

Vendor Advisory x_refsource_confirm

http://www.tinymce.com/forum/viewtopic.php?id=30036

Various Sources x_refsource_confirm

http://www.tinymce.com/develop/changelog/?type=phpspell

Mailing List mailing-list x_refsource_mlist

http://openwall.com/lists/oss-security/2013/01/21/1

Various Sources x_refsource_confirm

https://moodle.org/mod/forum/discuss.php?d=220157

Scores

EPSS 0.0229

EPSS Percentile 81.0%

Details

CWE

CWE-264

Status published

Products (28)

moodle/moodle 2.1.0

moodle/moodle 2.1.1

moodle/moodle 2.1.2

moodle/moodle 2.1.3

moodle/moodle 2.1.4

moodle/moodle 2.1.5

moodle/moodle 2.1.6

moodle/moodle 2.1.7

moodle/moodle 2.1.8

moodle/moodle 2.1.9

... and 18 more

Published Jan 27, 2013

Tracked Since Feb 18, 2026