Description
classes/GoogleSpell.php in the PHP Spellchecker (aka Google Spellchecker) addon before 2.0.6.1 for TinyMCE, as used in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 and other products, does not properly handle control characters, which allows remote attackers to trigger arbitrary outbound HTTP requests via a crafted string.
References (6)
Core References
Patch x_refsource_confirm: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37283
Patch x_refsource_confirm: https://github.com/tinymce/tinymce_spellchecker_php/commit/22910187bfb9edae90c26e10100d8145b505b974
Vendor Advisory x_refsource_confirm: http://www.tinymce.com/forum/viewtopic.php?id=30036
Various Sources x_refsource_confirm: http://www.tinymce.com/develop/changelog/?type=phpspell
Mailing List mailing-list x_refsource_mlist: http://openwall.com/lists/oss-security/2013/01/21/1
Various Sources x_refsource_confirm: https://moodle.org/mod/forum/discuss.php?d=220157
Scores
EPSS: 0.0060
EPSS Percentile: 69.5%
Details
CWE: CWE-264
Status: published
Products (28)
moodle/moodle 2.1.0
moodle/moodle 2.1.1
moodle/moodle 2.1.2
moodle/moodle 2.1.3
moodle/moodle 2.1.4
moodle/moodle 2.1.5
moodle/moodle 2.1.6
moodle/moodle 2.1.7
moodle/moodle 2.1.8
moodle/moodle 2.1.9
... and 18 more
Published: Jan 27, 2013
Tracked Since: Feb 18, 2026