CVE-2013-1833
Moodle 2.0.0-2.1.10, 2.2.0-2.2.7, 2.3.0-2.3.4, 2.4.0-2.4.1 - Authenticated Cross-Site Scripting via File Picker Filename
Multiple cross-site scripting (XSS) vulnerabilities in the File Picker module in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allow remote authenticated users to inject arbitrary web script or HTML via a crafted filename.
References (5)
Core References
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.html
Vendor Advisory (x_refsource_confirm): https://moodle.org/mod/forum/discuss.php?d=225344
Patch (x_refsource_confirm): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37507
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.html
Mailing List (mailing-list, x_refsource_mlist): http://openwall.com/lists/oss-security/2013/03/25/2
Scores
EPSS: 0.0021
EPSS Percentile: 43.0%
Details
CWE: CWE-79
Status: published
Products (37)
moodle/moodle 2.0.0
moodle/moodle 2.0.1
moodle/moodle 2.0.2
moodle/moodle 2.0.3
moodle/moodle 2.0.4
moodle/moodle 2.0.5
moodle/moodle 2.0.6
moodle/moodle 2.0.7
moodle/moodle 2.0.8
moodle/moodle 2.0.9
... and 27 more
Published: Mar 25, 2013
Tracked Since: Feb 18, 2026