Vulnerability Description
lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Moodle | Moodle | <= 2.4.11 |
Related Weaknesses (CWE)
References
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47966Patch
- http://openwall.com/lists/oss-security/2014/11/17/11
- http://www.securityfocus.com/bid/71133
- http://www.securitytracker.com/id/1031215
- https://moodle.org/mod/forum/discuss.php?d=275146Vendor Advisory
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47966Patch
- http://openwall.com/lists/oss-security/2014/11/17/11
- http://www.securityfocus.com/bid/71133
- http://www.securitytracker.com/id/1031215
- https://moodle.org/mod/forum/discuss.php?d=275146Vendor Advisory
FAQ
What is CVE-2014-9059?
CVE-2014-9059 is a vulnerability with a CVSS score of 4.3 (MEDIUM). lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to condu...
How severe is CVE-2014-9059?
CVE-2014-9059 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-9059?
Check the references section above for vendor advisories and patch information. Affected products include: Moodle Moodle.