Vulnerability CVE-2008-3326

Vulnerability Name:

CVE-2008-3326 (CCN-43961)

Assigned:

2008-07-16

Published:

2008-07-16

Updated:

2020-12-01

Summary:

Cross-site scripting (XSS) vulnerability in blog/edit.php in Moodle 1.6.x before 1.6.7 and 1.7.x before 1.7.5 allows remote attackers to inject arbitrary web script or HTML via the etitle parameter (blog entry title).

CVSS v3 Severity:

2.6 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

2.6 Low (CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)
2.2 Low (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

3.5 Low (CCN CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
3.0 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-79

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2008-3326

Source: SUSE
Type: UNKNOWN
SUSE-SR:2008:016

Source: CCN
Type: MSA-08-0009
Persistent Cross-site Scripting (XSS) on blog entry title parameter

Source: CONFIRM
Type: UNKNOWN
http://moodle.org/mod/forum/discuss.php?d=101401

Source: CCN
Type: SA31196
Moodle Script Insertion and Cross-Site Request Forgery

Source: SECUNIA
Type: UNKNOWN
31196

Source: SECUNIA
Type: UNKNOWN
31339

Source: DEBIAN
Type: UNKNOWN
DSA-1691

Source: DEBIAN
Type: DSA-1691
moodle -- several vulnerabilities

Source: CCN
Type: OSVDB ID: 47127
Moodle blog/edit.php etitle Parameter XSS

Source: CCN
Type: ProCheckUp: PR08-13
Persistent Cross-site Scripting (XSS) on Moodle via blog entry title

Source: MISC
Type: Exploit
http://www.procheckup.com/Vulnerability_PR08-13.php

Source: BUGTRAQ
Type: UNKNOWN
20080722 PR08-13: Persistent Cross-site Scripting (XSS) on Moodle via blog entry title

Source: BID
Type: UNKNOWN
30348

Source: CCN
Type: BID-30348
Moodle 'etitle' Parameter HTML Injection Vulnerability

Source: XF
Type: UNKNOWN
moodle-edit-xss(43961)

Source: XF
Type: UNKNOWN
moodle-edit-xss(43961)

Source: EXPLOIT-DB
Type: UNKNOWN
6653

Source: SUSE
Type: SUSE-SR:2008:016
SUSE Security Summary Report

Vulnerable Configuration:

Configuration 1:

cpe:/a:moodle:moodle:1.6.0:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.6.1:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.6.2:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.7.2:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.7.3:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.6.3:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.6.4:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.7.4:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.6.5:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.6.6:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.7.1:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:moodle:moodle:1.6.2:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.7.1:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.7.5:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.7.4:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.7.3:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.7.2:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.6.5:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.6.4:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.6.3:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.6.1:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.6.0:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.7.0:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.6.6:*:*:*:*:*:*:*

AND

cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20083326	V	CVE-2008-3326	2015-11-16
oval:org.mitre.oval:def:7939	P	DSA-1691 moodle -- several vulnerabilities	2014-06-23
oval:org.mitre.oval:def:20060	P	DSA-1691-1 moodle - several vulnerabilities	2014-06-23
oval:org.debian:def:1691	V	several vulnerabilities	2008-12-22

BACK