Topic: | Potential non-persistent XSS when searching for group members (MSSQL and Oracle only) |
Severity: | Major |
Versions affected: | 1.9.0, 1.9.1 |
Reported by: | internal |
Issue no.: | MDL-15079 |
Solution: | upgrade to 1.9.2 or any recent nightly, or apply the patch http://cvs.moodle.org/moodle/group/members.php?r1=1.3.2.4&r2=1.3.2.5 |
Description:
We have discovered that Moodle 1.9.0 and 1.9.1 installations running on MSSQL or Oracle databases are vulnerable to a non-persistent (reflected) cross-site scripting (XSS) attack through the search text submitted when searching for group members. The cause is incorrect escaping of that text on database engines which require Sybase-style quoting (MSSQL and Oracle only); installations on other database engines are not affected by this issue.
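The following PHP is an added illustration of the class of error described above; it is not the Moodle 1.9 code or the MDL-15079 patch, and it does not reconstruct the exact code path in group/members.php. It models a search term that has been escaped for the database (backslash style on MySQL/PostgreSQL, Sybase-style quote doubling on MSSQL/Oracle) and then echoed into the page as though that database escaping also made it safe for HTML. The function names escape_for_db(), render_search_box_vulnerable(), render_search_box_hardened() and contains_script_tag(), and the $probe value, are assumptions made for this demonstration.

```php
<?php
declare(strict_types=1);

// Added illustration; not Moodle's own code or the MDL-15079 patch.
// escape_for_db(), render_*(), contains_script_tag() and $probe are assumed
// names/values for this demo only.

/**
 * Escape a search term for the database. Backslash escaping is what
 * MySQL/PostgreSQL expect; MSSQL and Oracle use Sybase-style quote doubling.
 */
function escape_for_db(string $term, bool $sybase_style): string
{
    return $sybase_style
        ? str_replace("'", "''", $term)   // MSSQL/Oracle: a single quote becomes ''
        : addslashes($term);              // MySQL/PostgreSQL: ' and " get a backslash
}

/**
 * Vulnerable pattern: the DB-escaped value is written straight into an HTML
 * attribute. Neither quoting style touches '<', '>' or '/', so a tag inside the
 * search term survives, and a leading '"' still closes the attribute (a
 * backslash is not an escape character in HTML).
 */
function render_search_box_vulnerable(string $db_escaped_term): string
{
    return '<input type="text" name="searchtext" value="' . $db_escaped_term . '" />';
}

/**
 * Hardened pattern: encode for the HTML attribute context from the raw value,
 * independently of how the term was quoted for the database. Moodle's s()
 * helper is an htmlspecialchars() wrapper used for exactly this purpose.
 */
function render_search_box_hardened(string $raw_term): string
{
    return '<input type="text" name="searchtext" value="'
        . htmlspecialchars($raw_term, ENT_QUOTES, 'UTF-8') . '" />';
}

/** True if the rendered HTML still contains a live <script> tag. */
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed demonstration input: closes the value attribute, then injects a tag.
$probe = '"><script>alert(document.cookie)</script>';

foreach ([0 => 'backslash (MySQL/PostgreSQL)', 1 => 'sybase (MSSQL/Oracle)'] as $sybase => $label) {
    $escaped = escape_for_db($probe, (bool) $sybase);
    $html    = render_search_box_vulnerable($escaped);
    printf("%-28s vulnerable render: %s\n", $label, contains_script_tag($html) ? 'XSS' : 'safe');
}
printf("%-28s hardened render:   %s\n", 'any database',
    contains_script_tag(render_search_box_hardened($probe)) ? 'XSS' : 'safe');
```

The point the demo makes is that database quoting and HTML encoding are separate concerns: whichever quoting style the engine needs, the value echoed back into the search form must be passed through htmlspecialchars() (Moodle's s()) from the raw string, never treated as already safe because it was escaped for SQL. When checking a site for this issue, submit a probe like the one above in the group members search box and confirm that the reflected value in the page source is entity-encoded rather than returned verbatim.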