Security Announcements

Posted by Petr Škoda
MSA-08-0009: Persistent Cross-site Scripting (XSS) on blog entry title parameter
 
Topic: Persistent Cross-site Scripting (XSS) on blog entry title parameter
Severity: Major
Versions affected: <1.6.7, <1.7.5
Reported by: Adrian Pastor and Amir Azam of ProCheckUp Ltd. (www.procheckup.com)
Issue no.: MDL-15392
Solution: upgrade to 1.6.7, 1.7.5 or any recent nightly or use patch http://cvs.moodle.org/moodle/blog/lib.php?r1=1.38.6.3&r2=1.38.6.2

Description:

ProCheckUp discovered that 1.6.x and 1.7.x sites with blogs enabled are vulnerable to persistent (stored) Cross-site Scripting (XSS) attacks through blog entry titles: a title containing HTML is saved and later emitted unescaped to every user who views the entry. We would like to thank them for informing us in a responsible manner and coordinating the disclosure of security advisories.
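The following is an added illustration of the bug class, not Moodle's own code or the patched lib.php: a stored blog title is rendered once by raw string interpolation (the vulnerable shape) and once with HTML output encoding (the fix). The sample title and the function names are constructed for the example.

```php
<?php
// Added example (not Moodle code): stored XSS through an unescaped title.
// The title below is a constructed sample standing in for a value read back
// from the blog table; it contains markup that a user typed into the title field.
$title = 'Week 1 <b>notes</b> & <script>alert("title")</script>';

// Vulnerable shape: the stored string is dropped straight into the page, so any
// tags it carries are parsed and executed by every reader's browser.
function render_title_vulnerable(string $title): string {
    return "<h2>{$title}</h2>";
}

// Hardened shape: encode &, <, >, " and ' on output so the browser treats the
// title as text. Encoding at render time covers titles that are already stored.
function render_title_safe(string $title): string {
    return '<h2>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</h2>';
}

// Simple regression check a test suite could keep: no raw tag survives encoding.
function title_is_inert(string $rendered_title): bool {
    $inner = substr($rendered_title, strlen('<h2>'), -strlen('</h2>'));
    return strpos($inner, '<') === false && strpos($inner, '>') === false;
}

echo render_title_vulnerable($title), PHP_EOL;
// <h2>Week 1 <b>notes</b> & <script>alert("title")</script></h2>
echo render_title_safe($title), PHP_EOL;
// <h2>Week 1 &lt;b&gt;notes&lt;/b&gt; &amp; &lt;script&gt;alert(&quot;title&quot;)&lt;/script&gt;</h2>
var_dump(title_is_inert(render_title_vulnerable($title))); // bool(false)
var_dump(title_is_inert(render_title_safe($title)));       // bool(true)
```

Encoding on output is the durable fix because it also neutralises titles that were stored before the upgrade; filtering on input alone leaves existing rows dangerous. In Moodle code the equivalent helper is s() from weblib.php, which wraps htmlspecialchars in the same way.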