#VU43861 Input validation error in Moodle - CVE-2011-4294
Published: July 16, 2012 / Updated: August 11, 2020
Vulnerability identifier: #VU43861
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2011-4294
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Moodle
Moodle
Software vendor:
moodle.org
moodle.org
Description
The vulnerability allows a remote non-authenticated attacker to manipulate or delete data.
The error-message functionality in Moodle 1.9.x before 1.9.13, 2.0.x before 2.0.4, and 2.1.x before 2.1.1 does not ensure that a continuation link refers to an http or https URL for the local Moodle instance, which might allow attackers to trick users into visiting arbitrary web sites via unspecified vectors.
Remediation
Install update from vendor's website.