#VU43892 Input validation error in Moodle - CVE-2011-4305

Cybersecurity Help s.r.o.

Published: 2012-07-11 | Updated: 2020-08-11

Vulnerability identifier: #VU43892

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2011-4305

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Moodle
Web applications / Other software

Vendor: moodle.org

Description

The vulnerability allows a remote #AU# to perform service disruption.

message/refresh.php in Moodle 1.9.x before 1.9.14 allows remote authenticated users to cause a denial of service (infinite request loop) via a URL that specifies a zero wait time for message refreshing.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Moodle: 1.9 - 1.9.13

External links
https://git.moodle.org/gw?p=moodle.git;a=commit;h=97f258fabb3ebfa7acc7c02cb59de92b01710f99
https://moodle.org/mod/forum/discuss.php?d=188318
https://bugzilla.redhat.com/show_bug.cgi?id=747444

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Moodle