CVE-2014-9059 - Vulnerability Details - OpenCVE

lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Moodle	Moodle

Configuration 1 [-]

OR	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle:2.5.0:::::::*
	cpe:2.3:a:moodle:moodle:2.5.1:::::::*
	cpe:2.3:a:moodle:moodle:2.5.2:::::::*
	cpe:2.3:a:moodle:moodle:2.5.3:::::::*
	cpe:2.3:a:moodle:moodle:2.5.4:::::::*
	cpe:2.3:a:moodle:moodle:2.5.5:::::::*
	cpe:2.3:a:moodle:moodle:2.5.6:::::::*
	cpe:2.3:a:moodle:moodle:2.5.7:::::::*
	cpe:2.3:a:moodle:moodle:2.5.8:::::::*
	cpe:2.3:a:moodle:moodle:2.6.0:::::::*
	cpe:2.3:a:moodle:moodle:2.6.1:::::::*
	cpe:2.3:a:moodle:moodle:2.6.2:::::::*
	cpe:2.3:a:moodle:moodle:2.6.3:::::::*
	cpe:2.3:a:moodle:moodle:2.6.4:::::::*
	cpe:2.3:a:moodle:moodle:2.6.5:::::::*
	cpe:2.3:a:moodle:moodle:2.7.0:::::::*
	cpe:2.3:a:moodle:moodle:2.7.1:::::::*
	cpe:2.3:a:moodle:moodle:2.7.2:::::::*

No data.

References

Link	Providers
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47966
http://openwall.com/lists/oss-security/2014/11/17/11
http://www.securityfocus.com/bid/71133
http://www.securitytracker.com/id/1031215
https://moodle.org/mod/forum/discuss.php?d=275146

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2014-11-24T11:00:00

Updated: 2024-08-06T13:33:13.509Z

Reserved: 2014-11-24T00:00:00

Link: CVE-2014-9059

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2014-11-24T11:59:14.183

Modified: 2025-04-12T10:46:40.837

Link: CVE-2014-9059

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-11-17T00:00:00", "descriptions": [{"lang": "en", "value": "lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-04-29T18:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "1031215", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1031215"}, {"name": "[oss-security] 20141117 Moodle security issues are now public", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2014/11/17/11"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47966"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://moodle.org/mod/forum/discuss.php?d=275146"}, {"name": "71133", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/71133"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-9059", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "1031215", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1031215"}, {"name": "[oss-security] 20141117 Moodle security issues are now public", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2014/11/17/11"}, {"name": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47966", "refsource": "CONFIRM", "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47966"}, {"name": "https://moodle.org/mod/forum/discuss.php?d=275146", "refsource": "CONFIRM", "url": "https://moodle.org/mod/forum/discuss.php?d=275146"}, {"name": "71133", "refsource": "BID", "url": "http://www.securityfocus.com/bid/71133"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T13:33:13.509Z"}, "title": "CVE Program Container", "references": [{"name": "1031215", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1031215"}, {"name": "[oss-security] 20141117 Moodle security issues are now public", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2014/11/17/11"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47966"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://moodle.org/mod/forum/discuss.php?d=275146"}, {"name": "71133", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/71133"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-9059", "datePublished": "2014-11-24T11:00:00", "dateReserved": "2014-11-24T00:00:00", "dateUpdated": "2024-08-06T13:33:13.509Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "54F15A46-7242-4EAE-986E-9A7DBE7724ED", "versionEndIncluding": "2.4.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "CD1B5B42-ECA9-4888-B18E-AD8D282311DB", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "9EF03304-032C-4E85-A802-7CDAC89216FA", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "311BEFF3-A58A-4CA8-BE09-F8D081EA13A8", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "D7D2A1F8-82FF-4C1A-A872-71D93874EEAD", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "86E79BB0-6017-441C-9B10-00E55FDF0986", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "CA845882-C0F4-4522-94B2-9AA21A08887A", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "48F341A8-0AC8-4033-8C99-0249B7289F9E", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "4CE1A520-762B-4A35-8075-ED4ECA0A1CB3", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.8:*:*:*:*:*:*:*", "matchCriteriaId": "9803CBE2-80A6-47EB-A782-CC8F1E66FBD9", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "05112EC5-3AAA-499B-8763-345187529C09", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "71407960-077B-4407-B249-789436687D91", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "72728F94-D408-4CAD-A214-800B1D1C7971", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "33C1E9B5-6B2B-4230-92F2-EC0FB307ECF4", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "6925A366-37EB-41ED-85C8-B56D6A93D4EB", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.6.5:*:*:*:*:*:*:*", "matchCriteriaId": "A6400F9D-9654-444F-9EBB-0F73025AD744", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "4E051AAC-EB40-491F-AF0E-EE8143C12567", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "FADBE87F-1855-453B-B958-0CB8A7908A06", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "1B53A7D2-BDA2-4185-97C3-977A04876A37", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "lib/setup.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide charset information in HTTP headers, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 characters during interaction with AJAX scripts."}, {"lang": "es", "value": "lib/setup.php en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.7.3 no proporciona informaci\u00f3n charset en cabeceras HTTP, lo que podr\u00eda permitir a atacantes remotos realizar ataques de XSS a trav\u00e9s de caracteres UTF-7 durante la interacci\u00f3n con secuencias de comandos AJAX."}], "id": "CVE-2014-9059", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-11-24T11:59:14.183", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47966"}, {"source": "cve@mitre.org", "url": "http://openwall.com/lists/oss-security/2014/11/17/11"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/71133"}, {"source": "cve@mitre.org", "url": "http://www.securitytracker.com/id/1031215"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://moodle.org/mod/forum/discuss.php?d=275146"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47966"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://openwall.com/lists/oss-security/2014/11/17/11"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/71133"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1031215"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://moodle.org/mod/forum/discuss.php?d=275146"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}