CVE-2011-4294
moodle - several
EPSS 0.40%
Description
The error-message functionality in Moodle 1.9.x before 1.9.13, 2.0.x before 2.0.4, and 2.1.x before 2.1.1 does not ensure that a continuation link refers to an http or https URL for the local Moodle instance, which might allow attackers to trick users into visiting arbitrary web sites via error message links that lead offsite.
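A same-site check of the kind this description calls for, written here as an added illustration rather than taken from Moodle's own code; the site URL, function names and sample links are constructed for the example:

```python
from urllib.parse import urljoin, urlsplit

# Constructed example value standing in for the local Moodle instance's root URL.
SITE_URL = "https://moodle.example.org/moodle"

def _effective_port(parts) -> int:
    """Explicit port if given, otherwise the scheme's default (80/443)."""
    return parts.port or (443 if parts.scheme == "https" else 80)

def is_local_continue_url(candidate: str, site_url: str = SITE_URL) -> bool:
    """True only if the link is an http/https URL on the local site.

    Relative paths ("/course/view.php") are resolved against the site and
    accepted. Other schemes, other hosts or ports, and protocol-relative
    links ("//other.example/...") are rejected.
    """
    if not isinstance(candidate, str) or not candidate.strip():
        return False
    # Browsers treat a backslash like a slash, so normalise before parsing,
    # or "/\other.example" would look like a local path here but not there.
    candidate = candidate.strip().replace("\\", "/")
    if candidate.startswith("//"):
        return False
    try:
        site = urlsplit(site_url)
        target = urlsplit(urljoin(site_url, candidate))
        if target.scheme not in ("http", "https"):
            return False
        # .hostname drops userinfo, so "moodle.example.org@other.example"
        # compares as other.example; hostnames come back lower-cased.
        if not target.hostname or target.hostname != site.hostname:
            return False
        # An explicit port must match the port the site actually serves on.
        if target.port is not None and target.port != _effective_port(site):
            return False
    except ValueError:  # malformed netloc or non-numeric port
        return False
    return True

def safe_continue_url(candidate: str, site_url: str = SITE_URL) -> str:
    """Return the link if it is local, otherwise fall back to the site root."""
    if is_local_continue_url(candidate, site_url):
        return urljoin(site_url, candidate.strip().replace("\\", "/"))
    return site_url
```

Falling back to the site root rather than rejecting the request outright keeps the error page usable while removing the offsite redirect.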
How to fix CVE-2011-4294
To remediate CVE-2011-4294, upgrade the affected package to a fixed version below.
- Debian/moodle—upgrade to 1.9.9.dfsg2-2.1+squeeze2 or later
- Packagist/moodle/moodle—upgrade to 1.9.13 or later
Is CVE-2011-4294 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Debian/moodle: from 0, < 1.9.9.dfsg2-2.1+squeeze2
- Packagist/moodle/moodle: from 0, < 1.9.13