CVE-2012-6112 — PHP Spellchecker addon for TinyMCE allows attackers to trigger arbitrary outboun

Description

classes/GoogleSpell.php in the PHP Spellchecker (aka Google Spellchecker) addon before 2.0.6.1 for TinyMCE, as used in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 and other products, does not properly handle control characters, which allows remote attackers to trigger arbitrary outbound HTTP requests via a crafted string.

How to fix CVE-2012-6112

To remediate CVE-2012-6112, upgrade the affected package to a fixed version below.

Debian/wordpress—upgrade to 3.5.1+dfsg-2 or later
—upgrade to 2.1.10 or later

Is CVE-2012-6112 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 3.5.1+dfsg-2
>= 2.1.0, < 2.1.10

References (13)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-6112
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2012-6112
PATCHgithub.com/moodle/moodle
WEBgit.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37283
WEB