Synopsis
The remote Fedora host is missing a security update.
Description
Latest upstreams, multiple security fixes.
Name: CVE-2013-6780 URL:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6780 Assigned:
20131112 Reference:
https://yuilibrary.com/support/20131111-vulnerability/
Cross-site scripting (XSS) vulnerability in uploader.swf in the Uploader component in Yahoo! YUI 2.5.0 through 2.9.0 allows remote attackers to inject arbitrary web script or HTML via the allowedDomain parameter.
Name: CVE-2013-3630 URL:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3630 [Open'>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3630'>Op en URL] Assigned: 20130521 Reference:
https://community.rapid7.com/community/metasploit/blog/2013/10/30/seve n-foss-disclosures-part-one [Open'>https://community.rapid7.com/community/metasploit/blog/2013/10/ 30/seven-foss-disclosures-part-one'>Open URL] Reference:
https://community.rapid7.com/community/metasploit/blog/2013/10/30/seve n-tricks-and-treats [Open'>https://community.rapid7.com/community/metasploit/blog/2013/10/ 30/seven-tricks-and-treats'>Open URL]
Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a spell-check operation within the TinyMCE editor.
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Solution
Update the affected moodle package.
Plugin Details
File Name: fedora_2013-21312.nasl
Agent: unix
Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:H/Au:S/C:P/I:P/A:P
Vulnerability Information
CPE: p-cpe:/a:fedoraproject:fedora:moodle, cpe:/o:fedoraproject:fedora:20
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list
Exploit Ease: Exploits are available
Patch Publication Date: 11/14/2013
Exploitable With
Metasploit (Moodle Remote Command Execution)