CVE-2009-4302

Sažetak

login/index_form.html in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 links to an index page on the HTTP port even when the page is served from an HTTPS port, which might cause login credentials to be sent in cleartext, even when SSL is intended, and allows remote attackers to obtain these credentials by sniffing.

Reference

http://docs.moodle.org/en/Moodle_1.8.11_release_notes
http://docs.moodle.org/en/Moodle_1.9.7_release_notes
http://moodle.org/mod/forum/discuss.php?d=139107
http://secunia.com/advisories/37614
http://www.securityfocus.com/bid/37244
http://www.vupen.com/english/advisories/2009/3455
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00704.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00730.html
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00751.html

CVSS

Base:	5.0
Impact:	2.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	NONE

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:N/A:N

Zadnje važnije ažuriranje

01-12-2020 - 14:43

Objavljeno

16-12-2009 - 01:30