CVE-2013-4940 — Cross-site Scripting in Moodle
Severity
4.3 MEDIUM (NVD)
EPSS
0.3%
top 42.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 29
Latest update: May 13
Description
Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility component in Yahoo! YUI 3.10.2, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. NOTE: this vulnerability exists because of a CVE-2013-4939 regression.
CVSS vector
AV:N/AC:M/C:N/I:P/A:N
Exploitability: 8.6 | Impact: 2.9
Affected Packages: 4 packages
Bugzilla
CVE-2013-2242 CVE-2013-2243 CVE-2013-2244 CVE-2013-2245 CVE-2013-2246 CVE-2013-4938 CVE-2013-4939 CVE-2013-4940 CVE-2013-4941 CVE-2013-4942 moodle: upstream 2.5.1, 2.4.5, 2.3.8, 2.2.11 security fixes (2013-07-18)