CVE-2024-28593

The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor's Using_Chat page says "If you know some HTML code, you can use it in your text to do things like insert images, play sounds or create different coloured and sized text." This page also says "Chat is due to be removed from standard Moodle."
Configurations

No configuration.

History

21 Nov 2024, 09:06

Type Values Removed Values Added
References () https://docs.moodle.org/403/en/Using_Chat - () https://docs.moodle.org/403/en/Using_Chat -
References () https://gist.githubusercontent.com/minendie/4f23174687bc4d8eb7f727d9959b5399/raw/9ce573cebcce5521d9d6f826ab68f3780036b874/CVE-2024-28593.txt - () https://gist.githubusercontent.com/minendie/4f23174687bc4d8eb7f727d9959b5399/raw/9ce573cebcce5521d9d6f826ab68f3780036b874/CVE-2024-28593.txt -
References () https://medium.com/%40lamscun/how-do-i-change-htmli-from-low-to-critical-your-email-box-is-safe-e7171efd88fe - () https://medium.com/%40lamscun/how-do-i-change-htmli-from-low-to-critical-your-email-box-is-safe-e7171efd88fe -

05 Nov 2024, 15:35

Type Values Removed Values Added
CWE CWE-94
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.4

11 Apr 2024, 01:25

Type Values Removed Values Added
Summary
  • (es) La actividad Chat en Moodle 4.3.3 permite a los estudiantes insertar un elemento HTML A o un elemento IMG potencialmente no deseado, o contenido HTML que conduce a una degradación del rendimiento. NOTA: la página Usando_Chat del proveedor dice "Si conoce algún código HTML, puede usarlo en su texto para hacer cosas como insertar imágenes, reproducir sonidos o crear texto de diferentes colores y tamaños". Esta página también dice "El chat debe eliminarse de Moodle estándar".

22 Mar 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-03-22 15:15

Updated : 2024-11-21 09:06


NVD link : CVE-2024-28593

Mitre link : CVE-2024-28593

CVE.ORG link : CVE-2024-28593


JSON object : View

Products Affected

No product.

CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')