ID CVE-2009-4302
Summary login/index_form.html in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 links to an index page on the HTTP port even when the page is served from an HTTPS port, which might cause login credentials to be sent in cleartext, even when SSL is intended, and allows remote attackers to obtain these credentials by sniffing.
References
Vulnerable Configurations
  • cpe:2.3:a:moodle:moodle:1.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:moodle:moodle:1.8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:moodle:moodle:1.8.3:*:*:*:*:*:*:*
  • cpe:2.3:a:moodle:moodle:1.8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:moodle:moodle:1.8.5:*:*:*:*:*:*:*
  • cpe:2.3:a:moodle:moodle:1.8.7:*:*:*:*:*:*:*
  • cpe:2.3:a:moodle:moodle:1.8.8:*:*:*:*:*:*:*
  • cpe:2.3:a:moodle:moodle:1.8.9:*:*:*:*:*:*:*
  • cpe:2.3:a:moodle:moodle:1.8.10:*:*:*:*:*:*:*
  • cpe:2.3:a:moodle:moodle:1.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:moodle:moodle:1.9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:moodle:moodle:1.9.3:*:*:*:*:*:*:*
  • cpe:2.3:a:moodle:moodle:1.9.4:*:*:*:*:*:*:*
  • cpe:2.3:a:moodle:moodle:1.9.5:*:*:*:*:*:*:*
  • cpe:2.3:a:moodle:moodle:1.9.6:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 01-12-2020 - 14:43)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: NONE
Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
refmap via4
bid 37244
confirm
fedora
  • FEDORA-2009-13040
  • FEDORA-2009-13065
  • FEDORA-2009-13080
secunia 37614
vupen ADV-2009-3455
Last major update 01-12-2020 - 14:43
Published 16-12-2009 - 01:30
Last modified 01-12-2020 - 14:43