CVE-2011-4301
First published: Wed Jul 11 2012(Updated: )
The `MoodleQuickForm` class in the Forms Library in `lib/formslib.php` in Moodle 1.9.x before 1.9.14, 2.0.x before 2.0.5, and 2.1.x before 2.1.2 does not recognize Forms API `setConstant` operations, which allows remote attackers to submit unexpected form content by modifying the values of constant fields.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/moodle/moodle | >=2.1<2.1.2 | 2.1.2 |
| composer/moodle/moodle | >=2.0<2.0.5 | 2.0.5 |
| composer/moodle/moodle | <1.9.14 | 1.9.14 |
| Moodle | =1.9.2 | |
| Moodle | =1.9.3 | |
| Moodle | =1.9.4 | |
| Moodle | =1.9.5 | |
| Moodle | =1.9.6 | |
| Moodle | =1.9.7 | |
| Moodle | =1.9.8 | |
| Moodle | =1.9.9 | |
| Moodle | =1.9.10 | |
| Moodle | =1.9.11 | |
| Moodle | =1.9.12 | |
| Moodle | =1.9.13 | |
| Moodle | =2.0.0 | |
| Moodle | =2.0.1 | |
| Moodle | =2.0.2 | |
| Moodle | =2.0.3 | |
| Moodle | =2.0.4 | |
| Moodle | =2.1.0 | |
| Moodle | =2.1.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2011-4301
- https://bugzilla.redhat.com/show_bug.cgi?id=747444
- http://git.moodle.org/gw?p=moodle.git;a=commit;h=f1f70bd4dde6cd1ea4bdb8ab28fa3d36a53b89d8
- http://moodle.org/mod/forum/discuss.php?d=188313
- http://git.moodle.org/gw?p=moodle.git%3Ba=commit%3Bh=f1f70bd4dde6cd1ea4bdb8ab28fa3d36a53b89d8
- https://github.com/moodle/moodle/commit/1f52e72526c305989eadc702b5299edb2a50ac3c
- https://github.com/moodle/moodle/commit/2a44c5192c875c4f4b4e813d7227b19d8fda86ba
- https://github.com/moodle/moodle/commit/a6f18c98f43b6fc6b8b7c4e96af41cb4a626e1b8
- https://github.com/moodle/moodle/commit/f1f70bd4dde6cd1ea4bdb8ab28fa3d36a53b89d8
- https://github.com/advisories/GHSA-jcrj-gmr6-p5j8 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2011-4301?
CVE-2011-4301 is classified as having a medium severity, allowing attackers to exploit unexpected form submissions.
How do I fix CVE-2011-4301?
To fix CVE-2011-4301, upgrade to Moodle 1.9.14, 2.0.5, or 2.1.2 or later.
What versions of Moodle are affected by CVE-2011-4301?
Moodle versions affected by CVE-2011-4301 include 1.9.x before 1.9.14, 2.0.x before 2.0.5, and 2.1.x before 2.1.2.
What is the nature of the vulnerability in CVE-2011-4301?
The vulnerability in CVE-2011-4301 arises from the `MoodleQuickForm` class not properly handling Forms API `setConstant` operations.
Can CVE-2011-4301 lead to remote exploitation?
Yes, CVE-2011-4301 can potentially allow remote attackers to submit unexpected content through forms.
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-jcrj-gmr6-p5j8
- alias/CVE-2011-4301
- agent/software-canonical-lookup
- agent/weakness
- agent/references
- agent/severity
- agent/description
- agent/author
- agent/softwarecombine
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-historical
- collector/nvd-index
- package-manager/composer
- vendor/moodle
- canonical/moodle
- version/moodle/1.9.2
- version/moodle/1.9.3
- version/moodle/1.9.4
- version/moodle/1.9.5
- version/moodle/1.9.6
- version/moodle/1.9.7
- version/moodle/1.9.8
- version/moodle/1.9.9
- version/moodle/1.9.10
- version/moodle/1.9.11
- version/moodle/1.9.12
- version/moodle/1.9.13
- version/moodle/2.0.0
- version/moodle/2.0.1
- version/moodle/2.0.2
- version/moodle/2.0.3
- version/moodle/2.0.4
- version/moodle/2.1.0
- version/moodle/2.1.1