CVE-2019-14827

MEDIUM Year: 2019
CVSS v3 Score
6.1
Medium
CVSS v2 Score
4.3
Medium
Weakness Type
CWE-94
View all →

Vulnerability Description

A vulnerability was found in Moodle where javaScript injection was possible in some Mustache templates via recursive rendering from contexts. Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates. This affects versions 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions.

Related Vulnerabilities

CVE-2014-10065

MEDIUM
CVSS:6.1(Medium)

Certain input when passed into remarkable before 1.4.1 will bypass the bad protocol check that disallows the javascript: scheme allowing for javascript: url's to be injected into the rendered content.

CWE-942014

CVE-2016-10548

MEDIUM
CVSS:6.1(Medium)

Arbitrary code execution is possible in reduce-css-calc node module <=1.2.4 through crafted css. This makes cross sites scripting (XSS) possible on the client and arbitrary code injection possible on ...

CWE-942016

CVE-2017-1002152

MEDIUM
CVSS:6.1(Medium)

Bodhi 2.9.0 and lower is vulnerable to cross-site scripting resulting in code injection caused by incorrect validation of bug titles.

CWE-942017

CVE-2017-1248

MEDIUM
CVSS:6.1(Medium)

IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web bro...

CWE-942017

CVE-2017-14077

MEDIUM
CVSS:6.1(Medium)

HTML Injection in Securimage 3.6.4 and earlier allows remote attackers to inject arbitrary HTML into an e-mail message body via the $_SERVER['HTTP_USER_AGENT'] parameter to example_form.ajax.php or ex...

CWE-942017

CVE-2017-17649

MEDIUM
CVSS:6.1(Medium)

Readymade Video Sharing Script 3.2 has HTML Injection via the single-video-detail.php comment parameter.

CWE-942017