GHSA-fx5h-3786-h2w6

Source
https://github.com/advisories/GHSA-fx5h-3786-h2w6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fx5h-3786-h2w6/GHSA-fx5h-3786-h2w6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fx5h-3786-h2w6
Aliases
Published
2022-05-13T01:12:57Z
Modified
2024-12-08T05:25:05.286654Z
Summary
PHP Spellchecker addon for TinyMCE allows attackers to trigger arbitrary outbound HTTP requests
Details

classes/GoogleSpell.php in the PHP Spellchecker (aka Google Spellchecker) addon before 2.0.6.1 for TinyMCE, as used in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 and other products, does not properly handle control characters, which allows remote attackers to trigger arbitrary outbound HTTP requests via a crafted string.

Database specific
{
    "nvd_published_at": "2013-01-27T22:55:00Z",
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-25T20:27:58Z"
}
References

Affected packages

Packagist / moodle/moodle

Package

Name
moodle/moodle
Purl
pkg:composer/moodle/moodle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.0
Fixed
2.1.10

Packagist / moodle/moodle

Package

Name
moodle/moodle
Purl
pkg:composer/moodle/moodle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0
Fixed
2.2.7

Packagist / moodle/moodle

Package

Name
moodle/moodle
Purl
pkg:composer/moodle/moodle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.0
Fixed
2.3.4

Packagist / moodle/moodle

Package

Name
moodle/moodle
Purl
pkg:composer/moodle/moodle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.4.0
Fixed
2.4.1

Affected versions

2.*

2.4.0

v2.*

v2.4.0