Miggo Logo
Miggo Vulnerability Database
CVE-2013-7341

CVE-2013-7341: Moodle cross-site scripting (XSS) vulnerabilities

4.3

CVSS Score

Basic Information

CVE ID
CVE-2013-7341
GHSA ID
GHSA-j6c3-3c4w-qv8p
EPSS Score
0.49119%
CWE
CWE-79
Published
5/13/2022
Updated
2/7/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
AV:N/AC:M/Au:N/C:N/I:P/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
moodle/moodlecomposer< 2.4.92.4.9
moodle/moodlecomposer>= 2.5.0, < 2.5.52.5.5
moodle/moodlecomposer>= 2.6.0, < 2.6.22.6.2
typo3/cmscomposer>= 6.2.0, < 6.2.146.2.14
typo3/cmscomposer>= 7.0.0, < 7.3.17.3.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability description explicitly cites two attack vectors: (1) crafted playerId and (2) external domain references. The commit diff shows Flowplayer was upgraded to 3.2.17 which added same-domain checks for plugins/configs (visible in README.txt changes). The JavaScript files (flowplayer-3.2.13.js) contain code modifications enforcing domain validation. The removal of flowplayer-3.2.12.min.js and addition of patched versions indicates the vulnerable code resided in Flowplayer's resource loading logic, specifically in functions handling plugin initialization and external domain references.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Multipl* *ross-sit* s*riptin* (XSS) vuln*r**iliti*s in *lowpl*y*r *l*s* ***or* *.*.**, *s us** in Moo*l* t*rou** *.*.**, *.*.x ***or* *.*.*, *.*.x ***or* *.*.*, *n* *.*.x ***or* *.*.*, *llow r*mot* *tt**k*rs to inj**t *r*itr*ry w** s*ript or *TML *y

Reasoning

T** vuln*r**ility **s*ription *xpli*itly *it*s two *tt**k v**tors: (*) *r**t** pl*y*rI* *n* (*) *xt*rn*l *om*in r***r*n**s. T** *ommit *i** s*ows *lowpl*y*r w*s up*r**** to `*.*.**` w*i** ***** s*m*-*om*in ****ks *or `plu*ins/*on*i*s` (visi*l* in `R*