Vulnerability Details : CVE-2012-6112
classes/GoogleSpell.php in the PHP Spellchecker (aka Google Spellchecker) addon before 2.0.6.1 for TinyMCE, as used in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 and other products, does not properly handle control characters, which allows remote attackers to trigger arbitrary outbound HTTP requests via a crafted string.
Products affected by CVE-2012-6112
- cpe:2.3:a:moodle:moodle:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:moodle:moodle:2.1.9:*:*:*:*:*:*:*
- cpe:2.3:a:tinymce:spellchecker_php:2.0:b2:*:*:*:*:*:*
- cpe:2.3:a:tinymce:spellchecker_php:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:tinymce:spellchecker_php:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:tinymce:spellchecker_php:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:tinymce:spellchecker_php:2.0:b1:*:*:*:*:*:*
- cpe:2.3:a:tinymce:spellchecker_php:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:tinymce:spellchecker_php:2.0:a2:*:*:*:*:*:*
- cpe:2.3:a:tinymce:spellchecker_php:2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:tinymce:spellchecker_php:2.0:a1:*:*:*:*:*:*
- cpe:2.3:a:tinymce:spellchecker_php:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:tinymce:spellchecker_php:2.0:b3:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-6112
- 0.64%: probability of exploitation activity in the next 30 days
- ~77%: percentile, the proportion of vulnerabilities that are scored at or below this score
CVSS scores for CVE-2012-6112
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
CWE ids for CVE-2012-6112
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-6112
- https://github.com/tinymce/tinymce_spellchecker_php/commit/22910187bfb9edae90c26e10100d8145b505b974 (Fixed security issue with google spellchecker · tinymce/tinymce_spellchecker_php@2291018 · GitHub)
- http://www.tinymce.com/develop/changelog/?type=phpspell (TinyMCE | Changelog)
- http://www.tinymce.com/forum/viewtopic.php?id=30036 (Vendor Advisory)
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37283 (Official Moodle git projects - moodle.git/search)
- http://openwall.com/lists/oss-security/2013/01/21/1 (oss-security - Moodle security notifications public)
- https://moodle.org/mod/forum/discuss.php?d=220157 (Moodle.org: MSA-13-0001: Security issue in Google Spellchecker in TinyMCE)