Claroline » Claroline : Security Vulnerabilities

CVSS Scores Greater Than: 0 1 2 3 4 5 6 7 8 9

Sort Results By : CVE Number Descending CVE Number Ascending CVSS Score Descending Number Of Exploits Descending

#	CVE ID	CWE ID	Vulnerability Type(s)	Publish Date	Update Date	Score	Gained Access Level	Access	Complexity	Authentication	Conf.	Integ.	Avail.
1	CVE-2013-6267	79	XSS	2013-12-05	2017-08-29	4.3	None	Remote	Medium	Not required	None	Partial	None
Multiple cross-site scripting (XSS) vulnerabilities in Claroline before 1.11.9 allow remote attackers to inject arbitrary web script or HTML via the (1) box parameter to messaging/messagebox.php, cidToEdit parameter to (2) adminregisteruser.php or (3) admin_user_course_settings.php in admin/, (4) module_id parameter to admin/module/module.php, or (5) offset parameter to admin/right/profile_list.php.
2	CVE-2013-4753	79	XSS	2014-12-26	2014-12-29	3.5	None	Remote	Medium	???	None	Partial	None
Multiple cross-site scripting (XSS) vulnerabilities in Claroline 1.11.9 and earlier allow remote authenticated users to inject arbitrary web script or HTML via (1) the Search field in an inbox action to messaging/messagebox.php, (2) the "First name" field to auth/profile.php, or (3) the Speakers field in an rqAdd action to calendar/agenda.php.
3	CVE-2011-3716	200	+Info	2011-09-23	2012-03-13	5.0	None	Remote	Low	Not required	Partial	None	None
Claroline 1.9.7 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by work/connector/linker.cnr.php and certain other files.
4	CVE-2009-1907	79	XSS	2009-06-04	2018-10-10	4.3	None	Remote	Medium	Not required	None	Partial	None
Cross-site scripting (XSS) vulnerability in claroline/linker/notfound.php in Claroline 1.8.11 allows remote attackers to inject arbitrary web script or HTML via the Referer HTTP header.
5	CVE-2008-3315	79	XSS	2008-07-25	2018-10-11	4.3	None	Remote	Medium	Not required	None	Partial	None
Multiple cross-site scripting (XSS) vulnerabilities in Claroline 1.8.10 allow remote attackers to inject arbitrary web script or HTML via the (1) query string to (a) announcements/messages.php; (b) lostPassword.php and (c) profile.php in auth/; (d) calendar/myagenda.php; (e) group/group.php; (f) learningPath.php, (g) learningPathList.php, and (h) module.php in learnPath/; (i) phpbb/index.php; (j) courseLog.php, (k) course_access_details.php, (l) delete_course_stats.php, (m) userLog.php, and (n) user_access_details.php in tracking/; (o) user/user.php; and (p) user/userInfo.php; the (2) view parameter to (q) tracking/courseLog.php; and the (3) toolId parameter to (r) tracking/toolaccess_details.php. NOTE: this may overlap CVE-2006-3257 and CVE-2005-1374.
6	CVE-2008-3262	352	CSRF	2008-07-22	2018-10-11	5.8	None	Remote	Medium	Not required	Partial	Partial	None
Cross-site request forgery (CSRF) vulnerability in Claroline before 1.8.10 allows remote attackers to change passwords, related to lack of a requirement for the previous password.
7	CVE-2008-3261	59		2008-07-22	2018-10-11	4.3	None	Remote	Medium	Not required	None	Partial	None
Open redirect vulnerability in claroline/redirector.php in Claroline before 1.8.10 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.
8	CVE-2008-3260	79	XSS	2008-07-22	2018-10-11	4.3	None	Remote	Medium	Not required	None	Partial	None
Multiple cross-site scripting (XSS) vulnerabilities in Claroline before 1.8.10 allow remote attackers to inject arbitrary web script or HTML via (1) the cwd parameter in a rqMkHtml action to document/rqmkhtml.php, or the query string to (2) announcements/announcements.php, (3) calendar/agenda.php, (4) course/index.php, (5) course_description/index.php, (6) document/document.php, (7) exercise/exercise.php, (8) group/group_space.php, (9) phpbb/newtopic.php, (10) phpbb/reply.php, (11) phpbb/viewtopic.php, (12) wiki/wiki.php, or (13) work/work.php in claroline/.
9	CVE-2007-4742	20	XSS +Info	2007-09-06	2012-10-30	4.3	None	Remote	Medium	Not required	Partial	None	None
Claroline before 1.8.6 allows remote authenticated administrators to obtain sensitive information via an invalid value in the sort parameter to admin/adminusers.php, which reveals the path in an error message in some circumstances, as demonstrated by a parameter value containing an XSS sequence.
10	CVE-2007-4741	79	XSS	2007-09-06	2008-09-05	3.5	None	Remote	Medium	???	None	Partial	None
Cross-site scripting (XSS) vulnerability in admin/adminusers.php in Claroline before 1.8.6 allows remote authenticated administrators to inject arbitrary web script or HTML via the sort parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
11	CVE-2007-4718	22	Dir. Trav.	2007-09-05	2011-03-08	5.1	None	Remote	High	Not required	Partial	Partial	Partial
Directory traversal vulnerability in inc/lib/language.lib.php in Claroline before 1.8.6 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter.
12	CVE-2007-4717	79	XSS	2007-09-05	2011-03-08	3.5	None	Remote	Medium	???	None	Partial	None
Multiple cross-site scripting (XSS) vulnerabilities in Claroline before 1.8.6 allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) dir parameter in admin/adminusers.php, the (2) action parameter in admin/advancedUserSearch.php, and the (3) view parameter in admin/campusProblem.php.
13	CVE-2007-3517		XSS	2007-07-03	2011-03-08	4.3	None	Remote	Medium	Not required	None	Partial	None
Multiple cross-site scripting (XSS) vulnerabilities in Claroline 1.8.3 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO (PHP_SELF) to (1) index.php, (2) demo/claroline170/index.php, and possibly other scripts.
14	CVE-2006-7048		Exec Code File Inclusion	2007-02-24	2008-09-05	7.5	None	Remote	Low	Not required	Partial	Partial	Partial
Multiple PHP remote file inclusion vulnerabilities in Claroline 1.7.5 allow remote attackers to execute arbitrary PHP code via a URL in the (1) clarolineRepositorySys parameter to (a) atutor.inc.php (b) db-generic.inc.php (c) docebo.inc.php (d) dokeos.1.6.inc.php (e) dokeos.inc.php (f) ganesha.inc.php (g) mambo.inc.php (h) moodle.inc.php (i) phpnuke.inc.php (j) postnuke.inc.php and (k) spip.inc.php in claroline/auth/extauth/drivers/; (2) includePath parameter in mambo.inc.php, postnuke.inc.php, and (l) inc/lib/event/init_event_manager.inc.php; and (3) rootSys parameter in (m) inc/lib/export_exe_tracking.class.php, a different set of vectors than CVE-2006-2284.
15	CVE-2006-5256		Exec Code File Inclusion	2006-10-12	2018-10-17	7.5	None	Remote	Low	Not required	Partial	Partial	Partial
PHP remote file inclusion vulnerability in claroline/inc/lib/import.lib.php in Claroline 1.8.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the includePath parameter.
16	CVE-2006-4844	94	Exec Code File Inclusion	2006-09-19	2017-07-20	5.1	None	Remote	High	Not required	Partial	Partial	Partial
PHP remote file inclusion vulnerability in inc/claro_init_local.inc.php in Claroline 1.7.7 and earlier, as used in Dokeos and possibly other products, allows remote attackers to execute arbitrary PHP code via a URL in the extAuthSource[newUser] parameter.
17	CVE-2006-3257		XSS	2006-06-28	2018-10-18	4.3	None	Remote	Medium	Not required	None	Partial	None
Multiple cross-site scripting (XSS) vulnerabilities in Claroline 1.7.7 allow remote attackers to inject arbitrary HTML or web script via unspecified attack vectors, possibly including (1) calendar/myagenda.php, (2) document/document.php, (3) phpbb/newtopic.php, (4) tracking/userLog.php, and (5) wiki/page.php.
18	CVE-2006-2868		Exec Code File Inclusion	2006-06-06	2017-10-19	5.1	None	Remote	High	Not required	Partial	Partial	Partial
Multiple PHP remote file inclusion vulnerabilities in Claroline 1.7.6 allow remote attackers to execute arbitrary PHP code via a URL in the includePath cookie to (1) auth/extauth/drivers/mambo.inc.php or (2) auth/extauth/drivers/postnuke.inc.php.
19	CVE-2006-2284		Exec Code File Inclusion	2006-05-10	2018-10-18	6.8	None	Remote	Medium	Not required	Partial	Partial	Partial
Multiple PHP remote file inclusion vulnerabilities in Claroline 1.7.5 allow remote attackers to execute arbitrary PHP code via a URL in the (1) clarolineRepositorySys parameter in ldap.inc.php and the (2) claro_CasLibPath parameter in casProcess.inc.php.
20	CVE-2006-1596		Exec Code File Inclusion	2006-04-03	2017-10-19	7.5	None	Remote	Low	Not required	Partial	Partial	Partial
PHP remote file inclusion vulnerability in learnPath/include/scormExport.inc.php in Claroline 1.7.4 and earlier allows remote attackers to execute arbitrary PHP code via the includePath parameter.
21	CVE-2006-1595		XSS	2006-04-03	2017-10-19	4.3	None	Remote	Medium	Not required	Partial	None	None
Cross-site scripting (XSS) vulnerability in document/rqmkhtml.php in Claroline 1.7.4 and earlier allows remote attackers to read arbitrary files via ".." sequences in the file parameter in a rqEditHtml command.
22	CVE-2006-1594		Exec Code Dir. Trav.	2006-04-03	2017-10-11	7.5	None	Remote	Low	Not required	Partial	Partial	Partial
Multiple directory traversal vulnerabilities in document/rqmkhtml.php in Claroline 1.7.4 and earlier allow remote attackers to use ".." (dot dot) sequences to (1) read arbitrary files via the file parameter in a rqEditHtml command to document/rqmkhtml.php or (2) execute arbitrary code via the includePath parameter to learnPath/include/scormExport.inc.php.
23	CVE-2006-0411		+Priv	2006-01-25	2017-07-20	10.0	None	Remote	Low	Not required	Complete	Complete	Complete
claro_init_local.inc.php in Claroline 1.7.2 uses guessable session cookies (MD5 hash of connection time), which allows remote attackers to hijack sessions and possibly gain administrative privileges.
24	CVE-2005-1377		Exec Code File Inclusion	2005-05-03	2017-07-11	7.5	None	Remote	Low	Not required	Partial	Partial	Partial
Multiple PHP remote file inclusion vulnerabilities in Claroline 1.5.3 through 1.6 Release Candidate 1, and possibly Dokeos, allow remote attackers to execute arbitrary PHP code via unknown vectors.
25	CVE-2005-1376		Dir. Trav.	2005-05-03	2017-07-11	7.5	None	Remote	Low	Not required	Partial	Partial	Partial
Multiple directory traversal vulnerabilities in (1) document.php or (2) insertMyDoc.php in Claroline 1.5.3 through 1.6 Release Candidate 1, and possibly Dokeos, allow remote project administrators to upload arbitrary files.
26	CVE-2005-1375		Exec Code Sql	2005-05-03	2017-07-11	7.5	None	Remote	Low	Not required	Partial	Partial	Partial
Multiple SQL injection vulnerabilities in Claroline 1.5.3 through 1.6 Release Candidate 1, and possibly Dokeos, allow remote attackers to execute arbitrary SQL commands via (1) learningPath.php, (2) learningPathAdmin.php, (3) learnPath_details.php, (4) modules_pool.php, (5) module.php, (6) uInfo parameter in userInfo.php, or (7) exo_id parameter to exercises_details.php.
27	CVE-2005-1374		XSS	2005-05-03	2017-07-11	6.8	None	Remote	Medium	Not required	Partial	Partial	Partial
Multiple cross-site scripting (XSS) vulnerabilities in Claroline 1.5.3 through 1.6 Release Candidate 1, and possibly Dokeos, allow remote attackers to inject arbitrary web script or HTML via (1) exercise_result.php, (2) exercice_submit.php, (3) agenda.php, (4) learningPathList.php, (5) learningPathAdmin.php, (6) learningPath.php, (7) userLog.php, (8) tool parameter to toolaccess_details.php, (9) data parameter to user_access_details.php, or (10) coursePath parameter to myagenda.php.

Total number of vulnerabilities : 27 Page : 1 (This Page)