Bug 769897 (CVE-2011-4203)

Summary: CVE-2011-4203 Moodle CRLF injection vulnerability in calendar/set.php
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: gwync
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-01-03 16:42:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Kurt Seifried 2011-12-22 16:29:18 UTC
Reference: MISC:http://penturalabs.wordpress.com/2011/12/13/advisory-crlf-injection-vulnerability-in-moodle/
Reference: MISC:http://tracker.moodle.org/browse/MDL-24808

CRLF injection vulnerability in calendar/set.php in the Calendar
component in Moodle 1.9.x before 1.9.15, 2.0.x before 2.0.6, 2.1.x
before 2.1.3, and 2.2 allows remote attackers to inject arbitrary HTTP
headers and conduct HTTP response splitting attacks via vectors
involving the url variable.
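The description above names the vulnerability class (CRLF injection into a redirect header via the `url` parameter) without showing what the fix looks like or how to spot attempts in logs. The following is an added example, not Moodle's code nor anything from this bug report, written in Python rather than Moodle's PHP. It assumes a hypothetical application that redirects to a user-supplied `url` parameter; the function names (`validate_redirect_target`, `find_crlf_attempts`), the allowlisted host `moodle.example.test`, and the access-log lines are all constructed for the example. It shows the two checks a defender wants: percent-decode first, then refuse any control character before the value goes anywhere near a header, and restrict the destination to same-site paths or an allowlisted origin; and a small log scan that flags `url` values containing CR or LF after decoding.

```python
"""Added example (not Moodle's code): validate a redirect target before it
reaches a Location header, and scan access logs for CRLF attempts.

The unsafe pattern this guards against is passing the raw ``url``
parameter straight into the response header. All names, the allowlisted
host and the sample log lines below are constructed for this example.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Any ASCII control character (CR, LF, NUL, TAB, ...) is forbidden in a
# header value; a CR/LF pair is what ends one header and starts the next.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Constructed allowlist of origins the application may redirect to.
ALLOWED_HOSTS = frozenset({"moodle.example.test"})


class UnsafeRedirect(ValueError):
    """Raised when a redirect target must not be placed in a Location header."""


def validate_redirect_target(raw: str) -> str:
    """Return ``raw`` if it is safe to use as a Location header value.

    Order matters: the web server hands the application a decoded value,
    so decode before checking (an encoded ``%0d%0a`` must be treated like
    a literal CR LF), and check for control characters *before* calling
    urlsplit, which silently strips CR, LF and TAB from its input.
    """
    decoded = unquote(raw)
    if _CONTROL_CHARS.search(decoded):
        raise UnsafeRedirect("control character in redirect target")
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative ("//host") target: only https to an
        # allowlisted host is acceptable. This branch also catches
        # "javascript:" and similar schemes, which have no netloc.
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            raise UnsafeRedirect("redirect to unexpected origin or scheme")
        return decoded
    # Relative target: require a path starting at the site root.
    if not decoded.startswith("/"):
        raise UnsafeRedirect("relative redirect must be an absolute path")
    return decoded


def is_safe_redirect_target(raw: str) -> bool:
    """Boolean form of validate_redirect_target, convenient for checks."""
    try:
        validate_redirect_target(raw)
    except UnsafeRedirect:
        return False
    return True


def build_location_header(raw: str) -> str:
    """Build the single header line the server would emit, or raise."""
    return "Location: " + validate_redirect_target(raw)


# Constructed Apache-style access log lines; the second one carries an
# encoded CR LF in the url parameter.
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [13/Dec/2011:10:00:01 +0000] '
    '"GET /calendar/set.php?url=/calendar/ HTTP/1.1" 303 0',
    '198.51.100.7 - - [13/Dec/2011:10:00:05 +0000] '
    '"GET /calendar/set.php?url=/x%0d%0aX-Injected:%201 HTTP/1.1" 303 0',
    '203.0.113.9 - - [13/Dec/2011:10:01:00 +0000] '
    '"GET /index.php HTTP/1.1" 200 1234',
]

_REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+)')


def find_crlf_attempts(log_lines):
    """Return (line number, decoded url value) for every request whose
    ``url`` query parameter contains CR or LF once percent-decoded."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = _REQUEST_LINE.search(line)
        if not match:
            continue
        # The logged request target is still percent-encoded, so urlsplit
        # sees no literal control characters here; parse_qs decodes them.
        query = urlsplit(match.group(1)).query
        for value in parse_qs(query).get("url", []):
            if "\r" in value or "\n" in value:
                hits.append((number, value))
    return hits


if __name__ == "__main__":
    print(build_location_header("/calendar/"))
    for number, value in find_crlf_attempts(SAMPLE_ACCESS_LOG):
        print(f"line {number}: CRLF in url parameter: {value!r}")
```

The decode-then-check ordering is the part most easily gotten wrong: a check that runs on the raw, still-encoded string, or after a URL parser has already dropped the newline characters, passes the value through unchanged.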

Comment 1 Gwyn Ciesla 2011-12-22 16:59:12 UTC
This is fixed in all Fedora and EPEL versions.