Test ID:	1.3.6.1.4.1.25623.1.0.800628
Category:	Web application abuses
Title:	Claroline 'notfound.php' SQLi Vulnerability
Summary:	Claroline is prone to an SQL injection (SQLi) vulnerability.
Description:	Summary: Claroline is prone to an SQL injection (SQLi) vulnerability. Vulnerability Insight: The following flaws exist: - an error in 'claroline/linker/notfound.php' which is not properly sanitising input data passed via the 'Referer' header, before being returned to the user. - an error in 'group/group.php' which is not properly sanitising input data passed to the 'sort' parameter, before being used in an SQL query. Vulnerability Impact: Successful exploitation will allow attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Affected Software/OS: Claroline versions 1.8.11 and prior. Solution: Update to version 1.8.12 or later. CVSS Score: 4.3 CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2009-1907 BugTraq ID: 34883 http://www.securityfocus.com/bid/34883 Bugtraq: 20090508 Claroline v.1.8.11 Cross-Site Scripting (Google Search) http://www.securityfocus.com/archive/1/503365/100/0/threaded http://gsasec.blogspot.com/2009/05/claroline-v1811-cross-site-scripting.html http://www.securitytracker.com/id?1022198 http://secunia.com/advisories/35019 XForce ISS Database: claroline-notfound-xss(50404) https://exchange.xforce.ibmcloud.com/vulnerabilities/50404
Copyright	Copyright (C) 2009 Greenbone Networks GmbH

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.