SB2012071604 - Multiple vulnerabilities in Moodle
Published: July 16, 2012 Updated: August 11, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2011-4287)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
admin/uploaduser_form.php in Moodle 2.0.x before 2.0.3 does not force password changes for autosubscribed users, which makes it easier for remote attackers to obtain access by leveraging knowledge of the initial password of a new user.
2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2011-4288)
The vulnerability allows a remote #AU# to gain access to sensitive information.
Moodle 1.9.x before 1.9.12 and 2.0.x before 2.0.3 does not properly implement associations between teachers and groups, which allows remote authenticated users to read quiz reports of arbitrary students by leveraging the teacher role.
3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2011-4289)
The vulnerability allows a remote #AU# to gain access to sensitive information.
Moodle 2.0.x before 2.0.3 does not recognize the configuration setting that makes e-mail addresses visible only to course members, which allows remote authenticated users to obtain sensitive address information by reading a full profile page.
4) Input validation error (CVE-ID: CVE-2011-4291)
The vulnerability allows a remote #AU# to perform service disruption.
Moodle 2.0.x before 2.0.3 allows remote authenticated users to cause a denial of service (invalid database records) via a series of crafted ratings operations.
5) SQL injection (CVE-ID: CVE-2011-4292)
The vulnerability allows a remote #AU# to perform service disruption.
Moodle 2.0.x before 2.0.3 allows remote authenticated users to cause a denial of service (invalid database records) via a series of crafted comments operations.
Remediation
Install update from vendor's website.
References
- http://git.moodle.org/gw?p=moodle.git;a=commit;h=22a77963439e00441949440f0517135b3a5418da
- http://moodle.org/mod/forum/discuss.php?d=175588
- http://openwall.com/lists/oss-security/2011/11/14/1
- http://git.moodle.org/gw?p=moodle.git;a=commit;h=79c6e3a0968ee1fedcf8a1f14f8086fcd9dbd3f6
- http://moodle.org/mod/forum/discuss.php?d=175590
- http://git.moodle.org/gw?p=moodle.git;a=commit;h=181991e791a13a3c383234718c26c499e31d3df1
- http://moodle.org/mod/forum/discuss.php?d=175591
- http://git.moodle.org/gw?p=moodle.git;a=commit;h=34b5e856b0c98aab3f5317119093628df0834957
- http://moodle.org/mod/forum/discuss.php?d=175593
- http://git.moodle.org/gw?p=moodle.git;a=commit;h=acb4688d29a7cc028803ee3d81edc7f1b6515c64
- http://moodle.org/mod/forum/discuss.php?d=175594