SB2012112101 - Multiple vulnerabilities in Moodle
Published: November 21, 2012 Updated: August 11, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 secuirty vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2012-5473)
The vulnerability allows a remote #AU# to gain access to sensitive information.
The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to read activity entries of a different group's users via an advanced search.
2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-5479)
The vulnerability allows a remote #AU# to read and manipulate data.
The Portfolio plugin in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to upload and execute files via a modified Portfolio API callback.
3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-5480)
The vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.
The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote attackers to bypass intended restrictions on reading other participants' entries via an advanced search.
4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-5481)
The vulnerability allows a remote #AU# to gain access to sensitive information.
Moodle 2.3.x before 2.3.3 allows remote authenticated users to bypass the moodle/role:manage capability requirement and read all capability data by visiting the Check Permissions page.
5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-5471)
The vulnerability allows a remote #AU# to read and manipulate data.
The Dropbox Repository File Picker in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to access the Dropbox of a different user by leveraging an unattended workstation after a logout.
6) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-5472)
The vulnerability allows a remote #AU# to manipulate data.
lib/formslib.php in Moodle 2.2.x before 2.2.6 and 2.3.x before 2.3.3 allows remote authenticated users to bypass intended access restrictions via a modified value of a frozen form field.
Remediation
Install update from vendor's website.
References
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34448
- http://openwall.com/lists/oss-security/2012/11/19/1
- http://www.securityfocus.com/bid/56505
- https://moodle.org/mod/forum/discuss.php?d=216157
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-33791
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36346
- https://moodle.org/mod/forum/discuss.php?d=216159
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35558
- https://moodle.org/mod/forum/discuss.php?d=216160
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35381
- https://moodle.org/mod/forum/discuss.php?d=216161
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29872
- https://moodle.org/mod/forum/discuss.php?d=216155
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32785
- https://moodle.org/mod/forum/discuss.php?d=216156