SB2014112403 - Multiple vulnerabilities in Moodle

Security Bulletin ID SB2014112403

Severity

Medium

Patch available

YES

Number of vulnerabilities 15

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 15 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2014-9060)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not properly restrict the parameters used in a return URL, which allows remote attackers to trigger the generation of arbitrary messages via a modified URL, related to mod/lti/locallib.php and mod/lti/return.php.

2) Cross-site scripting (CVE-ID: CVE-2014-9059)

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when processing data passed via UTF-7 characters during interaction with AJAX scripts. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

3) Information disclosure (CVE-ID: CVE-2014-7848)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

lib/phpunit/bootstrap.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message.

4) Resource management error (CVE-ID: CVE-2014-7847)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

iplookup/index.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote attackers to cause a denial of service (resource consumption) by triggering the calculation of an estimated latitude and longitude for an IP address.

5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-7846)

The vulnerability allows a remote #AU# to gain access to sensitive information.

tag/tag_autocomplete.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not consider the moodle/tag:edit capability before adding a tag, which allows remote authenticated users to bypass intended access restrictions via an AJAX request.

6) Credentials management (CVE-ID: CVE-2014-7845)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The generate_password function in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide a sufficient number of possible temporary passwords, which allows remote attackers to obtain access via a brute-force attack.

7) Cross-site request forgery (CVE-ID: CVE-2014-7838)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and hijack the authentication of arbitrary users for requests that set a tracking preference within (1) mod/forum/deprecatedlib.php, (2) mod/forum/forum.js, (3) mod/forum/index.php, or (4) mod/forum/lib.

8) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-7837)

The vulnerability allows a remote #AU# to manipulate or delete data.

mod/wiki/admin.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to remove wiki pages by leveraging delete access within a different subwiki.

9) Cross-site request forgery (CVE-ID: CVE-2014-7836)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and hijack the authentication of arbitrary users for a (1) mod/lti/request_tool.php or (2) mod/lti/instructor_edit_tool_type.

10) Cross-site scripting (CVE-ID: CVE-2014-7835)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. The vulnerability allows remote authenticated users to upload files containing JavaScript, and consequently conduct cross-site scripting (XSS) attacks, by specifying the profile-picture area.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

11) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-7834)

The vulnerability allows a remote #AU# to gain access to sensitive information.

mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remote authenticated users to access a forum via the forum_get_discussions web service.

12) Information disclosure (CVE-ID: CVE-2014-7833)

The vulnerability allows a remote #AU# to gain access to sensitive information.

mod/data/edit.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 sets a certain group ID to zero upon a database-entry change, which allows remote authenticated users to obtain sensitive information by accessing the database after an edit by a teacher.

13) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-7832)

The vulnerability allows a remote #AU# to gain access to sensitive information.

mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance.

14) Information disclosure (CVE-ID: CVE-2014-7831)

The vulnerability allows a remote #AU# to gain access to sensitive information.

lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service.

15) Cross-site scripting (CVE-ID: CVE-2014-7830)

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install update from vendor's website.

SB2014112403 - Multiple vulnerabilities in Moodle

Breakdown by Severity

Description

Remediation

References