SB2015060104 - Multiple vulnerabilities in Moodle
Published: June 1, 2015 Updated: January 16, 2023
Description
This security bulletin contains information about 7 security vulnerabilities.
1) Cross-site request forgery (CVE-ID: CVE-2015-0218)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
2) Resource management error (CVE-ID: CVE-2015-0217)
The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.
filter/mediaplugin/filter.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to cause a denial of service (CPU consumption or partial outage) via a crafted string that is matched against an improper regular expression.
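The pattern below is constructed for illustration and is not the regular expression from filter/mediaplugin/filter.php; it is an added example, not Moodle's code. It shows the defender-side controls that bound the damage of an ambiguous regex applied to user-supplied text: a tight `pcre.backtrack_limit`, checking `preg_match()` for `false`, and inspecting `preg_last_error()` so a limit hit is logged and the input rejected instead of the worker spinning. The second pattern is the unambiguous rewrite of the first.

```php
<?php
// Added example (not Moodle's code). Patterns are constructed to illustrate
// catastrophic backtracking; they are not the filter's real expression.

// Nested quantifiers: on a long run of 'a' followed by a character that
// cannot match, PCRE tries exponentially many ways to split the run.
const AMBIGUOUS_PATTERN   = '/^(a+)+$/';
// Same language, one quantifier, no overlapping groups: linear time.
const UNAMBIGUOUS_PATTERN = '/^a+$/';

// Keep the engine's work bounded regardless of pattern quality.
// (PHP's default is 1,000,000; tighten it for code paths that match user text.)
ini_set('pcre.backtrack_limit', '100000');

/**
 * Match $subject against $pattern without letting a pathological input
 * consume unbounded CPU. Returns true/false on a completed match and null
 * when PCRE aborted, so callers can treat null as "reject this input".
 */
function bounded_match(string $pattern, string $subject): ?bool {
    $result = preg_match($pattern, $subject);
    if ($result === false) {
        $err = preg_last_error();
        if ($err === PREG_BACKTRACK_LIMIT_ERROR) {
            error_log('regex backtrack limit reached; input rejected');
        } else {
            error_log('preg_match failed: ' . preg_last_error_msg());
        }
        return null;
    }
    return $result === 1;
}

// Constructed hostile input: a run of 'a' that almost matches, then a
// character that forces the engine to backtrack.
$hostile = str_repeat('a', 40) . '!';

$start = microtime(true);
$r1 = bounded_match(AMBIGUOUS_PATTERN, $hostile);
$t1 = microtime(true) - $start;

$start = microtime(true);
$r2 = bounded_match(UNAMBIGUOUS_PATTERN, $hostile);
$t2 = microtime(true) - $start;

printf("ambiguous:   result=%s time=%.4fs\n", var_export($r1, true), $t1);
printf("unambiguous: result=%s time=%.4fs\n", var_export($r2, true), $t2);
```

With the ambiguous pattern the call returns `null` once the backtrack limit is hit, which is the outcome an application should expect and handle; the rewritten pattern scans the same input once and returns `false`. Auditing filters for nested quantifiers and overlapping alternations is the long-term fix; the limit and error check are the safety net while that audit happens.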
3) Information disclosure (CVE-ID: CVE-2015-0215)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
calendar/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to obtain sensitive calendar-event information via a web-services request.
4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2015-0214)
The vulnerability allows a remote authenticated user to manipulate data.
message/externallib.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to bypass a messaging-disabled setting via a web-services request, as demonstrated by a people-search request.
5) Cross-site request forgery (CVE-ID: CVE-2015-0213)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
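Both CSRF items (1 and 5) describe the same root cause: the application accepts a state-changing request on the strength of the session cookie alone, and a browser attaches that cookie to a form submitted from any site. The handler below is an added example, not Moodle's code (Moodle's own mechanism is the per-session "sesskey" enforced by `require_sesskey()`); it shows the two checks that close the gap, a per-session token that other origins cannot read, and a check of the `Origin`/`Referer` header against the expected host. The form field name, the expected host and `save_description()` are assumptions.

```php
<?php
// Added example (not Moodle's code): a state-changing POST handler with
// anti-CSRF protection. Names below are hypothetical.
session_start();

const EXPECTED_HOST = 'lms.example.org';   // assumption: the site's own host

/** Return this session's anti-CSRF token, creating it on first use. */
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** True when the browser-supplied Origin (or Referer) names our own host. */
function origin_allowed(): bool {
    $hdr = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($hdr === '') {
        return false;                         // no provenance at all: refuse
    }
    return parse_url($hdr, PHP_URL_HOST) === EXPECTED_HOST;
}

/** Abort the request unless the token and origin checks both pass. */
function require_csrf_protection(): void {
    $sent = $_POST['csrf_token'] ?? '';
    // hash_equals() is constant-time and rejects a missing or forged token.
    $token_ok = is_string($sent) && hash_equals(csrf_token(), $sent);
    if (!$token_ok || !origin_allowed()) {
        http_response_code(403);
        exit('Request rejected: invalid token or origin');
    }
}

/** Hypothetical persistence routine standing in for the real action. */
function save_description(string $text): void {
    $_SESSION['description'] = $text;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Unsafe variant would call save_description() here with no further check:
    // the session cookie alone is sent by a cross-site form as well.
    require_csrf_protection();
    save_description((string)($_POST['description'] ?? ''));
}
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="description">
  <button type="submit">Save</button>
</form>
```

The token check is the primary control; the header check is defence in depth, since some privacy tools strip `Referer` (which is why the code refuses rather than skips when both headers are absent). Setting the session cookie with `SameSite=Lax` or `Strict` adds a third, browser-enforced layer.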
6) Cross-site scripting (CVE-ID: CVE-2015-0212)
The vulnerability allows a remote attacker to perform XSS attacks.
The vulnerability is caused by an input validation error in course/pending.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2. A remote authenticated attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the security context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
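As an added example (not code from course/pending.php or from Moodle), the snippet below contrasts a reflected parameter written into the page as-is with the same value escaped for an HTML context. The parameter name `name` and the page fragment are constructed; the point is that the escaping happens at output time, for the context the value lands in.

```php
<?php
// Added example (not Moodle's code): reflected input, unescaped vs escaped.
// The "name" parameter and surrounding markup are constructed.

/** Unsafe: whatever the crafted link carried becomes part of the page. */
function render_pending_unsafe(array $get): string {
    return '<h2>Pending request from ' . ($get['name'] ?? '') . '</h2>';
}

/**
 * Safe: escape for the HTML body context. ENT_QUOTES also neutralises both
 * quote characters, so the same helper is safe inside attribute values;
 * ENT_SUBSTITUTE prevents invalid UTF-8 from silently emptying the output.
 * (Moodle's s() helper wraps htmlspecialchars() for this purpose.)
 */
function render_pending_safe(array $get): string {
    $name = htmlspecialchars((string)($get['name'] ?? ''),
                             ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2>Pending request from ' . $name . '</h2>';
}

// Constructed input standing in for a query string that carries markup.
$constructed_get = ['name' => '<img src=x onerror="alert(document.cookie)">'];

echo render_pending_unsafe($constructed_get), "\n";   // markup survives
echo render_pending_safe($constructed_get), "\n";     // markup is inert text
```

Escaping is only correct for the context it targets: a value placed inside a `<script>` block or a URL needs JSON or URL encoding respectively, not `htmlspecialchars()`. A `Content-Security-Policy` that forbids inline script limits what a missed escape can do.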
7) Information disclosure (CVE-ID: CVE-2015-0211)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
mod/lti/ajax.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 does not consider the moodle/course:manageactivities and mod/lti:addinstance capabilities before proceeding with registered-tool list searches, which allows remote authenticated users to obtain sensitive information via requests to the LTI Ajax service.
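The handler below is an added example, not Moodle's mod/lti/ajax.php or its fix; it illustrates the authorisation pattern the bulletin says was absent: checking the two named capabilities in the course context before the registered-tool list is searched. It assumes a normal Moodle runtime (config.php, `require_login()`, `require_capability()`, `context_course::instance()`, the `$DB` API and the `lti_types` table); the relative path, the parameter names and the JSON response shape are assumptions.

```php
<?php
// Added example (not Moodle's code): course-scoped AJAX search over
// registered LTI tools with the capability checks performed up front.
define('AJAX_SCRIPT', true);
require_once(__DIR__ . '/../../config.php');   // assumed location of config.php

$courseid = required_param('course', PARAM_INT);   // which course is asking
$search   = optional_param('q', '', PARAM_TEXT);   // free-text filter

require_login($courseid);
$context = context_course::instance($courseid);

// Authorisation before any data is read. With only require_login() every
// authenticated user could enumerate the registered tool list; these two
// checks restrict the search to users who may add LTI instances here.
require_capability('moodle/course:manageactivities', $context);
require_capability('mod/lti:addinstance', $context);

// Case-insensitive substring search with the user input bound as a
// parameter and LIKE metacharacters escaped.
$where  = $DB->sql_like('name', ':search', false);
$params = ['search' => '%' . $DB->sql_like_escape($search) . '%'];
$tools  = $DB->get_records_select('lti_types', $where, $params,
                                  'name ASC', 'id, name', 0, 50);

header('Content-Type: application/json; charset=utf-8');
echo json_encode(array_values($tools));
```

The ordering matters for detection as much as for prevention: because `require_capability()` throws before the query runs, a denied attempt produces a logged exception and no database read, which is the signal to watch for when reviewing access to the LTI Ajax service.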
Remediation
Install the update from the vendor's website.
References
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47964
- http://openwall.com/lists/oss-security/2015/01/19/1
- https://moodle.org/mod/forum/discuss.php?d=278618
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48546
- https://moodle.org/mod/forum/discuss.php?d=278617
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48017
- https://moodle.org/mod/forum/discuss.php?d=278615
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48329
- https://moodle.org/mod/forum/discuss.php?d=278614
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48106
- https://moodle.org/mod/forum/discuss.php?d=278613
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48368
- https://moodle.org/mod/forum/discuss.php?d=278612
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47920
- https://moodle.org/mod/forum/discuss.php?d=278611