SB2016022207 - Multiple vulnerabilities in Moodle
Published: February 22, 2016 Updated: January 16, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 10 secuirty vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2015-5342)
The vulnerability allows a remote authenticated user to manipulate data.
The choice module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allows remote authenticated users to bypass intended access restrictions by visiting a URL to add or delete responses in the closed state.
2) Information disclosure (CVE-ID: CVE-2015-5341)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
mod_scorm in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 mishandles availability dates, which allows remote authenticated users to bypass intended access restrictions and read SCORM contents via unspecified vectors.
3) Information disclosure (CVE-ID: CVE-2015-5340)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not consider the moodle/badges:viewbadges capability, which allows remote authenticated users to obtain sensitive badge information via a request involving (1) badges/overview.php or (2) badges/view.php.
4) Information disclosure (CVE-ID: CVE-2015-5339)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
The core_enrol_get_enrolled_users web service in enrol/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly implement group-based access restrictions, which allows remote authenticated users to obtain sensitive course-participant information via a web-service request.
5) Cross-site request forgery (CVE-ID: CVE-2015-5338)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and (1) mod/lesson/mediafile.php or (2) mod/lesson/view.
6) Cross-site scripting (CVE-ID: CVE-2015-5337)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. The vulnerability allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted .
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
7) Cross-site scripting (CVE-ID: CVE-2015-5336)
The vulnerability allows a remote authenticated user to read and manipulate data.
Multiple cross-site scripting (XSS) vulnerabilities in the survey module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote authenticated users to inject arbitrary web script or HTML by leveraging the student role and entering a crafted survey answer.
8) Cross-site request forgery (CVE-ID: CVE-2015-5335)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
9) Resource management error (CVE-ID: CVE-2015-5332)
The vulnerability allows a remote non-authenticated attacker to a crash the entire system.
Atto in Moodle 2.8.x before 2.8.9 and 2.9.x before 2.9.3 allows remote attackers to cause a denial of service (disk consumption) by leveraging the guest role and entering drafts with the editor-autosave feature.
10) Security Features (CVE-ID: CVE-2015-5331)
The vulnerability allows a remote authenticated user to manipulate data.
Moodle 2.9.x before 2.9.3 does not properly check the contact list before authorizing message transmission, which allows remote authenticated users to bypass intended access restrictions and conduct spam attacks via the messaging API.
Remediation
Install update from vendor's website.
References
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51569
- https://moodle.org/mod/forum/discuss.php?d=323237
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50837
- https://moodle.org/mod/forum/discuss.php?d=323236
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51684
- https://moodle.org/mod/forum/discuss.php?d=323235
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51861
- https://moodle.org/mod/forum/discuss.php?d=323234
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48109
- https://moodle.org/mod/forum/discuss.php?d=323233
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48085
- https://moodle.org/mod/forum/discuss.php?d=323232
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49940
- https://moodle.org/mod/forum/discuss.php?d=323231
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51091
- https://moodle.org/mod/forum/discuss.php?d=323230
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51000
- https://moodle.org/mod/forum/discuss.php?d=323229
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50426
- https://moodle.org/mod/forum/discuss.php?d=323228