SB2016032104 - Fedora 22 update for moodle 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2016032104

SB2016032104 - Fedora 22 update for moodle

Published: March 21, 2016 Updated: April 24, 2025

Security Bulletin ID SB2016032104
Severity
High
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 10% Medium 10% Low 80%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 10 secuirty vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2016-2151)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

user/index.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 grants excessive authorization on the basis of the moodle/course:viewhiddenuserfields capability, which allows remote authenticated users to discover student e-mail addresses by leveraging the teacher role and reading a Participants list.


2) Cross-site scripting (CVE-ID: CVE-2016-2152)

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in auth/db/auth.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 when processing an external DB profile field. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


3) Cross-site scripting (CVE-ID: CVE-2016-2153)

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in the advanced-search feature in mod_data in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


4) Information disclosure (CVE-ID: CVE-2016-2154)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

admin/tool/monitor/lib.php in Event Monitor in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/course:viewhiddencourses capability, which allows remote authenticated users to discover hidden course names by subscribing to a rule.


5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2016-2155)

The vulnerability allows a remote authenticated user to manipulate data.

The grade-reporting feature in Singleview (aka Single View) in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/grade:manage capability, which allows remote authenticated users to modify "Exclude grade" settings by leveraging the Non-Editing Instructor role.


6) Information disclosure (CVE-ID: CVE-2016-2156)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

calendar/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 provides calendar-event data without considering whether an activity is hidden, which allows remote authenticated users to obtain sensitive information via a web-service request.


7) Cross-site request forgery (CVE-ID: CVE-2016-2157)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.


8) Information disclosure (CVE-ID: CVE-2016-2158)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

lib/ajax/getnavbranch.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3, when the forcelogin feature is enabled, allows remote attackers to obtain sensitive category-detail information from the navigation branch by leveraging the guest role for an Ajax request.


9) Improper access control (CVE-ID: CVE-2016-2159)

The vulnerability allows a remote authenticated user to manipulate data.

The save_submission function in mod/assign/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote authenticated users to bypass intended due-date restrictions by leveraging the student role for a web-service request.


10) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2016-2190)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not properly restrict links, which allows remote attackers to obtain sensitive URL information by reading a Referer log.


Remediation

Install update from vendor's website.

References