Multiple vulnerabilities in Moodle
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 10 |
| CVE-ID | CVE-2016-2190 CVE-2016-2159 CVE-2016-2158 CVE-2016-2157 CVE-2016-2156 CVE-2016-2155 CVE-2016-2154 CVE-2016-2153 CVE-2016-2152 CVE-2016-2151 |
| CWE-ID | CWE-264 CWE-284 CWE-200 CWE-352 CWE-79 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Moodle Web applications / Other software |
| Vendor | moodle.org |
Security Bulletin
This security bulletin contains information about 10 vulnerabilities.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU40268
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-2190
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not properly restrict links, which allows remote attackers to obtain sensitive URL information by reading a Referer log.
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.7 - 3.0.2
CPE2.3- cpe:2.3:a:moodle_org:moodle:2.7.12:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:2.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:2.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:3.0.2:*:*:*:*:*:*:*
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52651
https://www.openwall.com/lists/oss-security/2016/03/21/1
https://www.securitytracker.com/id/1035333
https://moodle.org/mod/forum/discuss.php?d=330181
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper access control
EUVDB-ID: #VU40269
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-2159
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to manipulate data.
The save_submission function in mod/assign/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote authenticated users to bypass intended due-date restrictions by leveraging the student role for a web-service request.
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.7 - 3.0.2
CPE2.3- cpe:2.3:a:moodle_org:moodle:2.7.12:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:2.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:2.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:3.0.2:*:*:*:*:*:*:*
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52901
https://www.openwall.com/lists/oss-security/2016/03/21/1
https://www.securitytracker.com/id/1035333
https://moodle.org/mod/forum/discuss.php?d=330182
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Information disclosure
EUVDB-ID: #VU40270
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-2158
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to gain access to sensitive information.
lib/ajax/getnavbranch.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3, when the forcelogin feature is enabled, allows remote attackers to obtain sensitive category-detail information from the navigation branch by leveraging the guest role for an Ajax request.
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.7 - 3.0.2
CPE2.3- cpe:2.3:a:moodle_org:moodle:2.7.12:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:2.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:2.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:3.0.2:*:*:*:*:*:*:*
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52774
https://www.openwall.com/lists/oss-security/2016/03/21/1
https://www.securitytracker.com/id/1035333
https://moodle.org/mod/forum/discuss.php?d=330180
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Cross-site request forgery
EUVDB-ID: #VU40271
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2016-2157
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.7 - 3.0.2
CPE2.3- cpe:2.3:a:moodle_org:moodle:2.7.12:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:2.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:2.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:3.0.2:*:*:*:*:*:*:*
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53031
https://www.openwall.com/lists/oss-security/2016/03/21/1
https://www.securitytracker.com/id/1035333
https://moodle.org/mod/forum/discuss.php?d=330179
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Information disclosure
EUVDB-ID: #VU40272
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-2156
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to gain access to sensitive information.
calendar/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 provides calendar-event data without considering whether an activity is hidden, which allows remote authenticated users to obtain sensitive information via a web-service request.
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.7 - 3.0.2
CPE2.3- cpe:2.3:a:moodle_org:moodle:2.7.12:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:2.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:2.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:3.0.2:*:*:*:*:*:*:*
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52808
https://www.openwall.com/lists/oss-security/2016/03/21/1
https://www.securitytracker.com/id/1035333
https://moodle.org/mod/forum/discuss.php?d=330178
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU40273
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-2155
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to manipulate data.
The grade-reporting feature in Singleview (aka Single View) in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/grade:manage capability, which allows remote authenticated users to modify "Exclude grade" settings by leveraging the Non-Editing Instructor role.
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.8 - 3.0.2
CPE2.3- cpe:2.3:a:moodle_org:moodle:2.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:2.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:3.0.2:*:*:*:*:*:*:*
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52378
https://www.openwall.com/lists/oss-security/2016/03/21/1
https://www.securitytracker.com/id/1035333
https://moodle.org/mod/forum/discuss.php?d=330177
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Information disclosure
EUVDB-ID: #VU40274
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-2154
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to gain access to sensitive information.
admin/tool/monitor/lib.php in Event Monitor in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/course:viewhiddencourses capability, which allows remote authenticated users to discover hidden course names by subscribing to a rule.
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.8 - 3.0.2
CPE2.3- cpe:2.3:a:moodle_org:moodle:2.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:2.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:3.0.2:*:*:*:*:*:*:*
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51167
https://www.openwall.com/lists/oss-security/2016/03/21/1
https://www.securitytracker.com/id/1035333
https://moodle.org/mod/forum/discuss.php?d=330176
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Cross-site scripting
EUVDB-ID: #VU40275
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-2153
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionVulnerability allows a remote attacker to perform Cross-site scripting attacks.
An input validation error exists in the advanced-search feature in mod_data in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.7 - 3.0.2
CPE2.3- cpe:2.3:a:moodle_org:moodle:2.7.12:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:2.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:2.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:3.0.2:*:*:*:*:*:*:*
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52727
https://www.openwall.com/lists/oss-security/2016/03/21/1
https://www.securitytracker.com/id/1035333
https://moodle.org/mod/forum/discuss.php?d=330175
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Cross-site scripting
EUVDB-ID: #VU40276
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-2152
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionVulnerability allows a remote attacker to perform Cross-site scripting attacks.
An input validation error exists in auth/db/auth.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 when processing an external DB profile field. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.7 - 3.0.2
CPE2.3- cpe:2.3:a:moodle_org:moodle:2.7.12:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:2.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:2.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:3.0.2:*:*:*:*:*:*:*
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50705
https://www.openwall.com/lists/oss-security/2016/03/21/1
https://www.securitytracker.com/id/1035333
https://moodle.org/mod/forum/discuss.php?d=330174
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Information disclosure
EUVDB-ID: #VU40277
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-2151
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to gain access to sensitive information.
user/index.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 grants excessive authorization on the basis of the moodle/course:viewhiddenuserfields capability, which allows remote authenticated users to discover student e-mail addresses by leveraging the teacher role and reading a Participants list.
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.7 - 3.0.2
CPE2.3- cpe:2.3:a:moodle_org:moodle:2.7.12:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:2.8.10:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:2.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:3.0.2:*:*:*:*:*:*:*
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52433
https://www.openwall.com/lists/oss-security/2016/03/21/1
https://www.securitytracker.com/id/1035333
https://moodle.org/mod/forum/discuss.php?d=330173
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
