SB2017012014 - Multiple vulnerabilities in Moodle
Published: January 20, 2017 Updated: August 8, 2020
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2016-5012)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
In Moodle 3.x, glossary search displays entries without checking user permissions to view them.
2) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2016-5013)
The vulnerability allows a remote non-authenticated attacker to inject arbitrary text into the headers of email sent by the site.
In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam: a line break inside an injected value ends the current header line, so whatever follows is delivered as an additional header (for example, extra recipients).
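The following Python example, added here and not taken from Moodle's code, shows the mechanism behind item 2: a CR LF pair inside a user-controlled value terminates the `Subject:` line, and the remainder becomes a `Bcc:` header that a mail transfer agent will honour. The subject text, the addresses and the `Bcc:` payload are constructed sample input; the actual injection point in Moodle is not reproduced here.

```python
"""Added example (not Moodle code): CR/LF in user-controlled text becomes an
extra email header, and a check that rejects such input before headers are built."""
import re

# Constructed sample input: a hypothetical forum-post title that an attacker
# has laced with CR LF followed by a header of their own choosing.
ATTACKER_SUBJECT = "Hello\r\nBcc: victim1@example.org, victim2@example.org"

# CR, LF and NUL are the characters that end or corrupt a header line.
_HEADER_CTL = re.compile(r"[\r\n\x00]")


def build_headers_naive(from_name, from_addr, to_addr, subject):
    """Vulnerable: values are concatenated straight into the header block.
    A CR LF inside `subject` ends the Subject: line, and the remainder is
    parsed by the MTA as a brand-new header."""
    return (
        f"From: {from_name} <{from_addr}>\r\n"
        f"To: {to_addr}\r\n"
        f"Subject: {subject}\r\n"
    )


def parse_headers(block):
    """Split a raw header block into (name, value) pairs the way an MTA sees it."""
    headers = []
    for line in block.split("\r\n"):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def recipients(block):
    """Every address the MTA would deliver to, including any smuggled Cc:/Bcc:."""
    addrs = []
    for name, value in parse_headers(block):
        if name.lower() in ("to", "cc", "bcc"):
            addrs.extend(a.strip() for a in value.split(","))
    return addrs


class HeaderInjection(ValueError):
    """Raised when a header value contains line-breaking control characters."""


def is_injection_attempt(value):
    """True if `value` could smuggle a new header line (CR, LF or NUL present)."""
    return _HEADER_CTL.search(value) is not None


def safe_header_value(value):
    """Reject rather than silently strip: stripping hides an attack in progress,
    and a 'cleaned' value may still be misread by the next component."""
    if is_injection_attempt(value):
        raise HeaderInjection(f"control character in header value: {value!r}")
    return value


def build_headers_safe(from_name, from_addr, to_addr, subject):
    """Hardened: every value passes the check before it reaches the header block."""
    return build_headers_naive(
        safe_header_value(from_name),
        safe_header_value(from_addr),
        safe_header_value(to_addr),
        safe_header_value(subject),
    )


if __name__ == "__main__":
    naive = build_headers_naive("Moodle", "noreply@example.com",
                                "bob@example.com", ATTACKER_SUBJECT)
    print("naive recipients:", recipients(naive))
    try:
        build_headers_safe("Moodle", "noreply@example.com",
                           "bob@example.com", ATTACKER_SUBJECT)
    except HeaderInjection as exc:
        print("blocked:", exc)
```

The check covers a bare LF as well as CR LF because many mail libraries and MTAs accept either as a line terminator, and it applies to every field that reaches the header block, not only the one an attacker is known to control. Rejecting the input is preferred over stripping the characters: the rejection can be logged as an attack indicator, whereas a silently sanitised value gives no signal.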
3) Information disclosure (CVE-ID: CVE-2016-5014)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
In Moodle 2.x and 3.x, a user who has been unenrolled from a course still receives event monitor notifications for that course even though they can no longer access it.
Remediation
Install the update from the vendor's website.