SB2017012016 - Multiple vulnerabilities in Moodle

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2016-8642)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

In Moodle 2.x and 3.x, the question engine allows access to files that should not be available.

2) Improper access control (CVE-ID: CVE-2016-8643)

The vulnerability allows a remote authenticated user to manipulate data.

In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services.

3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2016-8644)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context.

Remediation

Install update from vendor's website.

References

• http://www.securityfocus.com/bid/94441
• https://moodle.org/mod/forum/discuss.php?d=343275
• http://www.securityfocus.com/bid/94457
• https://moodle.org/mod/forum/discuss.php?d=343276
• http://www.securityfocus.com/bid/94458
• https://moodle.org/mod/forum/discuss.php?d=343277