Multiple vulnerabilities in Moodle
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2016-8642 CVE-2016-8643 CVE-2016-8644 |
| CWE-ID | CWE-284 CWE-264 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Moodle Web applications / Other software |
| Vendor | moodle.org |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU39809
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-8642
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
In Moodle 2.x and 3.x, the question engine allows access to files that should not be available.
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.8 - 3.1.2
CPE2.3- cpe:2.3:a:moodle_org:moodle:2.8.12:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:2.9.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:3.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:3.1.2:*:*:*:*:*:*:*
https://www.securityfocus.com/bid/94441
https://moodle.org/mod/forum/discuss.php?d=343275
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper access control
EUVDB-ID: #VU39810
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-8643
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to manipulate data.
In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services.
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.8 - 3.1.2
CPE2.3- cpe:2.3:a:moodle_org:moodle:2.8.12:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:2.9.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:3.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:3.1.2:*:*:*:*:*:*:*
https://www.securityfocus.com/bid/94457
https://moodle.org/mod/forum/discuss.php?d=343276
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU39811
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-8644
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context.
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.8 - 3.1.2
CPE2.3- cpe:2.3:a:moodle_org:moodle:2.8.12:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:2.9.8:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:3.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:3.1.2:*:*:*:*:*:*:*
https://www.securityfocus.com/bid/94458
https://moodle.org/mod/forum/discuss.php?d=343277
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
