SB2019111443 - Multiple vulnerabilities in moodle Moodle
Published: November 14, 2019 Updated: July 17, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 10 secuirty vulnerabilities.
1) Incorrect default permissions (CVE-ID: CVE-2012-1157)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
Moodle before 2.2.2 has a default repository capabilities issue where all repositories are viewable by all users by default
2) Information disclosure (CVE-ID: CVE-2012-1158)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
Moodle before 2.2.2 has a course information leak in gradebook where users are able to see hidden grade items in export
3) Information disclosure (CVE-ID: CVE-2012-1159)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
Moodle before 2.2.2: Overview report allows users to see hidden courses
4) Incorrect permission assignment for critical resource (CVE-ID: CVE-2012-1160)
The vulnerability allows a remote privileged user to manipulate data.
Moodle before 2.2.2 has a permission issue in Forum Subscriptions where unenrolled users can subscribe/unsubscribe via mod/forum/index.php
5) Information disclosure (CVE-ID: CVE-2012-1161)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
Moodle before 2.2.2: Course information leak via hidden courses being displayed in tag search results
6) Information disclosure (CVE-ID: CVE-2012-1169)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Moodle before 2.2.2 has Personal information disclosure, when administrative setting users name display is set to first name only full names are shown in page breadcrumbs.
7) Improper validation of integrity check value (CVE-ID: CVE-2012-1170)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
Moodle before 2.2.2 has an external enrolment plugin context check issue where capability checks are not thorough
8) Information disclosure (CVE-ID: CVE-2012-1155)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Moodle has a database activity export permission issue where the export function of the database activity module exports all entries even those from groups the user does not belong to
9) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2012-1156)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Moodle before 2.2.2 has users' private files included in course backups
10) Input validation error (CVE-ID: CVE-2012-1168)
The vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.
Moodle before 2.2.2 has a password and web services issue where when the user profile is updated the user password is reset if not specified.
Remediation
Install update from vendor's website.
References
- http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077635.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078209.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078210.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080712.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081047.html
- https://access.redhat.com/security/cve/cve-2012-1157
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1157
- https://moodle.org/mod/forum/discuss.php?d=198624
- https://security-tracker.debian.org/tracker/CVE-2012-1157
- https://access.redhat.com/security/cve/cve-2012-1158
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1158
- https://moodle.org/mod/forum/discuss.php?d=198627
- https://security-tracker.debian.org/tracker/CVE-2012-1158
- https://access.redhat.com/security/cve/cve-2012-1159
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1159
- https://moodle.org/mod/forum/discuss.php?d=198628
- https://security-tracker.debian.org/tracker/CVE-2012-1159
- https://access.redhat.com/security/cve/cve-2012-1160
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1160
- https://moodle.org/mod/forum/discuss.php?d=198629
- https://security-tracker.debian.org/tracker/CVE-2012-1160
- https://access.redhat.com/security/cve/cve-2012-1161
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1161
- https://moodle.org/mod/forum/discuss.php?d=198630
- https://security-tracker.debian.org/tracker/CVE-2012-1161
- https://access.redhat.com/security/cve/cve-2012-1169
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1169
- https://moodle.org/mod/forum/discuss.php?d=198625
- https://security-tracker.debian.org/tracker/CVE-2012-1169
- https://access.redhat.com/security/cve/cve-2012-1170
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1170
- https://moodle.org/mod/forum/discuss.php?d=198632
- https://security-tracker.debian.org/tracker/CVE-2012-1170
- https://access.redhat.com/security/cve/cve-2012-1155
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1155
- https://moodle.org/mod/forum/discuss.php?d=198621
- https://security-tracker.debian.org/tracker/CVE-2012-1155
- https://access.redhat.com/security/cve/cve-2012-1156
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1156
- https://moodle.org/mod/forum/discuss.php?d=198623
- https://security-tracker.debian.org/tracker/CVE-2012-1156
- https://access.redhat.com/security/cve/cve-2012-1168
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1168
- https://moodle.org/mod/forum/discuss.php?d=198622
- https://security-tracker.debian.org/tracker/CVE-2012-1168