SB2021092103 - Multiple vulnerabilities in Moodle

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Session Fixation (CVE-ID: CVE-2021-40691)

The vulnerability allows a remote attacker to hijack the target user's session.

The weakness exists due to a session hijack risk in the Shibboleth authentication plugin. A remote attacker can obtain sensitive information on the system.

2) Information disclosure (CVE-ID: CVE-2021-40695)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote authenticated attacker can view their quiz grade before it had been released, using a quiz web service.

3) Information disclosure (CVE-ID: CVE-2021-40694)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to insufficient escaping of the LaTeX preamble. A remote administrator can read files available to the HTTP server system account.

4) Improper Authentication (CVE-ID: CVE-2021-40693)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to a type juggling issue in the external database authentication functionality. A remote attacker can bypass authentication process and gain unauthorized access to the application.

5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-40692)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to insufficient capability checks. A remote authenticated attacker can download users outside of their courses.

Remediation

Install update from vendor's website.

References

• https://moodle.org/mod/forum/discuss.php?d=427103
• https://moodle.org/mod/forum/discuss.php?d=427107
• https://moodle.org/mod/forum/discuss.php?d=427106
• https://moodle.org/mod/forum/discuss.php?d=427105
• https://moodle.org/mod/forum/discuss.php?d=427104