#VU41335 Permissions, Privileges, and Access Controls in Moodle - CVE-2014-3617

Cybersecurity Help s.r.o.

Published: 2014-09-15 | Updated: 2020-08-10

Vulnerability identifier: #VU41335

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-3617

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Moodle
Web applications / Other software

Vendor: moodle.org

Description

The vulnerability allows a remote #AU# to gain access to sensitive information.

The forum_print_latest_discussions function in mod/forum/lib.php in Moodle through 2.4.11, 2.5.x before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2 allows remote authenticated users to bypass the individual answer-posting requirement without the mod/forum:viewqandawithoutposting capability, and discover an author's username, by leveraging the student role and visiting a Q&A forum.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Moodle: 2.0 - 2.0.9, 2.1 - 2.1.10, 2.2 - 2.2.11, 2.3 - 2.3.11, 2.4 - 2.4.10, 2.5 - 2.5.7, 2.6 - 2.6.4, 2.7 - 2.7.1

External links
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46619
https://openwall.com/lists/oss-security/2014/09/15/1
https://moodle.org/mod/forum/discuss.php?d=269591

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Permissions, Privileges, and Access Controls in Moodle