Moodle < 2.7.13 / 2.8.x < 2.8.11 / 2.9.x < 2.9.5 / 3.0.x < 3.0.3 Multiple Vulnerabilities

medium Nessus Network Monitor Plugin ID 9194

Synopsis

The remote web server is hosting a web application that is vulnerable to multiple attack vectors.

Description

Moodle, an open-source course management system, installed on the remote host is version 2.7.x prior to 2.7.13, 2.8.x prior to 2.8.11, 2.9.x prior to 2.9.5, or 3.0.x prior to 3.0.3, and is affected by multiple vulnerabilities:

- A flaw exists in 'user/index.php' related to an improper capability check when displaying emails for students in a participants list. This may allow an authenticated, remote attacker to gain knowledge of participants' email addresses. (CVE-2016-2151)
- A flaw exists that allows a stored cross-site scripting (XSS) attack. This flaw exists because the external database does not validate input to the profile fields before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (CVE-2016-2152)
- A flaw exists that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the program does not validate input to the 'mod_data' advanced search before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (CVE-2016-2153)
- A flaw exists as HTTP requests to 'mod/assign/adminmanageplugins.php' do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to make changes to plugins. (CVE-2016-2157)
- A flaw exists in the 'lib/ajax/getnavbranch.php' script that may allow an unauthenticated remote attacker to enumerate category details. (CVE-2016-2158)
- A flaw exists in the 'get_calendar_events()' function in the 'calendar/externallib.php' script that may allow an authenticated, remote attacker to disclose events that pertain to hidden activities. (CVE-2016-2156)
- A flaw exists in the 'mod_assign_save_submission()' function in the 'mod/assign/externallib.php' script that is triggered as due dates are not properly checked. This may allow a remote attacker to add assignment submissions after the specified due date. (CVE-2016-2159)
- A flaw exists that is triggered during the handling of external links that were added with a '_blank' target attribute. This may allow a context-dependent attacker to disclose referer information. (CVE-2016-2190)

Solution

Upgrade to Moodle version 3.0.3 or later. If 3.0.x cannot be obtained, versions 2.9.5, 2.8.11, or 2.7.13 have also been patched for these issues.

See Also

https://docs.moodle.org/dev/Moodle_2.7.13_release_notes

https://docs.moodle.org/dev/Moodle_2.8.11_release_notes

https://docs.moodle.org/dev/Moodle_2.9.5_release_notes

https://docs.moodle.org/dev/Moodle_3.0.3_release_notes

Plugin Details

Severity: Medium

ID: 9194

Family: CGI

Published: 4/8/2016

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:moodle:moodle

Patch Publication Date: 3/8/2016

Vulnerability Publication Date: 3/8/2016

Reference Information

CVE: CVE-2016-2151, CVE-2016-2152, CVE-2016-2153, CVE-2016-2156, CVE-2016-2157, CVE-2016-2158, CVE-2016-2159, CVE-2016-2190