calendar/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 provides calendar-event data without considering whether an activity is hidden, which allows remote authenticated users to obtain sensitive information via a web-service request.

Moodle, an open-source course management system, installed on the remote host is version 2.7.x prior to 2.7.13, 2.8.x prior to 2.8.11, or 2.9.x prior to 2.9.5, or 3.0.x prior to 3.0.3, and is affected by multiple vulnerabilities :

 - A flaw exists in 'user/index.php' related to an improper capability check when displaying emails for students in a participants list.  This may allow an authenticated, remote attacker to gain knowledge of participants' email addresses. (CVE-2016-2151)
 - A flaw exists that allows a stored cross-site scripting (XSS) attack.  This flaw exists because the external database does not validate input to the profile fields before returning it to users.  This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (CVE-2016-2152)
 - A flaw exists that allows a reflected cross-site scripting (XSS) attack.  This flaw exists because the program does not validate input to the 'mod_data' advanced search before returning it to users.  This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (CVE-2016-2153)
 - A flaw exists as HTTP requests to 'mod/assign/adminmanageplugins.php' do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions.  By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to make changes to plugins. (CVE-2016-2157)
 - A flaw exists in the 'lib/ajax/getnavbranch.php' script that may allow an unauthenticated remote attacker to enumerate category details. (CVE-2016-2158)
 - A flaw exists in the 'get_calendar_events()' function in the 'calendar/externallib.php' script that may allow an authenticated, remote attacker to disclose events that pertain to hidden activities. (CVE-2016-2156)
 - A flaw exists in the 'mod_assign_save_submission()' function in the 'mod/assign/externallib.php' script that is triggered as due dates are not properly checked.  This may allow a remote attacker to add assignment submissions after the specified due date. (CVE-2016-2159)
 - A flaw exists that is triggered during the handling of external links that were added with a '_blank' target attribute.  This may allow a context-dependent attacker to disclose referer information. (CVE-2016-2190)

Marina Glancy reports :

- MSA-16-0003: Incorrect capability check when displaying users emails in Participants list

- MSA-16-0004: XSS from profile fields from external db

- MSA-16-0005: Reflected XSS in mod_data advanced search

- MSA-16-0006: Hidden courses are shown to students in Event Monitor

- MSA-16-0007: Non-Editing Instructor role can edit exclude checkbox in Single View

- MSA-16-0008: External function get_calendar_events return events that pertains to hidden activities

- MSA-16-0009: CSRF in Assignment plugin management page

- MSA-16-0010: Enumeration of category details possible without authentication

- MSA-16-0011: Add no referrer to links with _blank target attribute

- MSA-16-0012: External function mod_assign_save_submission does not check due dates

Multiple CVEs

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

3.0.3.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
9194	Moodle < 2.7.13 / 2.8.x < 2.8.11 / 2.9.x < 2.9.5 / 3.0.x < 3.0.3 Multiple Vulnerabilities	Nessus Network Monitor	CGI	medium
90337	FreeBSD : moodle -- multiple vulnerabilities (a430e15d-f93f-11e5-92ce-002590263bf5)	Nessus	FreeBSD Local Security Checks	high
90257	Fedora 22 : moodle-2.8.11-1.fc22 (2016-b91d895e5a)	Nessus	Fedora Local Security Checks	high
90256	Fedora 23 : moodle-2.9.5-1.fc23 (2016-403715aaec)	Nessus	Fedora Local Security Checks	high
90218	Fedora 24 : moodle-3.0.3-1.fc24 (2016-9b591e1952)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2016-2156

medium

Tenable Plugins

medium

high

high

high

high