Detections
Analytics

Debian DSA-2421-1 : moodle - several vulnerabilities

medium Nessus Plugin ID 58172

Language:

Synopsis

The remote Debian host is missing a security-related update.

Description

Several security issues have been fixed in Moodle, a course management system for online learning :

 - CVE-2011-4308 / CVE-2012-0792 Rossiani Wijaya discovered an information leak in mod/forum/user.php.

 - CVE-2011-4584 MNet authentication didn't prevent a user using 'Login as' from jumping to a remove MNet SSO.

 - CVE-2011-4585 Darragh Enright discovered that the change password form was send in over plain HTTP even if httpslogin was set to 'true'.

 - CVE-2011-4586 David Michael Evans and German Sanchez Gances discovered CRLF injection/HTTP response splitting vulnerabilities in the Calendar module.

 - CVE-2011-4587 Stephen Mc Guiness discovered empty passwords could be entered in some circumstances.

 - CVE-2011-4588 Patrick McNeill discovered that IP address restrictions could be bypassed in MNet.

 - CVE-2012-0796 Simon Coggins discovered that additional information could be injected into mail headers.

 - CVE-2012-0795 John Ehringer discovered that email addresses were insufficiently validated.

 - CVE-2012-0794 Rajesh Taneja discovered that cookie encryption used a fixed key.

 - CVE-2012-0793 Eloy Lafuente discovered that profile images were insufficiently protected. A new configuration option 'forceloginforprofileimages' was introduced for that.

Solution

Upgrade the moodle packages.

For the stable distribution (squeeze), this problem has been fixed in version 1.9.9.dfsg2-2.1+squeeze3.

See Also

https://security-tracker.debian.org/tracker/CVE-2011-4308

https://security-tracker.debian.org/tracker/CVE-2012-0792

https://security-tracker.debian.org/tracker/CVE-2011-4584

https://security-tracker.debian.org/tracker/CVE-2011-4585

https://security-tracker.debian.org/tracker/CVE-2011-4586

https://security-tracker.debian.org/tracker/CVE-2011-4587

https://security-tracker.debian.org/tracker/CVE-2011-4588

https://security-tracker.debian.org/tracker/CVE-2012-0796

https://security-tracker.debian.org/tracker/CVE-2012-0795

https://security-tracker.debian.org/tracker/CVE-2012-0794

https://security-tracker.debian.org/tracker/CVE-2012-0793

https://packages.debian.org/source/squeeze/moodle

https://www.debian.org/security/2012/dsa-2421

Plugin Details

Severity: Medium

ID: 58172

File Name: debian_DSA-2421.nasl

Version: 1.14

Type: local

Agent: unix

Published: 3/1/2012

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:moodle, cpe:/o:debian:debian_linux:6.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 2/29/2012

Reference Information

CVE: CVE-2011-4308, CVE-2011-4584, CVE-2011-4585, CVE-2011-4586, CVE-2011-4587, CVE-2011-4588, CVE-2012-0792, CVE-2012-0793, CVE-2012-0794, CVE-2012-0795, CVE-2012-0796

BID: 50283, 50923, 51450, 51840

DSA: 2421