Moodle 1.6.x < 1.6.9 / 1.7.x < 1.7.7 / 1.8.x < 1.8.8 / 1.9.x < 1.9.4 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 4924

Synopsis

The remote web server is hosting a web application that is affected by multiple vulnerabilities.

Description

The version of Moodle installed on the remote host is affected by several flaws. First, it is vulnerable to a cross-site scripting (XSS) flaw; an attacker exploiting this flaw could execute arbitrary script code within the browser of unsuspecting users. Second, it is vulnerable to a cross-site request forgery (CSRF) flaw that could allow a remote attacker to execute commands on behalf of logged-in users. Finally, there are several information disclosure flaws that could allow an attacker to gain access to confidential data.

Solution

Upgrade to Moodle version 1.6.9, 1.7.7, 1.8.8, or 1.9.4, or a later release in the corresponding branch.

See Also

http://moodle.org/security

Plugin Details

Severity: High

ID: 4924

File Name: 4924.prm

Family: CGI

Published: 2009/02/09

Modified: 2016/11/23

Dependencies: 8683

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 7.3

Temporal Score: 6.8

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:moodle:moodle

Patch Publication Date: 2009/02/07

Vulnerability Publication Date: 2009/02/07

Reference Information

BID: 33610, 33612, 33613, 33615, 33617