Moodle 2.1.x < 2.1.6 / 2.2.x < 2.2.3 Multiple Vulnerabilities

Medium Nessus Network Monitor Plugin ID 8715


The remote web server is hosting a web application that is vulnerable to multiple attack vectors.


The remote web server hosts Moodle, an open-source course management system. Versions of Moodle 2.1.x prior to 2.1.6, or 2.2.x prior to 2.2.3 are exposed to the following vulnerabilities :

- An information disclosure flaw that allows remote authenticated users to obtain sensitive user information from hidden fields by leveraging the teacher role and navigating to "Enrolled users" under the Users Settings section. (MSA-12-0024 / CVE-2012-2353)

- A flaw that may lead to an unauthorized information disclosure. The issue is triggered by an error in the 'recent conversations' functionality, which may allow a remote attacker to gain access to other user's messages by manipulating URL parameters. (MSA-12-0025 / CVE-2012-2354)

- A permissions flaw that is triggered when the 'question:use' permissions are not properly checked when adding questions to a quiz. This may allow an attacker to add arbitrary questions to a quiz. (MSA-12-0026 / CVE-2012-2355)

- A flaw that is triggered by an error when handling access permissions in the question bank, which may allow a remote attacker to create arbitrary questions. (MSA-12-0027 / CVE-2012-2356)

- A page in the CAS Authentication process was using an insecure HTTP URL that, apart from being insecure, sent the user in circles. (MSA-12-0028 / CVE-2012-2357)

- A write access flaw that allows users to overwrite site-wide database activity presets created by other users. (MSA-12-0037 / CVE-2012-2366)


Upgrade to Moodle version 2.2.3. If your installation cannot be upgraded to 2.2.x, version 2.1.3 is also patched for these vulnerabilities.

See Also

Plugin Details

Severity: Medium

ID: 8715

Family: CGI

Published: 2015/04/20

Modified: 2016/02/05

Dependencies: 8690

Risk Information

Risk Factor: Medium


Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C


Base Score: 5.3

Temporal Score: 5


Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:moodle:moodle

Patch Publication Date: 2012/05/14

Vulnerability Publication Date: 2012/05/21

Reference Information

CVE: CVE-2012-2353, CVE-2012-2354, CVE-2012-2355, CVE-2012-2356, CVE-2012-2357, CVE-2012-2366