Moodle < 2.5 / 2.5.x < 2.5.9 / 2.6.x < 2.6.6 / 2.7.x < 2.7.3 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 8721


The remote web server is hosting a web application that is vulnerable to multiple attack vectors.


The remote web server hosts Moodle, an open-source course management system. Versions of Moodle 2.5.x prior to 2.5.9, 2.6.x prior to 2.6.6, 2.7.x prior to 2.7.3, and all previous releases are exposed to the following vulnerabilities:

- A cross-site scripting (XSS) vulnerability affects the script 'lib/setup.php'. Because the character encoding was not forced, UTF-7 characters could be used to carry out cross-site scripting against AJAX scripts (although this is unlikely on modern browsers and on most Moodle pages). (MSA-14-0035 / CVE-2014-9059)

- A cross-site scripting (XSS) vulnerability exists in the Feedback module. This occurs because the last search string was not escaped in the search input field. Specifically, this affects the '$searchcourse' parameter in the script 'mod/feedback/mapcourse.php'. (MSA-14-0036 / CVE-2014-7830)

- The temporary password generation function 'generate_password()' uses an unreasonably short list of possible words to create temporary passwords. (MSA-14-0037 / CVE-2014-7845)

- A security bypass flaw exists in 'mod/lti/launch.php' which performs access control at the course level rather than at the activity level. This could allow remote authenticated users to bypass the 'mod/lti:view' capability requirement by viewing an activity instance. (MSA-14-0039 / CVE-2014-7832)

- An information disclosure flaw affects 'mod/data/edit.php' because the script sets a certain group ID to zero upon a database-entry change, which allows remote authenticated users to obtain sensitive information by accessing the database after an edit by a teacher. (MSA-14-0040 / CVE-2014-7833)

- An access control flaw exists in 'tag/tag_autocomplete.php' because the script does not consider the 'moodle/tag:edit' capability before adding a tag, which allows remote authenticated users to bypass intended access restrictions via an AJAX request. (MSA-14-0041 / CVE-2014-7846)

- A denial of service vulnerability exists in the Geo-Map script, 'iplookup/index.php'. Specifically, the script used to geo-map IP addresses was available to unauthenticated users, increasing server load when used by other parties. (MSA-14-0042 / CVE-2014-7847)

- Multiple cross-site request forgery (CSRF) vulnerabilities affect the LTI module that allow remote attackers to hijack the authentication of arbitrary users to make a request. Specifically, these flaws exist in 'mod/lti/request_tool.php' and 'mod/lti/instructor_edit_tool_type.php'. (MSA-14-0046 / CVE-2014-7836)

- A security-bypass vulnerability exists within the script 'mod/wiki/admin.php' because it fails to sufficiently sanitize user-supplied input. An attacker can exploit this issue to delete pages in other Wiki pages by manipulating URLs. (MSA-14-0047 / CVE-2014-7837)

- A cross-site request forgery (CSRF) flaw affects the forum tracking toggle function because it lacks a session key check. Specifically, this affects the script 'mod/forum/settracking.php'. (MSA-14-0048 / CVE-2014-7838)

- A flaw exists that could allow a remote attacker to print arbitrary messages to a user session by modifying the URL query string. Specifically, this affects the script 'mod/lti/return.php' when loading the LTI module return page. (MSA-14-0049 / CVE-2014-9060)


Upgrade to Moodle version 2.8 or later. If your installation cannot be upgraded to 2.8.x, versions 2.5.9, 2.6.6, and 2.7.3 are also patched for these vulnerabilities.
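The version ranges above can be applied to an inventory of Moodle release strings with a short check. This is an added example, not the plugin's own detection logic or Moodle code; the release-string formats it accepts and the host names in the sample inventory are assumptions constructed for illustration.

```python
import re

# First patched release on each maintained branch, as listed in this advisory.
FIXED = {(2, 5): 9, (2, 6): 6, (2, 7): 3}
FIRST_UNAFFECTED_BRANCH = (2, 8)  # 2.8 and later are not affected


def parse_release(release):
    """Return (major, minor, patch) from a release string.

    Accepts forms such as "2.7", "2.6.5", "2.7.2+" or
    "2.7.2 (Build: 20140908)" (formats assumed for this example).
    A missing patch level is treated as 0; any suffix is ignored.
    """
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised Moodle release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(release):
    """True if the release falls in the ranges this advisory lists."""
    major, minor, patch = parse_release(release)
    branch = (major, minor)
    if branch >= FIRST_UNAFFECTED_BRANCH:
        return False
    if branch in FIXED:
        # A "+" build of an unpatched point release is treated as
        # affected, which is the conservative reading.
        return patch < FIXED[branch]
    # Branches older than 2.5 have no patched release in the advisory.
    return True


def triage(inventory):
    """Map host -> 'affected' / 'patched' / 'unknown' for (host, release) pairs."""
    result = {}
    for host, release in inventory:
        try:
            result[host] = "affected" if is_affected(release) else "patched"
        except ValueError:
            result[host] = "unknown"  # needs manual review
    return result


# Constructed sample inventory (hypothetical hosts and release strings).
SAMPLE = [("lms-a.example", "2.7.2 (Build: 20140908)"),
          ("lms-b.example", "2.6.6"),
          ("lms-c.example", "2.4.11"),
          ("lms-d.example", "unknown build")]
```

Hosts reported as 'unknown' have a release string the parser could not read and should be checked by hand rather than assumed patched.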

Plugin Details

Severity: High

ID: 8721

Family: CGI

Published: 2015/04/20

Modified: 2018/09/16

Dependencies: 8690

Risk Information

Risk Factor: High


CVSS v2

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C


CVSS v3

Base Score: 7.3

Temporal Score: 7


Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:moodle:moodle

Patch Publication Date: 2014/11/10

Vulnerability Publication Date: 2014/11/17

Reference Information

CVE: CVE-2014-7830, CVE-2014-7832, CVE-2014-7833, CVE-2014-7836, CVE-2014-7837, CVE-2014-7838, CVE-2014-7845, CVE-2014-7846, CVE-2014-7847, CVE-2014-9059, CVE-2014-9060

BID: 71119, 71120, 71121, 71122, 71124, 71125, 71128, 71130, 71132, 71133, 71134, 72672