Moodle < 2.4 / 2.4.x < 2.4.11 / 2.5.x < 2.5.7 / 2.6.x < 2.6.4 / 2.7.x < 2.7.1 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 8723

Synopsis

The remote web server is hosting a web application that is vulnerable to multiple attack vectors.

Description

The remote web server hosts Moodle, an open-source course management system. Versions of Moodle 2.4.x prior to 2.4.11, 2.5.x prior to 2.5.7, 2.6.x prior to 2.6.4, 2.7.x prior to 2.7.1, and all previous releases are exposed to the following vulnerabilities:

- The Repositories component allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data defined by add-ons that could include malicious code. (MSA-14-0021 / CVE-2014-3541)

- An XML external entity (XXE) remote file disclosure flaw exists in the LTI module. Specifically, it is possible for manipulated XML files passed from LTI servers to be interpreted by Moodle to allow access to server-side files. (MSA-14-0022 / CVE-2014-3542)

- An XML external entity (XXE) remote file disclosure flaw affects IMSCC and IMSCP modules in Moodle. Specifically, it is possible for manipulated XML files to be uploaded to the IMSCC course format or the IMSCP resource to allow access to server-side files. (MSA-14-0023 / CVE-2014-3543)

- A remote code execution vulnerability exists in the Quiz system. It is possible to inject code into Calculated questions that would be executed on the server. (MSA-14-0025 / CVE-2014-3545)

- An information disclosure flaw exists in the script '/user/edit.php' that is triggered by manipulating the URL. An authenticated remote attacker could exploit this to get limited user information, such as user name and courses. (MSA-14-0026 / CVE-2014-3546)

- An error in forum permissions allowed users who were members of more than one group to post to all groups without having the capability to access all groups. (MSA-14-0027 / CVE-2014-3553)

- A reflected cross-site scripting (XSS) vulnerability exists because the content of exception dialogues presented from AJAX calls was not escaped before being presented to users. (MSA-14-0029 / CVE-2014-3548)

- Multiple cross-site scripting (XSS) vulnerabilities in the advanced-grading implementation could allow remote authenticated users to inject arbitrary web script or HTML via a specially crafted 'qualification' or 'rating' field in a rubric. (MSA-14-0032 / CVE-2014-3551)

- A cross-site scripting (XSS) vulnerability exists in 'user/profile.php' that allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field. Exploits for this XSS vulnerability are publicly available. (MSA-14-0024 / CVE-2014-3544)

Solution

Upgrade to Moodle version 2.7.1 or later. If your installation cannot be upgraded to 2.7.x, versions 2.6.4, 2.5.7 and 2.4.11 are also patched for these vulnerabilities.

See Also

http://moodle.org/security

http://www.nessus.org/u?b583ff8b

http://www.nessus.org/u?58c9c420

http://www.nessus.org/u?f84359cc

http://www.nessus.org/u?24af9411

http://openwall.com/lists/oss-security/2014/07/21/1

Plugin Details

Severity: High

ID: 8723

Family: CGI

Published: 2015/04/20

Modified: 2016/01/15

Dependencies: 8690

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 7.3

Temporal Score: 7

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:moodle:moodle

Patch Publication Date: 2014/07/14

Vulnerability Publication Date: 2014/07/21

Reference Information

CVE: CVE-2014-3541, CVE-2014-3542, CVE-2014-3543, CVE-2014-3545, CVE-2014-3546, CVE-2014-3553, CVE-2014-3548, CVE-2014-3551, CVE-2014-3544

BID: 68722, 68754, 68755, 68756, 68763, 68766, 68773, 68774, 68778