SynopsisThe remote web server is hosting a web application that is vulnerable to multiple attack vectors.
DescriptionThe remote web server hosts Moodle, an open-source course management system. Versions of Moodle 2.7.x prior to 2.7.17 are affected by multiple vulnerabilities :
- A flaw exists in the question engine that may allow an authenticated remote attacker to download files embedded in questions from the system by guessing the URL of the file downloading it using the identifier of a question they are authorized to access.
- A flaw exists in an unspecified web service that may allow a non-administrative remote attacker to make changes to administrative information for other users.
- A flaw exists that is due to the program failing to properly perform capability checks on users who have site-wide permissions which were revoked within a specific course. This may allow an authenticated remote attacker to disclose course note information.
SolutionUpgrade to Moodle version 2.7.17 or later.