Detections
Analytics
Moodle 3.9.x < 3.9.8 Multiple Vulnerabilities
critical Web App Scanning Plugin ID 113619
Language:
Synopsis
Moodle 3.9.x < 3.9.8 Multiple VulnerabilitiesDescription
The version of Moodle installed on the remote host is 3.9.x prior to 3.9.8, 3.10.x prior to 3.10.5 or 3.11.x prior to 3.11.1. It is, therefore, affected by multiple vulnerabilities:- An SQL injection in the library fetching a user's enrolled courses. (CVE-2021-36392)
- An SQL injection in the library fetching a user's recent courses. (CVE-2021-36393)
- A Remote Code Execution (RCE) in the Shibboleth authentication plugin, when enabled. (CVE-2021-36394)
- A recursion Denial of Service (DoS) in the file repository's URL parsing function. (CVE-2021-36395)
- A blind Server-Side Request Forgery (SSRF) due to an insufficient redirect handling, leading to the bypass of cURL blocked hosts and allowed ports restrictions. (CVE-2021-36396)
- An Insecure Direct Object Reference (IDOR) vulnerability allowing an user to delete other user messages. (CVE-2021-36397)
- A stored Cross-Site Scripting (XSS) vulnerability in the ID numbers displayed in the web service token list. (CVE-2021-36398)
- A stored Cross-Site Scripting (XSS) vulnerability in the ID numbers displayed in the quiz override screens. (CVE-2021-36399)
- An Insecure Direct Object Reference (IDOR) vulnerability allowing an user to remove other users calendar URL subscriptions. (CVE-2021-36400)
- A stored Cross-Site Scripting (XSS) vulnerability in the ID numbers exported in HTML data formats being read locally. (CVE-2021-36401)
- An improper input validation in user names of account confirmation emails leading leading to phishing risks. (CVE-2021-36402)
- An improper input validation when processing email notifications containing HTML, leading to phishing risks. (CVE-2021-36403)
Note that the scanner has not attempted to exploit this issue but has instead relied only on application's self-reported version number.
Solution
Upgrade to version 3.9.8 or later.See Also
https://moodle.org/mod/forum/discuss.php?d=424797#p1710816
https://moodle.org/mod/forum/discuss.php?d=424798#p1710817
https://moodle.org/mod/forum/discuss.php?d=424799#p1710818
https://moodle.org/mod/forum/discuss.php?d=424801#p1710820
https://moodle.org/mod/forum/discuss.php?d=424802#p1710821
https://moodle.org/mod/forum/discuss.php?d=424803#p1710822
https://moodle.org/mod/forum/discuss.php?d=424804#p1710823
https://moodle.org/mod/forum/discuss.php?d=424805#p1710824
https://moodle.org/mod/forum/discuss.php?d=424806#p1710825
https://moodle.org/mod/forum/discuss.php?d=424807#p1710826
Plugin Details
Severity: Critical
ID: 113619
Type: remote
Family: Component Vulnerability
Published: 2/20/2023
Updated: 3/14/2023
Scan Template: basic, full, pci, scan
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: Critical
Base Score: 10
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2021-36392
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score Source: CVE-2021-36392
Vulnerability Information
CPE: cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 7/19/2021
Vulnerability Publication Date: 7/19/2021
Reference Information
CVE: CVE-2021-36392, CVE-2021-36393, CVE-2021-36394, CVE-2021-36395, CVE-2021-36396, CVE-2021-36397, CVE-2021-36398, CVE-2021-36399, CVE-2021-36400, CVE-2021-36401, CVE-2021-36402, CVE-2021-36403
CWE: 20, 276, 384, 400, 610, 639, 674, 79, 89, 912, 918, 94
OWASP: 2010-A1, 2010-A2, 2010-A3, 2010-A4, 2010-A6, 2010-A8, 2013-A1, 2013-A2, 2013-A3, 2013-A4, 2013-A5, 2013-A7, 2013-A9, 2017-A1, 2017-A2, 2017-A5, 2017-A6, 2017-A7, 2017-A9, 2021-A1, 2021-A10, 2021-A3, 2021-A6, 2021-A7
WASC: Application Misconfiguration, Cross-Site Scripting, Denial of Service, Improper Input Handling, Insufficient Authorization, OS Commanding, SQL Injection, Session Fixation
CAPEC: 10, 101, 104, 108, 109, 110, 120, 122, 13, 135, 136, 14, 147, 153, 182, 196, 197, 209, 21, 219, 22, 23, 230, 231, 233, 24, 242, 250, 261, 267, 28, 3, 31, 35, 39, 42, 43, 45, 46, 47, 470, 473, 492, 52, 53, 58, 588, 59, 591, 592, 60, 61, 63, 64, 66, 67, 7, 71, 72, 73, 77, 78, 79, 8, 80, 81, 83, 85, 88, 9
DISA STIG: APSC-DV-000460, APSC-DV-000500, APSC-DV-002250, APSC-DV-002400, APSC-DV-002490, APSC-DV-002510, APSC-DV-002540, APSC-DV-002560, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i)
ISO: 27001-A.12.6.1, 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.2.1, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5
NIST: sp800_53-AC-3, sp800_53-CM-6b, sp800_53-IA-2(8), sp800_53-SC-5, sp800_53-SI-10
OWASP API: 2019-API7, 2019-API8, 2023-API7, 2023-API8
OWASP ASVS: 4.0.2-14.2.1, 4.0.2-3.2.1, 4.0.2-5.1.3, 4.0.2-5.2.5, 4.0.2-5.2.6, 4.0.2-5.3.3, 4.0.2-5.3.4
PCI-DSS: 3.2-2.2, 3.2-6.2, 3.2-6.5, 3.2-6.5.1, 3.2-6.5.10, 3.2-6.5.7, 3.2-6.5.8, 3.2-6.5.9