Moodle 4.1.x < 4.1.18 Multiple Vulnerabilities

medium Web App Scanning Plugin ID 114894

Language:

Synopsis

Description

According to its self-reported version, the Moodle install hosted on the remote host is 4.1.x prior to 4.1.18 or 4.3.x prior to 4.3.12 or 4.4.x prior to 4.4.8 or 4.5.x prior to 4.5.4. It is, therefore, affected by multiple vulnerabilities :

- Additional checks were required to ensure users can only fetch cohort data they are intended to have access to.

- Insufficient capability checks in a messaging web service made it possible to view other users' names and online status.

- Additional checks were required to prevent users deleting course sections they did not have permission to modify.

- The return URL in the policy tool required extra sanitizing to prevent a reflected XSS risk.

- A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default this was only available to teachers and managers, on sites with the EQUELLA repository enabled.

- A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default this was only available to teachers and managers, on sites with the Dropbox repository enabled.

- Insufficient capability checks made it possible for a user enrolled in a course to access some details (full name and profile image URL) of other users they did not have permission to access.

- The analysis request action in the Brickfield tool did not include the necessary token to prevent a CSRF risk.

- A user's CSRF token was unnecessarily included in the URL on the database module's edit and delete pages.

- Insufficient capability checks made it possible to view RSS feed content a user does not have permission to access.

- The user tours duplicate tour action did not include the necessary token to prevent a CSRF risk.

- On sites with Multi-Factor Authentication enabled, it was possible to use course self enrolment after passing only the first login factor (such as passing a username/password check). The user should also have to pass a second login factor before gaining access to self enrolment.

- Additional capability checks were required to prevent teachers from being able to identify a user's anonymous assignment submissions via the submissions search.

- On sites with Multi-Factor Authentication enabled, it was possible for a user to access some of their data after passing only the first login factor (such as passing a username/password check). The user should have to also pass a second factor check before gaining access to that data.

- A missing check in the Multi-Factor Authentication email factor's revoke/cancel action could lead to a Denial of Service risk for users logging in who have email as their only available second factor. If exploited, the impacted user's name was disclosed.

- Insufficient sanitizing in an undocumented MimeTeX command resulted in a remote code execution risk for sites using MimeTeX (via the TeX Notation filter).

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.