SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Forum/Board/Portal)  >   Moodle Vendors:   moodle.org
Moodle Multiple Flaws Let Remote Users Conduct Cross-Site Scripting Attacks, Obtain Potentially Sensitive Information, and Bypass Security Restrictions
SecurityTracker Alert ID:  1032358
SecurityTracker URL:  http://securitytracker.com/id/1032358
CVE Reference:   CVE-2015-3174, CVE-2015-3175, CVE-2015-3176, CVE-2015-3177, CVE-2015-3178, CVE-2015-3179, CVE-2015-3180, CVE-2015-3181   (Links to External Site)
Date:  May 18 2015
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to versions 2.6.11, 2.7.8, 2.8.6, 2.9
Description:   Multiple vulnerabilities were reported in Moodle. A remote user can conduct cross-site scripting attacks. A remote authenticated user can obtain potentially sensitive information. A remote user can bypass security controls on the target system.

The Quiz manual-grading function ('mod/quiz:grade') is not declared with an XSS mask [CVE-2015-3174].

A remote user can cause an error message to redirect to an external site [CVE-2015-3175].

A remote authenticated user with knowledge of the target user's username can retrieve the full name of target user [CVE-2015-3176]. Systems with self-registration enabled are affected.

A remote authenticated user can subscribe to site-wide event monitor rules [CVE-2015-3177]. Systems with site-wide rules in the event monitor tool are affected. Versions 2.8 to 2.8.5 are affected.

Text entered by student users via web services is not properly filtered before the input is displayed [CVE-2015-3178]. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Moodle software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user with an account that has been created but suspended before confirmation can login a single time when confirming the account [CVE-2015-3179]. Systems with self-registration enabled are affected.

A remote authenticated user that is enrolled in a course but whose enrollment is suspended can see the course structure in the navigation block [CVE-2015-3180]

A remote authenticated user with the 'moodle/user:manageownfiles' capability revoked can upload private files via Web Services [CVE-2015-3181].

Hugh Davenport, Dingjie Yang, Federico Kirschbaum, Adrian Greeve, Eloy Lafuente, Marina Glancy, Alex Mitin, and Juan Leyva reported these vulnerabilities.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Moodle software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user can redirect the target user's browser to an arbitrary external site.

A remote authenticated user with a suspended account or revoked capability can bypass security restrictions to access certain functions.

A remote authenticated user can obtain potentially sensitive information.

Solution:   The vendor has issued a fix (2.6.11, 2.7.8, 2.8.6, 2.9).

The vendor's advisory is available at:

https://moodle.org/security/

Vendor URL:  moodle.org/security/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [oss-security] Moodle security advisories [vs]

Hello,

The following security notifications have now been made public. Thanks
to OSS members for their cooperation.

Marina Glancy
Development Process Manager
marina@moodle.com
+61894674167 | moodle.com
The world's open source learning platform


==============================================================================
MSA-15-0018: Quiz manual-grading is an XSS risk, but does not declare that

Description:       Leaving gradebook feedback is a trusted action and such
                   capabilities in other modules already have XSS mask,
                   'mod/quiz:grade' was missing this flag.
Issue summary:     Quiz manual-grading is an XSS risk, but does not declare
                   that
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier
                   unsupported versions
Versions fixed:    2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by:       Hugh Davenport
Issue no.:         MDL-49941
CVE identifier:    CVE-2015-3174
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49941

==============================================================================
MSA-15-0019: Possible phishing when redirecting to external site using referer
header

Description:       Some error messages in Moodle display button to return to
                   previous page. Redirecting to non-local referer should not
                   be allowed as it can potentially be used for phising.
Issue summary:     get_referer() used with redirect() can be insecure
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier
                   unsupported versions
Versions fixed:    2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by:       Dingjie Yang
Issue no.:         MDL-49179
CVE identifier:    CVE-2015-3175
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49179

==============================================================================
MSA-15-0020: User fullname disclosure through account confirmation link

Description:       On the sites with enabled self-registration not registered
                   users can retrieve fullname of registered users knowing
                   their usernames
Issue summary:     User fullname disclosure through account confirmation link
Severity/Risk:     Serious
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier
                   unsupported versions
Versions fixed:    2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by:       Federico Kirschbaum
Issue no.:         MDL-50099
Workaround:        Even partial patch (removing one line in
                   /login/confirm.php) will also resolve security issue
CVE identifier:    CVE-2015-3176
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50099

==============================================================================
MSA-15-0021: Any authenticated user can subscribe to site-wide event monitor
rules

Description:       If the site-wide rules exist in the event monitor tool, any
                   user can subscribe themselves to them and potentially
                   access information they are not supposed to see.
Issue summary:     Any authenticated user can subscribe to site wide event
                   monitor rules
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.5
Versions fixed:    2.9 and 2.8.6
Reported by:       Adrian Greeve
Issue no.:         MDL-50039
Workaround:        Do not use site-wide rules until your site is upgraded
CVE identifier:    CVE-2015-3177
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50039

==============================================================================
MSA-15-0022: Potential XSS risk when returning text entered by student from
Web Services

Description:       If user who is not XSS-trusted attempts to insert the XSS
                   as part of the input text, it will be cleaned when
                   displayed on Moodle website but may be displayed uncleaned
                   in the external application
Issue summary:     external_format_text() cleans and formats text incorrectly
Severity/Risk:     Serious
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier
                   unsupported versions
Versions fixed:    2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by:       Eloy Lafuente
Issue no.:         MDL-49718
CVE identifier:    CVE-2015-3178
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49718

==============================================================================
MSA-15-0023: Suspended user is able to login when confirming email

Description:       When self-registration is enabled and user's account was
                   suspended after creating account but before actually
                   confirming it, user is still able to login when confirming
                   email but only once.
Issue summary:     Suspended user is able to login when confirming email
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier
                   unsupported versions
Versions fixed:    2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by:       Marina Glancy
Issue no.:         MDL-50090
CVE identifier:    CVE-2015-3179
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50090

==============================================================================
MSA-15-0024: User with suspended enrolment can see sections in the navigation
tree

Description:       If a user is enrolled in the course but his enrollment is
                   suspended, they can not access the course but still were
                   able to see course structure in the navigation block
Issue summary:     User with suspended enrolment can see sections in the
                   navigation tree
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier
                   unsupported versions
Versions fixed:    2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by:       Alex Mitin
Issue no.:         MDL-49788
CVE identifier:    CVE-2015-3180
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49788

==============================================================================
MSA-15-0025:       Capability to manage own files is not respected in Web
Services

Description:       Users with the revoked capability
                   'moodle/user:manageownfiles' are still able to upload
                   private files using deprecated function in Web Services
Issue summary:     Users with the manageownfiles disabled are able to upload
                   private files via Web Services
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier
                   unsupported versions
Versions fixed:    2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by:       Juan Leyva
Issue no.:         MDL-49994
CVE identifier:    CVE-2015-3181
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49994

==============================================================================
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC