SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   Moodle
Vendors:   moodle.org
Moodle Multiple Flaws Let Remote Users Guess Password Recovery Tokens and Remote Authenticated Users Access Data, Delete Files, and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1033619
SecurityTracker URL:  http://securitytracker.com/id/1033619
CVE Reference:   CVE-2015-5264, CVE-2015-5265, CVE-2015-5266, CVE-2015-5267, CVE-2015-5268, CVE-2015-5269, CVE-2015-5272
Date:  Sep 21 2015
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to versions 2.7.10, 2.8.8, 2.9.2
Description:   Multiple vulnerabilities were reported in Moodle. A remote user can guess password recovery tokens to gain access to the target user account. A remote authenticated user can delete files on the target system. A remote authenticated user can access data on the target system. A remote user can conduct cross-site scripting attacks.

A remote authenticated student user can re-attempt answering questions for a completed and graded lesson activity [CVE-2015-5264].

A remote authenticated teacher user without accessallgroups can post to "all participants" and groups that they are not a member of [CVE-2015-5272]. Versions 2.7.x are affected.

A remote authenticated user can invoke the file manager to delete files that have been uploaded by other users in the wiki [CVE-2015-5265].

When a synchronization script takes a long time to complete, suspended students may be temporarily assigned a manager role in the meta course [CVE-2015-5266]. Large installations may be affected.

The system may generate password recovery tokens with insufficient randomization [CVE-2015-5267]. A remote user can guess the password recovery token to gain access to the target user account.
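
An illustration of the randomization weakness described for CVE-2015-5267, added here and not taken from Moodle's code. It assumes a token generator built on PHP's seedable mt_rand(), whose whole output stream is fixed by a 32-bit seed, and contrasts it with random_bytes() (PHP 7+), which reads from the operating system CSPRNG. The function names, alphabet and seed value are constructed for the example.

```php
<?php
// Added example, not Moodle's code. All names below are hypothetical.

const TOKEN_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

// Weak pattern: every character is drawn from mt_rand(). The token looks
// long, but it is a pure function of the generator's 32-bit seed, so at
// most 2^32 distinct tokens can ever be produced from a fresh seed.
function weak_reset_token(int $length = 32): string
{
    $alphabet = TOKEN_ALPHABET;
    $max = strlen($alphabet) - 1;
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= $alphabet[mt_rand(0, $max)];
    }
    return $token;
}

// Hardened pattern: 32 bytes (256 bits) from the OS CSPRNG, hex-encoded.
// random_bytes() throws if no secure source is available, so a failure
// cannot silently fall back to a predictable generator.
function strong_reset_token(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

// Same seed, same "random" token: the output carries no more entropy
// than the seed itself.
function weak_token_is_reproducible(int $seed): bool
{
    mt_srand($seed);
    $first = weak_reset_token();
    mt_srand($seed);
    $second = weak_reset_token();
    return $first === $second;
}

$seed = 1442793600; // constructed sample seed
echo 'weak token reproducible from seed: ',
    var_export(weak_token_is_reproducible($seed), true), PHP_EOL;

$a = strong_reset_token();
$b = strong_reset_token();
echo 'strong token length (hex chars):   ', strlen($a), PHP_EOL;
echo 'two strong tokens identical:       ', var_export($a === $b, true), PHP_EOL;
```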

A remote authenticated user can view ratings for other groups [CVE-2015-5268].

The software does not properly filter HTML code from user-supplied input in the grouping description before displaying the input [CVE-2015-5269]. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Moodle software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Eric Eakin, David Scotson, John Provasnik, Brian Winstead, Vincent Herbulot (@us3r777), Juan Leyva, and Marina Glancy reported these vulnerabilities.

Impact:   A remote user can guess password recovery tokens to gain access to the target user account.

A remote authenticated user can delete files on the target system.

A remote authenticated user can access data on the target system.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Moodle software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   The vendor has issued a fix (2.7.10, 2.8.8, 2.9.2).

The vendor's advisory is available at:

https://moodle.org/security/

Vendor URL:  moodle.org/security/
Cause:   Access control error, Input validation error, Randomization error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [oss-security] Moodle security release

The following security notifications have now been made public. Thanks
to OSS members for their cooperation.

Marina Glancy
Development Process Manager
marina@moodle.com
+61894674167 | moodle.com
The world's open source learning platform

==============================================================================
MSA-15-0030: Students can re-attempt answering questions in the lesson

Description:       Completed and graded lesson activity was not protected
                   against making new attempt to answer some questions
Issue summary:     Students can re-attempt answering questions in the lesson
Severity/Risk:     Minor
Versions affected: 2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier
                   unsupported versions
Versions fixed:    2.9.2, 2.8.8 and 2.7.10
Reported by:       Eric Eakin
Issue no.:         MDL-50516
CVE identifier:    CVE-2015-5264
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50516

==============================================================================
MSA-15-0031: Teacher in forum can still post to "all participants" and groups
they are not members of

Description:       Group access is not properly checked when posting to "all
                   participants" in forum
Issue summary:     Teacher without accessallgroups can still post to "all
                   participants" and groups they're not members of
Severity/Risk:     Minor
Versions affected: 2.7 to 2.7.9 and earlier unsupported versions
Versions fixed:    2.7.10
Reported by:       David Scotson
Issue no.:         MDL-50576
CVE identifier:    CVE-2015-5272
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50576

==============================================================================
MSA-15-0032: Users can delete files uploaded by other users in wiki

Description:       Users can delete files uploaded by other users in wiki
                   without capability to manage files
Issue summary:     Disable free access to the file manager in the wiki via the
                   text editor.
Severity/Risk:     Minor
Versions affected: 2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier
                   unsupported versions
Versions fixed:    2.9.2, 2.8.8 and 2.7.10
Reported by:       John Provasnik
Issue no.:         MDL-48371
CVE identifier:    CVE-2015-5265
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48371

==============================================================================
MSA-15-0033: Meta course synchronisation enrols suspended students as managers
for a short period of time

Description:       On large installations, when sync script takes a long time,
                   suspended students may get assigned a manager role in meta
                   course for several minutes
Issue summary:     Meta course sync enroling suspended students as managers
                   and causing large database growth
Severity/Risk:     Minor
Versions affected: 2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier
                   unsupported versions
Versions fixed:    2.9.2, 2.8.8 and 2.7.10
Reported by:       Brian Winstead
Issue no.:         MDL-50744
CVE identifier:    CVE-2015-5266
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50744

==============================================================================
MSA-15-0034: Vulnerability in password recovery mechanism

Description:       Password recovery token can be guessed because of php
                   randomisation limitations
Issue summary:     Vulnerability in password recovery mechanism
Severity/Risk:     Serious
Versions affected: 2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier
                   unsupported versions
Versions fixed:    2.9.2, 2.8.8 and 2.7.10
Reported by:       Vincent Herbulot (@us3r777)
Issue no.:         MDL-50860
CVE identifier:    CVE-2015-5267
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50860

==============================================================================
MSA-15-0035: Rating component does not check separate groups

Description:       When viewing ratings the group access was not properly
                   checked allowing users from other groups to view ratings
Issue summary:     Rating component does not check separate groups
Severity/Risk:     Minor
Versions affected: 2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier
                   unsupported versions
Versions fixed:    2.9.2, 2.8.8 and 2.7.10
Reported by:       Juan Leyva
Issue no.:         MDL-50173
CVE identifier:    CVE-2015-5268
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50173

==============================================================================
MSA-15-0036: XSS in grouping description

Description:       Capability to manage groups does not have XSS risk, however
                   it was possible to add XSS to the grouping description
Issue summary:     XSS in grouping description
Severity/Risk:     Minor
Versions affected: 2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier
                   unsupported versions
Versions fixed:    2.9.2, 2.8.8 and 2.7.10
Reported by:       Marina Glancy
Issue no.:         MDL-50709
CVE identifier:    CVE-2015-5269
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50709

==============================================================================
 
 

