SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   Moodle
Vendors:   moodle.org
Moodle Bugs Let Remote Authenticated Users Obtain Potentially Sensitive Information and Bypass Security Restrictions and Remote Users Conduct Cross-Site Scripting and Cross-Site Request Forgery Attacks
SecurityTracker Alert ID:  1035333
SecurityTracker URL:  http://securitytracker.com/id/1035333
CVE Reference:   CVE-2016-2151, CVE-2016-2152, CVE-2016-2153, CVE-2016-2154, CVE-2016-2155, CVE-2016-2156, CVE-2016-2157, CVE-2016-2158, CVE-2016-2159, CVE-2016-2190
Date:  Mar 21 2016
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to versions 2.7.13, 2.8.11, 2.9.5, 3.0.3
Description:   Multiple vulnerabilities were reported in Moodle. A remote user can conduct cross-site request forgery attacks. A remote authenticated user can obtain potentially sensitive information on the target system. A remote authenticated user can bypass security restrictions. A remote user can conduct cross-site scripting attacks.

The software does not properly filter HTML code from user-supplied input before displaying the input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Moodle software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Profile fields from external databases are affected [CVE-2016-2152].

The mod_data advanced search function is affected [CVE-2016-2153].

A remote authenticated teacher can exploit a flaw in the Participants list to view student email addresses [CVE-2016-2151].

A remote authenticated user that can subscribe to Event Monitor rules can view the names of hidden courses [CVE-2016-2154]. Versions 2.7.x are not affected.

A remote authenticated non-editing instructor user can exploit a flaw in the Single View grade report to edit the exclude checkbox and gain elevated privileges [CVE-2016-2155]. Versions 2.7.x are not affected.

A remote authenticated user can exploit a flaw in get_calendar_events() to view hidden activities [CVE-2016-2156].

A remote user can create a specially crafted HTML page or URL that, when loaded by the target authenticated user, will exploit a flaw in the Assignment plugin management page to take actions on the target interface acting as the target user [CVE-2016-2157].

A remote user can enumerate category details [CVE-2016-2158].

A remote user may be able to obtain the HTTP Referer value when the target user follows a link that has a '_blank' target attribute [CVE-2016-2190].

A remote authenticated student user can exploit a flaw in mod_assign_save_submission() to add assignment submissions after the due date [CVE-2016-2159].

Matt Jenner, Jay Knight, Ian Song, Roger, Mark McKay, Juan Leyva, Paul Holden, Krista Koivisto, and Hugh Davenport reported these vulnerabilities.

Impact:   A remote user can take actions on the target system acting as the target authenticated user.

A remote authenticated user can obtain potentially sensitive information on the target system.

A remote authenticated user can bypass security controls on the target system.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Moodle software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   The vendor has issued a fix (2.7.13, 2.8.11, 2.9.5, 3.0.3).

The vendor's advisories are available at:

https://moodle.org/security/

Vendor URL:  moodle.org/security/
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [oss-security] moodle security release

The following security notifications have now been made public. Thanks
to OSS members for their cooperation.

Marina Glancy
Development Process Manager
e: marina@moodle.com
p: +61 8 9467 4167 w: moodle.com

==============================================================================
MSA-16-0003: Incorrect capability check when displaying users' emails in
Participants list

Description:       Teachers who otherwise were not supposed to see students'
                   emails could see them in the participants list
Issue summary:     Incorrect capability check when displaying users' emails in
                   Participants list
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Matt Jenner
Issue no.:         MDL-52433
CVE identifier:    CVE-2016-2151
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52433

==============================================================================
MSA-16-0004: XSS from profile fields from external db

Description:       Moodle traditionally trusted content from external DB
                   however it was decided that external datasources may not be
                   aware of web security practices and data could cause
                   problems after importing to Moodle
Issue summary:     XSS from profile fields from external db
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Jay Knight
Issue no.:         MDL-50705
CVE identifier:    CVE-2016-2152
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50705

==============================================================================
MSA-16-0005: Reflected XSS in mod_data advanced search

Description:       User with higher permissions could be tricked into clicking
                   a link which would result in XSS attack
Issue summary:     Reflected XSS in mod_data advanced search
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Ian Song
Issue no.:         MDL-52727
Workaround:        Educate staff to always use only modern browsers that block
                   such attacks by default
CVE identifier:    CVE-2016-2153
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52727

==============================================================================
MSA-16-0006: Hidden courses are shown to students in Event Monitor

Description:       Users without capability to view hidden courses but with
                   capability to subscribe to Event Monitor rules could see
                   the names of hidden courses
Issue summary:     Hidden courses are shown to students in Event Monitor
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10
Versions fixed:    3.0.3, 2.9.5 and 2.8.11
Reported by:       Roger
Issue no.:         MDL-51167
Workaround:        Revoke capability to subscribe to Event Monitor rules from
                   regular users
CVE identifier:    CVE-2016-2154
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51167

==============================================================================
MSA-16-0007: Non-Editing Instructor role can edit exclude checkbox in Single
View

Description:       Incorrect capability check in Single View grade report
                   could result in giving a teacher extra permission
Issue summary:     Non-Editing Instructor role can edit exclude checkbox in
                   Single View
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10
Versions fixed:    3.0.3, 2.9.5 and 2.8.11
Reported by:       Mark McKay
Issue no.:         MDL-52378
CVE identifier:    CVE-2016-2155
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52378

==============================================================================
MSA-16-0008: External function get_calendar_events returns events that pertain
to hidden activities

Description:       Users without capability to view hidden activities could
                   still see associated calendar events via web services
Issue summary:     External function get_calendar_events returns events that
                   pertain to hidden activities
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Juan Leyva
Issue no.:         MDL-52808
CVE identifier:    CVE-2016-2156
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52808

==============================================================================
MSA-16-0009: CSRF in Assignment plugin management page

Description:       CSRF possible on admin page, however an exploit is unlikely
                   to benefit anybody and can easily be reversed
Issue summary:     CSRF in Assignment plugin management page
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Paul Holden
Issue no.:         MDL-53031
CVE identifier:    CVE-2016-2157
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53031

==============================================================================
MSA-16-0010: Enumeration of category details possible without authentication

Description:       Despite force login setting guests could still access
                   course category details
Issue summary:     Enumeration of category details possible without
                   authentication
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Krista Koivisto
Issue no.:         MDL-52774
CVE identifier:    CVE-2016-2158
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52774

==============================================================================
MSA-16-0011: Add no referrer to links with _blank target attribute

Description:       Improve security when following external links that were
                   added with _blank target
Issue summary:     Add no referrer to links with _blank target attribute
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Hugh Davenport
Issue no.:         MDL-52651
CVE identifier:    CVE-2016-2190
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52651

==============================================================================
MSA-16-0012: External function mod_assign_save_submission does not check due
dates

Description:       Students were able to add assignment submissions after the
                   due date through web service
Issue summary:     External function mod_assign_save_submission does not check
                   due dates
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Juan Leyva
Issue no.:         MDL-52901
CVE identifier:    CVE-2016-2159
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52901

==============================================================================
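As an added illustration of the MSA-16-0011 mitigation (adding rel="noreferrer" to links opened with target="_blank", so the opened site does not receive the Moodle page URL in the Referer header), the following Python is not Moodle's code; it assumes a server-side output filter applied to HTML fragments and runs over a constructed sample fragment. It goes slightly beyond the advisory by matching the target value case-insensitively and preserving any rel tokens already present.

```python
from html import escape
from html.parser import HTMLParser


class NoReferrerRewriter(HTMLParser):
    """Echo an HTML fragment unchanged except that every <a target="_blank">
    gets rel="noreferrer" (appended to an existing rel if there is one)."""

    def __init__(self):
        # convert_charrefs=False so entities in text can be echoed verbatim
        super().__init__(convert_charrefs=False)
        self.out = []

    def _emit_tag(self, tag, attrs, selfclosing):
        opens_new_window = tag == "a" and any(
            k == "target" and (v or "").lower() == "_blank" for k, v in attrs)
        if not opens_new_window:
            self.out.append(self.get_starttag_text())  # untouched, raw text
            return
        rel_tokens = []
        for k, v in attrs:
            if k == "rel":
                rel_tokens = (v or "").split()
        if "noreferrer" not in (t.lower() for t in rel_tokens):
            rel_tokens.append("noreferrer")
        attrs = [(k, v) for k, v in attrs if k != "rel"] + [("rel", " ".join(rel_tokens))]
        # the parser unescaped attribute values, so re-escape them on output
        parts = [tag] + [k if v is None else f'{k}="{escape(v, quote=True)}"' for k, v in attrs]
        self.out.append("<" + " ".join(parts) + (" />" if selfclosing else ">"))

    def handle_starttag(self, tag, attrs): self._emit_tag(tag, attrs, False)
    def handle_startendtag(self, tag, attrs): self._emit_tag(tag, attrs, True)
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")


def add_noreferrer(fragment):
    p = NoReferrerRewriter()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


# Constructed sample fragment (hypothetical content, not from Moodle)
SAMPLE = ('<p>See <a href="https://example.com/?q=a&amp;b" target="_blank">this</a> '
          'and <a href="/local" target="_self">that</a> &amp; '
          '<a target="_BLANK" href="x" rel="nofollow">x</a>.</p>')
```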
Copyright 2018, SecurityGlobal.net LLC