SB2014052114 - Fedora EPEL 6 update for moodle

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2014052114

SB2014052114 - Fedora EPEL 6 update for moodle

Published: May 21, 2014 Updated: April 24, 2025

Security Bulletin ID SB2014052114
Severity
Medium
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Cross-site request forgery (CVE-ID: CVE-2014-0213)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.


2) Improper Authentication (CVE-ID: CVE-2014-0214)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

login/token.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 creates a MoodleMobile web-service token with an infinite lifetime, which makes it easier for remote attackers to hijack sessions via a brute-force attack.


3) Information disclosure (CVE-ID: CVE-2014-0215)

The vulnerability allows a remote #AU# to gain access to sensitive information.

The blind-marking implementation in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 allows remote authenticated users to de-anonymize student identities by (1) using a screen reader or (2) reading the HTML source.


4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-0216)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The My Home implementation in the block_html_pluginfile function in blocks/html/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 does not properly restrict file access, which allows remote attackers to obtain sensitive information by visiting an HTML block.


5) Information disclosure (CVE-ID: CVE-2014-0217)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

enrol/index.php in Moodle 2.6.x before 2.6.3 does not check for the moodle/course:viewhiddencourses capability before listing hidden courses, which allows remote attackers to obtain sensitive name and summary information about these courses by leveraging the guest role and visiting a crafted URL.


6) Cross-site scripting (CVE-ID: CVE-2014-0218)

Vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by an input validation error in the URL downloader repository in repository/url/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


Remediation

Install update from vendor's website.

References