Main Vulnerability Database SB2017012424

SB2017012424 - Fedora 24 update for moodle

Published: January 24, 2017 Updated: April 24, 2025

Security Bulletin ID SB2017012424

Severity

Medium

Patch available

YES

Number of vulnerabilities 5

Exploitation vector Remote access

Highest impact Data manipulation

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2016-8642)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

In Moodle 2.x and 3.x, the question engine allows access to files that should not be available.

2) Improper access control (CVE-ID: CVE-2016-8643)

The vulnerability allows a remote authenticated user to manipulate data.

In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services.

3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2016-8644)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context.

4) Input validation error (CVE-ID: CVE-2017-2576)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

In Moodle 2.x and 3.x, there is incorrect sanitization of attributes in forums.

5) Cross-site scripting (CVE-ID: CVE-2017-2578)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

In Moodle 3.x, there is XSS in the assignment submission page.

Install update from vendor's website.