SB20170314171 - Fedora EPEL 6 update for moodle

Security Bulletin ID SB20170314171

Severity

High

Patch available

YES

Number of vulnerabilities 20

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 20 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2016-3729)

The vulnerability allows a remote authenticated user to manipulate data.

The user editing form in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to edit profile fields locked by the administrator.

2) Information disclosure (CVE-ID: CVE-2016-3731)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, and 2.8 through 2.8.11 allows remote attackers to obtain the names of hidden forums and forum discussions.

3) Information disclosure (CVE-ID: CVE-2016-3732)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

The capability check to access other badges in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to read the badges of other users.

4) Improper access control (CVE-ID: CVE-2016-3733)

The vulnerability allows a remote authenticated user to manipulate data.

The "restore teacher" feature in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to overwrite the course idnumber.

5) Cross-site request forgery (CVE-ID: CVE-2016-3734)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

6) Information disclosure (CVE-ID: CVE-2016-2151)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

user/index.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 grants excessive authorization on the basis of the moodle/course:viewhiddenuserfields capability, which allows remote authenticated users to discover student e-mail addresses by leveraging the teacher role and reading a Participants list.

7) Cross-site scripting (CVE-ID: CVE-2016-2152)

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in auth/db/auth.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 when processing an external DB profile field. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

8) Cross-site scripting (CVE-ID: CVE-2016-2153)

Vulnerability allows a remote attacker to perform Cross-site scripting attacks.

An input validation error exists in the advanced-search feature in mod_data in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

9) Information disclosure (CVE-ID: CVE-2016-2154)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

admin/tool/monitor/lib.php in Event Monitor in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/course:viewhiddencourses capability, which allows remote authenticated users to discover hidden course names by subscribing to a rule.

10) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2016-2155)

The vulnerability allows a remote authenticated user to manipulate data.

The grade-reporting feature in Singleview (aka Single View) in Moodle 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not consider the moodle/grade:manage capability, which allows remote authenticated users to modify "Exclude grade" settings by leveraging the Non-Editing Instructor role.

11) Information disclosure (CVE-ID: CVE-2016-2156)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

calendar/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 provides calendar-event data without considering whether an activity is hidden, which allows remote authenticated users to obtain sensitive information via a web-service request.

12) Cross-site request forgery (CVE-ID: CVE-2016-2157)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

13) Information disclosure (CVE-ID: CVE-2016-2158)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

lib/ajax/getnavbranch.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3, when the forcelogin feature is enabled, allows remote attackers to obtain sensitive category-detail information from the navigation branch by leveraging the guest role for an Ajax request.

14) Improper access control (CVE-ID: CVE-2016-2159)

The vulnerability allows a remote authenticated user to manipulate data.

The save_submission function in mod/assign/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 allows remote authenticated users to bypass intended due-date restrictions by leveraging the student role for a web-service request.

15) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2016-2190)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not properly restrict links, which allows remote attackers to obtain sensitive URL information by reading a Referer log.

16) Information disclosure (CVE-ID: CVE-2016-0724)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

The (1) core_enrol_get_course_enrolment_methods and (2) enrol_self_get_instance_info web services in Moodle through 2.6.11, 2.7.x before 2.7.12, 2.8.x before 2.8.10, 2.9.x before 2.9.4, and 3.0.x before 3.0.2 do not consider the moodle/course:viewhiddencourses capability, which allows remote authenticated users to obtain sensitive information via a web-service request.

17) SQL injection (CVE-ID: CVE-2017-2641)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

18) Information disclosure (CVE-ID: CVE-2017-2643)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

In Moodle 3.2.x, global search displays user names for unauthenticated users.

19) Cross-site scripting (CVE-ID: CVE-2017-2644)

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when processing data passed via evidence of prior learning. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

20) Cross-site scripting (CVE-ID: CVE-2017-2645)

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when processing data passed via attachments to evidence of prior learning. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-75190374ce

SB20170314171 - Fedora EPEL 6 update for moodle

Breakdown by Severity

Description

Remediation

References

Please verify you're human