SB2013012801 - Multiple vulnerabilities in Moodle
Published: January 28, 2013 Updated: January 16, 2023
Description
This security bulletin contains information about 9 security vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2012-6104)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
blog/rsslib.php in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 allows remote attackers to obtain sensitive information from site-level blogs by leveraging the guest role and reading an RSS feed.
2) Information disclosure (CVE-ID: CVE-2012-6105)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
blog/rsslib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 continues to provide a blog RSS feed after blogging is disabled, which allows remote attackers to obtain sensitive information by reading this feed.
3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-6106)
The vulnerability allows a remote authenticated user to manipulate or delete data.
calendar/managesubscriptions.php in the Manage Subscriptions implementation in Moodle 2.4.x before 2.4.1 omits a capability check, which allows remote authenticated users to remove course-level calendar subscriptions by leveraging the student role and sending an iCalendar object.
4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-6098)
The vulnerability allows a remote authenticated user to manipulate data.
grade/edit/outcome/edit_form.php in Moodle 1.9.x through 1.9.19, 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly enforce the moodle/grade:manage capability requirement, which allows remote authenticated users to convert custom outcomes into standard site-wide outcomes by leveraging the teacher role and using the re-editing feature.
5) Input validation error (CVE-ID: CVE-2012-6099)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
The moodle1 backup converter in backup/converter/moodle1/lib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly validate pathnames, which allows remote authenticated users to read arbitrary files by leveraging the backup-restoration feature.
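Added example (not Moodle's code): a defensive pathname check of the kind a backup converter needs before writing any archive entry, applied to a constructed manifest. The restore root and entry names are hypothetical.

```python
import os
import posixpath
from typing import Optional

def safe_restore_path(restore_root: str, entry_name: str) -> Optional[str]:
    """Return the absolute destination for a backup entry, or None when
    the entry would land outside restore_root."""
    # Treat backslashes as separators, then collapse "." and ".." segments
    normalised = posixpath.normpath(entry_name.replace("\\", "/"))
    # Reject empty names, absolute paths and anything still climbing upwards
    if normalised in (".", "..") or normalised.startswith(("/", "../")):
        return None
    root = os.path.realpath(restore_root)
    candidate = os.path.realpath(os.path.join(root, normalised))
    # realpath follows symlinks already present under root, so a link
    # planted by an earlier entry cannot steer a later one outside root
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

def partition_entries(restore_root, entry_names):
    """Split a manifest into (accepted, rejected) entry names."""
    accepted, rejected = [], []
    for name in entry_names:
        target = accepted if safe_restore_path(restore_root, name) else rejected
        target.append(name)
    return accepted, rejected

# Constructed sample manifest mixing legitimate paths with traversal attempts
SAMPLE_MANIFEST = [
    "moodle.xml",
    "course_files/lecture1.pdf",
    "../../../config.php",
    "/etc/passwd",
    "course_files/..\\..\\config.php",
]

if __name__ == "__main__":
    ok, bad = partition_entries("/srv/moodledata/temp/backup", SAMPLE_MANIFEST)
    print("accepted:", ok)
    print("rejected:", bad)
```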
6) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-6100)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
report/outline/index.php in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly enforce the moodle/user:viewhiddendetails capability requirement, which allows remote authenticated users to discover a hidden lastaccess value by reading an activity report.
7) Input validation error (CVE-ID: CVE-2012-6101)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Multiple open redirect vulnerabilities in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors related to (1) backup/backupfilesedit.php, (2) comment/comment_post.php, (3) course/switchrole.php, (4) mod/wiki/filesedit.php, (5) tag/coursetags_add.php, or (6) user/files.php.
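Added example (not Moodle's code): a same-site check for user-supplied redirect targets, the control each of the six endpoints above lacked. The site root is a hypothetical value; in Moodle the equivalent setting is the configured site URL.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Hypothetical site root for the example
SITE_ROOT = "https://moodle.example.edu"

def resolve_local_url(url: str, site_root: str = SITE_ROOT) -> Optional[str]:
    """Return the absolute URL to redirect to if `url` stays on this site,
    otherwise None. Relative paths are resolved against site_root."""
    url = url.strip()
    # Backslashes and control characters are parsed inconsistently by
    # browsers and URL libraries, so refuse them outright
    if any(c in url for c in "\\\r\n\t"):
        return None
    site = urlsplit(site_root)
    resolved = urlsplit(urljoin(site_root + "/", url))
    # Scheme-relative ("//evil"), foreign hosts, userinfo tricks and
    # non-http schemes such as javascript: all fail this comparison
    if resolved.scheme != site.scheme or resolved.netloc.lower() != site.netloc.lower():
        return None
    # Stay under the site's path prefix when it is installed in a subdirectory
    base_path = site.path.rstrip("/") + "/"
    if not (resolved.path + "/").startswith(base_path):
        return None
    return resolved.geturl()

def safe_redirect_target(url: str, fallback: str = "/") -> str:
    """Redirect to `url` only when it is local; otherwise use the fallback."""
    return resolve_local_url(url) or resolve_local_url(fallback)

if __name__ == "__main__":
    for candidate in ["/course/view.php?id=2", "https://evil.example/phish",
                      "//evil.example/phish", "javascript:alert(1)"]:
        print(candidate, "->", safe_redirect_target(candidate))
```

Returning the resolved absolute URL, rather than echoing the raw parameter, also avoids handing the browser an ambiguous Location header.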
8) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-6102)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
lib.php in the Submission comments plugin in the Assignment module in Moodle 2.3.x before 2.3.4 and 2.4.x before 2.4.1 allows remote attackers to read or modify the submission comments (aka feedback comments) of arbitrary users via a crafted URI.
9) Cross-site request forgery (CVE-ID: CVE-2012-6103)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
Remediation
Install the updates from the vendor's website.
References
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36620
- http://openwall.com/lists/oss-security/2013/01/21/1
- https://moodle.org/mod/forum/discuss.php?d=220165
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37467
- https://moodle.org/mod/forum/discuss.php?d=220166
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37106
- https://moodle.org/mod/forum/discuss.php?d=220167
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-27619
- https://moodle.org/mod/forum/discuss.php?d=220158
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36977
- https://moodle.org/mod/forum/discuss.php?d=220160
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-33340
- https://moodle.org/mod/forum/discuss.php?d=220161
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35991
- https://moodle.org/mod/forum/discuss.php?d=220162
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37244
- https://moodle.org/mod/forum/discuss.php?d=220163
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36600
- https://moodle.org/mod/forum/discuss.php?d=220164