SB2013052509 - Multiple vulnerabilities in Moodle
Published: May 25, 2013 Updated: August 11, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-2080)
The vulnerability allows a remote #AU# to gain access to sensitive information.
The core_grade component in Moodle through 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not properly consider the existence of hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role and reading the Gradebook Overview report.
2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-2081)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not consider "don't send" attributes during hub registration, which allows remote hubs to obtain sensitive site information by reading form data.
3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-2082)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not enforce capability requirements for reading blog comments, which allows remote attackers to obtain sensitive information via a crafted request.
4) Input validation error (CVE-ID: CVE-2013-2083)
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The MoodleQuickForm class in lib/formslib.php in Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not properly handle a certain array-element syntax, which allows remote attackers to bypass intended form-data filtering via a crafted request.
5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-2079)
The vulnerability allows a remote #AU# to gain access to sensitive information.
mod/assign/locallib.php in the assignment module in Moodle 2.3.x before 2.3.7 and 2.4.x before 2.4.4 does not consider capability requirements during the processing of ZIP assignment-archive download (aka downloadall) requests, which allows remote authenticated users to read other users' assignments by leveraging the student role.
Remediation
Install update from vendor's website.
References
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37475
- http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106965.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106988.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-May/107026.html
- http://openwall.com/lists/oss-security/2013/05/21/1
- https://moodle.org/mod/forum/discuss.php?d=228931
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37822
- https://moodle.org/mod/forum/discuss.php?d=228933
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37245
- https://moodle.org/mod/forum/discuss.php?d=228934
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38885
- https://moodle.org/mod/forum/discuss.php?d=228935
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38443
- https://moodle.org/mod/forum/discuss.php?d=228930