Multiple vulnerabilities in Moodle



Updated: 2020-08-11
Risk: Medium
Patch available: Yes
Number of vulnerabilities: 5
CVE-ID: CVE-2013-2080, CVE-2013-2081, CVE-2013-2082, CVE-2013-2083, CVE-2013-2079
CWE-ID: CWE-264, CWE-20
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Moodle (Web applications / Other software)
Vendor: moodle.org

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU42826

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2013-2080

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

The core_grade component in Moodle through 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not properly consider the existence of hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role and reading the Gradebook Overview report.

Mitigation

Install the update from the vendor's website: Moodle 2.3.7 or 2.4.4 (or later). The 2.2 branch is affected through 2.2.10 and no fixed 2.2 release is listed here, so sites on 2.2 should move to a supported branch.

Vulnerable software versions

Moodle: 2.2 - 2.4.3

External links

https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37475
https://lists.fedoraproject.org/pipermail/package-announce/2013-May/106965.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-May/106988.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-May/107026.html
https://openwall.com/lists/oss-security/2013/05/21/1
https://moodle.org/mod/forum/discuss.php?d=228931


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited via the Internet by a remote authenticated user holding the student role.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU42827

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2013-2081

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not consider "don't send" attributes during hub registration, which allows remote hubs to obtain sensitive site information by reading form data.

Mitigation

Install the update from the vendor's website: Moodle 2.2.10, 2.3.7 or 2.4.4 (or later). The 2.1 branch is affected through 2.1.10 and no fixed 2.1 release is listed here, so sites on 2.1 should move to a supported branch.

Vulnerable software versions

Moodle: 2.1 - 2.4.3

External links

https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37822
https://lists.fedoraproject.org/pipermail/package-announce/2013-May/106965.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-May/106988.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-May/107026.html
https://openwall.com/lists/oss-security/2013/05/21/1
https://moodle.org/mod/forum/discuss.php?d=228933


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU42828

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2013-2082

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not enforce capability requirements for reading blog comments, which allows remote attackers to obtain sensitive information via a crafted request.

Mitigation

Install the update from the vendor's website: Moodle 2.2.10, 2.3.7 or 2.4.4 (or later). The 2.1 branch is affected through 2.1.10 and no fixed 2.1 release is listed here, so sites on 2.1 should move to a supported branch.

Vulnerable software versions

Moodle: 2.1 - 2.4.3

External links

https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37245
https://lists.fedoraproject.org/pipermail/package-announce/2013-May/106965.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-May/106988.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-May/107026.html
https://openwall.com/lists/oss-security/2013/05/21/1
https://moodle.org/mod/forum/discuss.php?d=228934


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Input validation error

EUVDB-ID: #VU42829

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2013-2083

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The MoodleQuickForm class in lib/formslib.php in Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not properly handle a certain array-element syntax, which allows remote attackers to bypass intended form-data filtering via a crafted request.

Mitigation

Install the update from the vendor's website: Moodle 2.2.10, 2.3.7 or 2.4.4 (or later). The 2.1 branch is affected through 2.1.10 and no fixed 2.1 release is listed here, so sites on 2.1 should move to a supported branch.

Vulnerable software versions

Moodle: 2.1 - 2.4.3

External links

https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38885
https://lists.fedoraproject.org/pipermail/package-announce/2013-May/106965.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-May/106988.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-May/107026.html
https://openwall.com/lists/oss-security/2013/05/21/1
https://moodle.org/mod/forum/discuss.php?d=228935


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU42830

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2013-2079

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

mod/assign/locallib.php in the assignment module in Moodle 2.3.x before 2.3.7 and 2.4.x before 2.4.4 does not consider capability requirements during the processing of ZIP assignment-archive download (aka downloadall) requests, which allows remote authenticated users to read other users' assignments by leveraging the student role.

Mitigation

Install the update from the vendor's website: Moodle 2.3.7 or 2.4.4 (or later).

Vulnerable software versions

Moodle: 2.3 - 2.4.3

External links

https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38443
https://lists.fedoraproject.org/pipermail/package-announce/2013-May/106965.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-May/106988.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-May/107026.html
https://openwall.com/lists/oss-security/2013/05/21/1
https://moodle.org/mod/forum/discuss.php?d=228930


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited via the Internet by a remote authenticated user holding the student role.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
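As an added check, not part of the original bulletin or of Moodle's own code, the following Python script maps the affected ranges stated in the five entries above onto a Moodle release string, such as the $release value in a site's version.php. The branch boundaries are transcribed from the descriptions above (for example "2.3.x before 2.3.7"); the version.php sample input is constructed for illustration, and the assumption that $release begins with a dotted version number like 2.4.3 is the editor's, not the bulletin's.

```python
"""Map a Moodle release string onto the affected ranges stated in this bulletin.

Added example: not part of the bulletin or of Moodle itself. The ranges below
are transcribed from the five descriptions above; nothing else is checked.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Per CVE: branch (major, minor) -> first fixed patch level on that branch,
# or None where the bulletin names no fixed release on the branch.
# A branch not listed for a CVE is not covered by this bulletin at all.
AFFECTED: Dict[str, Dict[Tuple[int, int], Optional[int]]] = {
    # "through 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4"
    "CVE-2013-2080": {(2, 2): None, (2, 3): 7, (2, 4): 4},
    # "through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4"
    "CVE-2013-2081": {(2, 1): None, (2, 2): 10, (2, 3): 7, (2, 4): 4},
    "CVE-2013-2082": {(2, 1): None, (2, 2): 10, (2, 3): 7, (2, 4): 4},
    "CVE-2013-2083": {(2, 1): None, (2, 2): 10, (2, 3): 7, (2, 4): 4},
    # "2.3.x before 2.3.7 and 2.4.x before 2.4.4"
    "CVE-2013-2079": {(2, 3): 7, (2, 4): 4},
}

_RELEASE_RE = re.compile(r"\s*(\d+)\.(\d+)(?:\.(\d+))?")
_PHP_RELEASE_RE = re.compile(r"""\$release\s*=\s*['"]([^'"]+)['"]""")


def parse_release(release: str) -> Version:
    """Turn '2.4.3', '2.4.3+ (Build: 20130412)' or '2.4' into (major, minor, patch).

    Assumption (editor's, not the bulletin's): the string starts with a dotted
    version; a missing patch level means the .0 release of that branch.
    """
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised Moodle release string: {release!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(cve: str, version: Version) -> bool:
    """True if `version` lies in the bulletin's affected range for `cve`."""
    branches = AFFECTED[cve]
    branch = (version[0], version[1])
    if branch not in branches:
        return False  # branch not named for this CVE
    first_fixed = branches[branch]
    return first_fixed is None or version[2] < first_fixed


def check_release(release: str) -> List[str]:
    """CVE IDs from this bulletin that affect `release`, in bulletin order."""
    version = parse_release(release)
    return [cve for cve in AFFECTED if is_affected(cve, version)]


def check_version_php(text: str) -> List[str]:
    """Pull $release out of the text of a Moodle version.php and check it."""
    m = _PHP_RELEASE_RE.search(text)
    if not m:
        raise ValueError("no $release assignment found in version.php text")
    return check_release(m.group(1))


# Constructed sample laid out like a Moodle version.php; the build date is
# illustrative, not a real release stamp.
SAMPLE_VERSION_PHP = """<?php
$version  = 2012120303.00;              // YYYYMMDD      = weekly release date
$release  = '2.4.3 (Build: 20130318)'; // human-friendly version name
$branch   = '24';
"""

if __name__ == "__main__":
    for rel in ("2.4.3", "2.4.4", "2.2.10", "2.1.10", "2.5"):
        print(f"{rel:8} -> {check_release(rel) or 'not listed in this bulletin'}")
    print("version.php ->", check_version_php(SAMPLE_VERSION_PHP))
```

The comparison is on release numbers only. A "+" weekly build (for example 2.4.3+) may already carry a fix while still reporting the vulnerable base version, so confirm against the MDL tracker commits linked in each entry before closing a finding. Releases older than the branches the bulletin names return an empty list because they are outside its scope, not because they are known to be safe.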


