SB2015120405 - Fedora EPEL 6 update for moodle

Description

This security bulletin contains information about 17 secuirty vulnerabilities.

1) Security Features (CVE-ID: CVE-2015-5331)

The vulnerability allows a remote authenticated user to manipulate data.

Moodle 2.9.x before 2.9.3 does not properly check the contact list before authorizing message transmission, which allows remote authenticated users to bypass intended access restrictions and conduct spam attacks via the messaging API.

2) Resource management error (CVE-ID: CVE-2015-5332)

The vulnerability allows a remote non-authenticated attacker to a crash the entire system.

Atto in Moodle 2.8.x before 2.8.9 and 2.9.x before 2.9.3 allows remote attackers to cause a denial of service (disk consumption) by leveraging the guest role and entering drafts with the editor-autosave feature.

3) Cross-site request forgery (CVE-ID: CVE-2015-5335)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

4) Cross-site scripting (CVE-ID: CVE-2015-5336)

The vulnerability allows a remote authenticated user to read and manipulate data.

Multiple cross-site scripting (XSS) vulnerabilities in the survey module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote authenticated users to inject arbitrary web script or HTML by leveraging the student role and entering a crafted survey answer.

5) Cross-site scripting (CVE-ID: CVE-2015-5337)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. The vulnerability allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted .

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

6) Cross-site request forgery (CVE-ID: CVE-2015-5338)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and (1) mod/lesson/mediafile.php or (2) mod/lesson/view.

7) Information disclosure (CVE-ID: CVE-2015-5339)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

The core_enrol_get_enrolled_users web service in enrol/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly implement group-based access restrictions, which allows remote authenticated users to obtain sensitive course-participant information via a web-service request.

8) Information disclosure (CVE-ID: CVE-2015-5340)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not consider the moodle/badges:viewbadges capability, which allows remote authenticated users to obtain sensitive badge information via a request involving (1) badges/overview.php or (2) badges/view.php.

9) Information disclosure (CVE-ID: CVE-2015-5341)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

mod_scorm in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 mishandles availability dates, which allows remote authenticated users to bypass intended access restrictions and read SCORM contents via unspecified vectors.

10) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2015-5342)

The vulnerability allows a remote authenticated user to manipulate data.

The choice module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allows remote authenticated users to bypass intended access restrictions by visiting a URL to add or delete responses in the closed state.

11) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2015-5264)

The vulnerability allows a remote authenticated user to read and manipulate data.

The lesson module in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to bypass intended access restrictions and enter additional answer attempts by leveraging the student role.

12) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2015-5265)

The vulnerability allows a remote authenticated user to manipulate data.

The wiki component in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 does not consider the mod/wiki:managefiles capability before authorizing file management, which allows remote authenticated users to delete arbitrary files by using a manage-files button in a text editor.

13) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2015-5266)

The vulnerability allows a remote authenticated user to read and manipulate data.

The enrol_meta_sync function in enrol/meta/locallib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote authenticated users to obtain manager privileges in opportunistic circumstances by leveraging incorrect role processing during a long-running sync script.

14) Information disclosure (CVE-ID: CVE-2015-5267)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 relies on the PHP mt_rand function to implement the random_string and complex_random_string functions, which makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach.

15) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2015-5272)

The vulnerability allows a remote authenticated user to manipulate data.

The Forum module in Moodle 2.7.x before 2.7.10 allows remote authenticated users to post to arbitrary groups by leveraging the teacher role, as demonstrated by a post directed to "all participants."

16) Information disclosure (CVE-ID: CVE-2015-5268)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

The rating component in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 mishandles group-based authorization checks, which allows remote authenticated users to obtain sensitive information by reading a rating value.

17) Cross-site scripting (CVE-ID: CVE-2015-5269)

Vulnerability allows a remote attacker to perform XSS attacks.

The vulnerability is caused by an input validation error in group/overview.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2. A remote authenticated attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install update from vendor's website.

References

• https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-da771a002d