SB2017012014 - Multiple vulnerabilities in Moodle

Description

This security bulletin contains information about 3 vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2016-5012)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

In Moodle 3.x, glossary search displays entries without checking user permissions to view them.

2) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2016-5013)

CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam.

3) Information disclosure (CVE-ID: CVE-2016-5014)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the course.

Remediation

Install update from vendor's website.

References

• http://www.securityfocus.com/bid/92041
• https://moodle.org/mod/forum/discuss.php?d=336697
• http://www.securityfocus.com/bid/92040
• https://moodle.org/mod/forum/discuss.php?d=336698
• http://www.securityfocus.com/bid/92042
• https://moodle.org/mod/forum/discuss.php?d=336699