Multiple vulnerabilities in Moodle
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2016-5012 CVE-2016-5013 CVE-2016-5014 |
| CWE-ID | CWE-200 CWE-74 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Moodle Web applications / Other software |
| Vendor | moodle.org |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Information disclosure
EUVDB-ID: #VU39805
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-5012
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
In Moodle 3.x, glossary search displays entries without checking user permissions to view them.
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 3.1.0
External linkshttp://www.securityfocus.com/bid/92041
http://moodle.org/mod/forum/discuss.php?d=336697
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper Neutralization of Special Elements in Output Used by a Downstream Component
EUVDB-ID: #VU39806
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-5013
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam.
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.8 - 3.1.0
External linkshttp://www.securityfocus.com/bid/92040
http://moodle.org/mod/forum/discuss.php?d=336698
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Information disclosure
EUVDB-ID: #VU39807
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-5014
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the course.
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.8 - 3.1.0
External linkshttp://www.securityfocus.com/bid/92042
http://moodle.org/mod/forum/discuss.php?d=336699
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
