SB2017012016 - Multiple vulnerabilities in Moodle

Description

This security bulletin contains information about 3 vulnerabilities.

1) Improper access control (CVE-ID: CVE-2016-8642)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

In Moodle 2.x and 3.x, the question engine allows access to files that should not be available.

2) Improper access control (CVE-ID: CVE-2016-8643)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote authenticated user to manipulate data.

In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services.

3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2016-8644)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context.

Remediation

Install update from vendor's website.

References

• http://www.securityfocus.com/bid/94441
• https://moodle.org/mod/forum/discuss.php?d=343275
• http://www.securityfocus.com/bid/94457
• https://moodle.org/mod/forum/discuss.php?d=343276
• http://www.securityfocus.com/bid/94458
• https://moodle.org/mod/forum/discuss.php?d=343277