Multiple vulnerabilities in Moodle
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2016-8642 CVE-2016-8643 CVE-2016-8644 |
| CWE-ID | CWE-284 CWE-264 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Moodle Web applications / Other software |
| Vendor | moodle.org |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU39809
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-8642
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
In Moodle 2.x and 3.x, the question engine allows access to files that should not be available.
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.8 - 3.1.2
External linkshttp://www.securityfocus.com/bid/94441
http://moodle.org/mod/forum/discuss.php?d=343275
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper access control
EUVDB-ID: #VU39810
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-8643
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to manipulate data.
In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services.
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.8 - 3.1.2
External linkshttp://www.securityfocus.com/bid/94457
http://moodle.org/mod/forum/discuss.php?d=343276
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU39811
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-8644
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context.
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.8 - 3.1.2
External linkshttp://www.securityfocus.com/bid/94458
http://moodle.org/mod/forum/discuss.php?d=343277
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
