Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 5 |
CVE-ID | CVE-2016-8642 CVE-2016-8643 CVE-2016-8644 CVE-2017-2576 CVE-2017-2578 |
CWE-ID | CWE-284 CWE-264 CWE-20 CWE-79 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Fedora (Operating systems & Components / Operating system); moodle (Operating systems & Components / Operating system package or component) |
Vendor | Fedoraproject |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
EUVDB-ID: #VU39809
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-8642
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
In Moodle 2.x and 3.x, the question engine allows access to files that should not be available.
Mitigation: Install updates from the vendor's repository.
Vulnerable software versions: Fedora EPEL: 7
moodle: before 3.1.4-1.el7
External links: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-b498a4859e
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU39810
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-8643
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
Description: The vulnerability allows a remote authenticated user to manipulate data.
In Moodle 2.x and 3.x, non-admin site managers can edit administrator accounts (even accidentally) via web services.
Mitigation: Install updates from the vendor's repository.
Vulnerable software versions: Fedora EPEL: 7
moodle: before 3.1.4-1.el7
External links: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-b498a4859e
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU39811
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-8644
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
In Moodle 2.x and 3.x, the capability to view course notes is checked in the wrong context, so course notes can be viewed by users who lack that capability in the course.
Mitigation: Install updates from the vendor's repository.
Vulnerable software versions: Fedora EPEL: 7
moodle: before 3.1.4-1.el7
External links: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-b498a4859e
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU39812
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-2576
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to manipulate data.
In Moodle 2.x and 3.x, attributes in forums are not sanitised correctly.
Mitigation: Install updates from the vendor's repository.
Vulnerable software versions: Fedora EPEL: 7
moodle: before 3.1.4-1.el7
External links: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-b498a4859e
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU39813
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-2578
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to read and manipulate data via cross-site scripting.
In Moodle 3.x, there is XSS in the assignment submission page.
Mitigation: Install updates from the vendor's repository.
Vulnerable software versions: Fedora EPEL: 7
moodle: before 3.1.4-1.el7
External links: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-b498a4859e
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
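Every entry above carries the same mitigation: update the EPEL 7 moodle package to 3.1.4-1.el7 or later. The check below is an added example, not part of this bulletin and not code from the Fedora or Moodle projects: it decides whether an installed moodle RPM is older than that fixed build. The variable FIXED_MOODLE and the functions strip_epoch, rpm_version_lt and moodle_is_vulnerable are names chosen here; the only external tools assumed are GNU coreutils (for `sort -V`) and, when present, the real `rpm -q --qf` query. The version string used when rpm is absent is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the advisory, Fedora or Moodle): is the installed
# moodle RPM older than the fixed EPEL 7 build named in this bulletin?
# Assumes GNU coreutils `sort -V`; the fixed version is taken from the page.

FIXED_MOODLE="3.1.4-1.el7"

# strip_epoch "0:3.1.2-1.el7" -> "3.1.2-1.el7"
# rpm -q may print an epoch prefix; the bulletin names the fixed build without one.
strip_epoch() {
    printf '%s\n' "$1" | sed 's/^[0-9]*://'
}

# rpm_version_lt A B: exit 0 when A sorts strictly before B under version sort.
# Version sort compares digit runs numerically, so 3.1.10 > 3.1.4, which a plain
# string comparison would get backwards.
rpm_version_lt() {
    a=$(strip_epoch "$1")
    b=$(strip_epoch "$2")
    [ "$a" = "$b" ] && return 1
    first=$(printf '%s\n%s\n' "$a" "$b" | sort -V | head -n 1)
    [ "$first" = "$a" ]
}

# moodle_is_vulnerable VERSION-RELEASE: exit 0 (true) when older than the fix.
moodle_is_vulnerable() {
    rpm_version_lt "$1" "$FIXED_MOODLE"
}

# Query the live system when rpm and the package are present; otherwise run on
# a constructed sample so the script still demonstrates the decision offline.
main() {
    if command -v rpm >/dev/null 2>&1 && rpm -q moodle >/dev/null 2>&1; then
        installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' moodle)
    else
        installed="3.1.2-1.el7"   # constructed sample standing in for `rpm -q`
    fi
    if moodle_is_vulnerable "$installed"; then
        echo "moodle $installed is older than $FIXED_MOODLE: apply FEDORA-EPEL-2017-b498a4859e"
    else
        echo "moodle $installed is at or above $FIXED_MOODLE"
    fi
}

main "$@"
```

The comparison is deliberately done with version sort rather than string comparison: 3.1.10-1.el7 is newer than the fix, but compares lower byte-by-byte. Where rpmdevtools is installed, `rpmdev-vercmp` applies rpm's own ordering and is the authoritative check; the shell version above is a portable approximation that is exact for the version shapes in this bulletin. It only speaks to the EPEL 7 package stream; Moodle installed from another source has its own fixed versions.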