SB2017071726 - Multiple vulnerabilities in Moodle

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2017-12157)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

In Moodle 3.x, various course reports allow teachers to view details about users in the groups they can't access.

2) Information disclosure (CVE-ID: CVE-2017-2642)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

Moodle 3.x has user fullname disclosure on the user preferences page.

3) Improper Privilege Management (CVE-ID: CVE-2017-7532)

The vulnerability allows a remote authenticated user to manipulate data.

In Moodle 3.x, course creators are able to change system default settings for courses.

Remediation

Install update from vendor's website.

References

• http://www.securityfocus.com/bid/100848
• https://moodle.org/mod/forum/discuss.php?d=358586
• http://www.securityfocus.com/bid/99606
• https://moodle.org/mod/forum/discuss.php?d=355554
• http://www.securityfocus.com/bid/99617
• https://moodle.org/mod/forum/discuss.php?d=355556