SB2017071726 - Multiple vulnerabilities in Moodle

Description

This security bulletin contains information about 3 vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2017-12157)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote authenticated user to gain access to sensitive information.

In Moodle 3.x, various course reports allow teachers to view details about users in the groups they can't access.

2) Information disclosure (CVE-ID: CVE-2017-2642)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote authenticated user to gain access to sensitive information.

Moodle 3.x has user fullname disclosure on the user preferences page.

3) Improper Privilege Management (CVE-ID: CVE-2017-7532)

CWE-ID: CWE-269 - Improper Privilege Management

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote authenticated user to manipulate data.

In Moodle 3.x, course creators are able to change system default settings for courses.

Remediation

Install update from vendor's website.

References

• http://www.securityfocus.com/bid/100848
• https://moodle.org/mod/forum/discuss.php?d=358586
• http://www.securityfocus.com/bid/99606
• https://moodle.org/mod/forum/discuss.php?d=355554
• http://www.securityfocus.com/bid/99617
• https://moodle.org/mod/forum/discuss.php?d=355556