Multiple vulnerabilities in moodle Moodle
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 10 |
| CVE-ID | CVE-2012-1157 CVE-2012-1158 CVE-2012-1159 CVE-2012-1160 CVE-2012-1161 CVE-2012-1169 CVE-2012-1170 CVE-2012-1155 CVE-2012-1156 CVE-2012-1168 |
| CWE-ID | CWE-276 CWE-200 CWE-732 CWE-354 CWE-532 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Moodle Web applications / Other software |
| Vendor | moodle.org |
Security Bulletin
This security bulletin contains information about 10 vulnerabilities.
1) Incorrect default permissions
EUVDB-ID: #VU30608
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2012-1157
CWE-ID:
CWE-276 - Incorrect Default Permissions
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to gain access to sensitive information.
Moodle before 2.2.2 has a default repository capabilities issue where all repositories are viewable by all users by default
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.2.0 - 2.2.1
External linkshttp://lists.fedoraproject.org/pipermail/package-announce/2012-April/077635.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078209.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078210.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080712.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081047.html
http://access.redhat.com/security/cve/cve-2012-1157
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1157
http://moodle.org/mod/forum/discuss.php?d=198624
http://security-tracker.debian.org/tracker/CVE-2012-1157
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU30609
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2012-1158
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to gain access to sensitive information.
Moodle before 2.2.2 has a course information leak in gradebook where users are able to see hidden grade items in export
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.2.0 - 2.2.1
External linkshttp://lists.fedoraproject.org/pipermail/package-announce/2012-April/077635.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078209.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078210.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080712.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081047.html
http://access.redhat.com/security/cve/cve-2012-1158
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1158
http://moodle.org/mod/forum/discuss.php?d=198627
http://security-tracker.debian.org/tracker/CVE-2012-1158
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Information disclosure
EUVDB-ID: #VU30610
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2012-1159
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to gain access to sensitive information.
Moodle before 2.2.2: Overview report allows users to see hidden courses
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.2.0 - 2.2.1
External linkshttp://lists.fedoraproject.org/pipermail/package-announce/2012-April/077635.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078209.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078210.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080712.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081047.html
http://access.redhat.com/security/cve/cve-2012-1159
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1159
http://moodle.org/mod/forum/discuss.php?d=198628
http://security-tracker.debian.org/tracker/CVE-2012-1159
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Incorrect permission assignment for critical resource
EUVDB-ID: #VU30611
Risk: Low
CVSSv3.1: 2.4 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2012-1160
CWE-ID:
CWE-732 - Incorrect Permission Assignment for Critical Resource
Exploit availability: No
DescriptionThe vulnerability allows a remote privileged user to manipulate data.
Moodle before 2.2.2 has a permission issue in Forum Subscriptions where unenrolled users can subscribe/unsubscribe via mod/forum/index.php
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.2.0 - 2.2.1
External linkshttp://lists.fedoraproject.org/pipermail/package-announce/2012-April/077635.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078209.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078210.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080712.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081047.html
http://access.redhat.com/security/cve/cve-2012-1160
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1160
http://moodle.org/mod/forum/discuss.php?d=198629
http://security-tracker.debian.org/tracker/CVE-2012-1160
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Information disclosure
EUVDB-ID: #VU30612
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2012-1161
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to gain access to sensitive information.
Moodle before 2.2.2: Course information leak via hidden courses being displayed in tag search results
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.2.0 - 2.2.1
External linkshttp://lists.fedoraproject.org/pipermail/package-announce/2012-April/077635.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078209.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078210.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080712.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081047.html
http://access.redhat.com/security/cve/cve-2012-1161
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1161
http://moodle.org/mod/forum/discuss.php?d=198630
http://security-tracker.debian.org/tracker/CVE-2012-1161
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Information disclosure
EUVDB-ID: #VU30613
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2012-1169
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Moodle before 2.2.2 has Personal information disclosure, when administrative setting users name display is set to first name only full names are shown in page breadcrumbs.
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.2.0 - 2.2.1
External linkshttp://lists.fedoraproject.org/pipermail/package-announce/2012-April/077635.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078209.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078210.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080712.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081047.html
http://access.redhat.com/security/cve/cve-2012-1169
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1169
http://moodle.org/mod/forum/discuss.php?d=198625
http://security-tracker.debian.org/tracker/CVE-2012-1169
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Improper validation of integrity check value
EUVDB-ID: #VU30614
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2012-1170
CWE-ID:
CWE-354 - Improper Validation of Integrity Check Value
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
Moodle before 2.2.2 has an external enrolment plugin context check issue where capability checks are not thorough
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.2.0 - 2.2.1
External linkshttp://lists.fedoraproject.org/pipermail/package-announce/2012-April/077635.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078209.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078210.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080712.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081047.html
http://access.redhat.com/security/cve/cve-2012-1170
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1170
http://moodle.org/mod/forum/discuss.php?d=198632
http://security-tracker.debian.org/tracker/CVE-2012-1170
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Information disclosure
EUVDB-ID: #VU30615
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2012-1155
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Moodle has a database activity export permission issue where the export function of the database activity module exports all entries even those from groups the user does not belong to
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.2 - 2.2.1
External linkshttp://lists.fedoraproject.org/pipermail/package-announce/2012-April/077635.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078209.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078210.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080712.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081047.html
http://access.redhat.com/security/cve/cve-2012-1155
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1155
http://moodle.org/mod/forum/discuss.php?d=198621
http://security-tracker.debian.org/tracker/CVE-2012-1155
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Inclusion of Sensitive Information in Log Files
EUVDB-ID: #VU30616
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2012-1156
CWE-ID:
CWE-532 - Information Exposure Through Log Files
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Moodle before 2.2.2 has users' private files included in course backups
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.2.0 - 2.2.1
External linkshttp://lists.fedoraproject.org/pipermail/package-announce/2012-April/077635.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078209.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078210.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080712.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081047.html
http://access.redhat.com/security/cve/cve-2012-1156
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1156
http://moodle.org/mod/forum/discuss.php?d=198623
http://security-tracker.debian.org/tracker/CVE-2012-1156
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Input validation error
EUVDB-ID: #VU30617
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2012-1168
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.
Moodle before 2.2.2 has a password and web services issue where when the user profile is updated the user password is reset if not specified.
MitigationInstall update from vendor's website.
Vulnerable software versionsMoodle: 2.2.0 - 2.2.1
External linkshttp://lists.fedoraproject.org/pipermail/package-announce/2012-April/077635.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078209.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078210.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080712.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081047.html
http://access.redhat.com/security/cve/cve-2012-1168
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1168
http://moodle.org/mod/forum/discuss.php?d=198622
http://security-tracker.debian.org/tracker/CVE-2012-1168
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
