SB2020092106 - Multiple vulnerabilities in Moodle

Description

This security bulletin contains information about 5 vulnerabilities.

1) Stored cross-site scripting (CVE-ID: CVE-2020-25627)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via moodlenetprofile user profile field. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Cross-site scripting (CVE-ID: CVE-2020-25628)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed to the filter in the admin task log. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

3) Improper Authorization (CVE-ID: CVE-2020-25629)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to an error within the "Log in as" feature. A remote user with "Log in as" capability in a course context (typically, course managers) can gain access to some site administration capabilities by "logging in as" a System manager.

4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-25630)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the decompressed size of zip files is not checked against available user quota before unzipping them in the file picker unzip functionality. A remote attacker trick the victim to unzip a large archive and perform a denial of service (DoS) attack.

5) Cross-site scripting (CVE-ID: CVE-2020-25631)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via a book's chapter title. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install update from vendor's website.

References

• https://moodle.org/mod/forum/discuss.php?d=410839
• https://moodle.org/mod/forum/discuss.php?d=410840
• https://moodle.org/mod/forum/discuss.php?d=410841
• https://moodle.org/mod/forum/discuss.php?d=410842
• https://moodle.org/mod/forum/discuss.php?d=410843