Main Vulnerability Database Vulnerabilities #VU40268

Permissions, Privileges, and Access Controls in Moodle - CVE-2016-2190

Published: May 22, 2016 / Updated: August 9, 2020

Vulnerability identifier: #VU40268

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2016-2190

CWE-ID: CWE-264

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: moodle.org

Affected software:
Moodle

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not properly restrict links, which allows remote attackers to obtain sensitive URL information by reading a Referer log.

How to mitigate CVE-2016-2190

Install update from vendor's website.

Sources

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52651
http://www.openwall.com/lists/oss-security/2016/03/21/1
http://www.securitytracker.com/id/1035333
https://moodle.org/mod/forum/discuss.php?d=330181

Permissions, Privileges, and Access Controls in Moodle - CVE-2016-2190

Detailed vulnerability description

How to mitigate CVE-2016-2190

Sources

Please verify you're human