Credentials management in Moodle - CVE-2014-0008

 

Published: January 20, 2014 / Updated: August 10, 2020


Vulnerability identifier: #VU42135
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2014-0008
CWE-ID: CWE-255
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: moodle.org
Affected software: Moodle

Detailed vulnerability description

The vulnerability allows a remote authenticated administrator to gain access to sensitive information.

lib/adminlib.php in Moodle through 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 logs cleartext passwords, which allows remote authenticated administrators to obtain sensitive information by reading the Config Changes Report.
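
The class of flaw described above, as an added example that is not Moodle's own code: a config-change logger that stores values verbatim, beside one that masks secret settings, plus a helper that flags unmasked secrets in stored records. The function names, setting names and sample values are constructed for illustration.

```php
<?php
// Added illustration with hypothetical names; not Moodle's lib/adminlib.php.

const SECRET_SETTINGS = ['example_smtp_password', 'example_proxy_password']; // constructed
const MASK = '********';

// Weak pattern: the change record keeps old and new values verbatim.
function log_change_cleartext(array &$log, string $name, ?string $old, ?string $new): void {
    $log[] = ['name' => $name, 'oldvalue' => $old, 'value' => $new];
}

// Mask a secret value but keep "empty" visible, so set/cleared stays auditable.
function mask_value(?string $v): ?string {
    return ($v === null || $v === '') ? $v : MASK;
}

// Hardened pattern: secret settings are masked before the record is built.
function log_change_redacted(array &$log, string $name, ?string $old, ?string $new): void {
    if (in_array($name, SECRET_SETTINGS, true)) {
        $old = mask_value($old);
        $new = mask_value($new);
    }
    $log[] = ['name' => $name, 'oldvalue' => $old, 'value' => $new];
}

// Review helper: names of secret settings whose stored record is not masked.
function find_cleartext_secrets(array $log): array {
    $hits = [];
    foreach ($log as $row) {
        if (!in_array($row['name'], SECRET_SETTINGS, true)) {
            continue;
        }
        foreach ([$row['oldvalue'], $row['value']] as $v) {
            if ($v !== null && $v !== '' && $v !== MASK) {
                $hits[$row['name']] = true;
            }
        }
    }
    return array_keys($hits);
}

// Constructed sample changes: one secret setting, one ordinary setting.
$weak = []; $hard = [];
foreach ([['example_smtp_password', '', 'S3cret-constructed'], ['example_site_name', 'Old', 'New']] as [$n, $o, $v]) {
    log_change_cleartext($weak, $n, $o, $v);
    log_change_redacted($hard, $n, $o, $v);
}
var_dump(find_cleartext_secrets($weak), find_cleartext_secrets($hard));
```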


How to mitigate CVE-2014-0008

Install the update from the vendor's website.
