Permissions, Privileges, and Access Controls in Moodle - CVE-2013-1836
Published: March 25, 2013 / Updated: August 11, 2020
Moodle
Detailed vulnerability description
The vulnerability allows a remote authenticated user to read and manipulate data.
Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not properly manage privileges for WebDAV repositories, which allows remote authenticated users to read, modify, or delete arbitrary site-wide repositories by leveraging certain read access.
How to mitigate CVE-2013-1836
Sources
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37852
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.html
- http://openwall.com/lists/oss-security/2013/03/25/2
- https://moodle.org/mod/forum/discuss.php?d=225348