#VU30611 Incorrect permission assignment for critical resource in Moodle


Published: 2019-11-14 | Updated: 2020-07-17

Vulnerability identifier: #VU30611

Vulnerability risk: Low

CVSSv3.1: 2.4 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2012-1160

CWE-ID: CWE-732

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Moodle
Web applications / Other software

Vendor: moodle.org

Description

The vulnerability allows a remote privileged user to manipulate data.

Moodle before 2.2.2 has a permission issue in Forum Subscriptions where unenrolled users can subscribe/unsubscribe via mod/forum/index.php

Mitigation
Install update from vendor's website.

Vulnerable software versions

Moodle: 2.2.0 - 2.2.1

External links
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077635.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078209.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078210.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080712.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081047.html
http://access.redhat.com/security/cve/cve-2012-1160
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1160
http://moodle.org/mod/forum/discuss.php?d=198629
http://security-tracker.debian.org/tracker/CVE-2012-1160

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in moodle Moodle
Fedora EPEL 6 update for moodle