#VU43875 Permissions, Privileges, and Access Controls in Moodle - CVE-2011-4288 

 

Published: July 16, 2012 / Updated: August 11, 2020


Vulnerability identifier: #VU43875
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2011-4288
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Moodle
Software vendor: moodle.org

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

Moodle 1.9.x before 1.9.12 and 2.0.x before 2.0.3 does not properly implement associations between teachers and groups, which allows remote authenticated users to read quiz reports of arbitrary students by leveraging the teacher role.


Remediation

Install the update from the vendor's website.
