Moodle multiple vulnerabilities

Posted on Posted in Moodle

Description: A list of new vulnerabilities have been announced by moodle developers

Vulnerabilities:

  • Serving files attached to evidence of prior learning did not force download. When viewed by other users they would be opened in current moodle sessions [CVE-2017-2645]
  • Registered user could submit evidence of prior learning that includes XSS that will be executed for another user who tried to edit the same evidence [CVE-2017-2644]
  • Global search does not respect "Force login for profiles" setting and displays user names to guests when it should not (User profiles were still not displayed) [CVE-2017-2643]
  • PoC was presented of SQL injection by an ordinary registered user on Moodle 3.2 via web interface. Similar scenario could be used in previous versions of Moodle but only by managers/admins and only via web services. [CVE-2017-2641]

Impact

  • XSS in attachments to evidence of prior learning
  • XSS in evidence of prior learning
  • Global search display user names, for unauthenticated user search
  • Remote Code Execution @ 3.2.1

Recommended action: Apply code changes to fix the issues

Origin URLs:

Leave a Reply

Your email address will not be published. Required fields are marked *