Moodle vulnerabilities


Description: A list of new vulnerabilities has been announced by the Moodle developers.

Changes:

  1. The event monitor tool checked access to the course or activity only when a subscription was created and did not re-evaluate it when sending notifications. This can result in an unenrolled user receiving notifications containing information they can no longer access. [CVE-2016-5014]
  2. By changing their own name, a user can inject arbitrary email addresses into the emails that Moodle sends to them. This can be used to send spam when Moodle emails user content such as messages and forum posts. It can only be exploited by registered users, and it is very easy to trace and identify the attacker. [CVE-2016-5013]
  3. When searching in a glossary, entries from other glossaries could be displayed, including entries from modules and courses the user cannot access. [CVE-2016-5012]
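The first item is an authorization time-of-check problem: the enrolment check happens when the subscription is stored, so a later unenrolment is never noticed by the notification sender. The following Python model, added here as an illustration and not taken from Moodle (which is written in PHP), uses constructed user and course identifiers and contrasts a dispatcher that trusts the stored subscription with one that re-evaluates enrolment at delivery time.

```python
from dataclasses import dataclass, field


@dataclass
class Subscription:
    """A stored event subscription (constructed model, not Moodle's schema)."""
    user_id: int
    course_id: int


@dataclass
class CourseState:
    # course_id -> set of currently enrolled user ids (constructed sample data)
    enrolments: dict = field(default_factory=dict)


def is_enrolled(state: CourseState, user_id: int, course_id: int) -> bool:
    return user_id in state.enrolments.get(course_id, set())


def subscribe(state: CourseState, subs: list, user_id: int, course_id: int) -> None:
    """Access is checked once, when the subscription is created."""
    if not is_enrolled(state, user_id, course_id):
        raise PermissionError(f"user {user_id} cannot subscribe to course {course_id}")
    subs.append(Subscription(user_id, course_id))


def unenrol(state: CourseState, user_id: int, course_id: int) -> None:
    """Unenrolment removes the user from the course but leaves the stored
    subscription behind, which is what the vulnerable dispatcher relies on."""
    state.enrolments.get(course_id, set()).discard(user_id)


def deliver_vulnerable(subs: list, event: dict) -> list:
    """Trusts the stored subscription: every subscriber to the course gets the
    notification, including users unenrolled since they subscribed."""
    return [s.user_id for s in subs if s.course_id == event["course_id"]]


def deliver_fixed(state: CourseState, subs: list, event: dict) -> list:
    """Re-evaluates access at send time, so an unenrolled user is skipped."""
    return [
        s.user_id
        for s in subs
        if s.course_id == event["course_id"]
        and is_enrolled(state, s.user_id, event["course_id"])
    ]


def demo() -> tuple:
    """Constructed scenario: two users subscribe, then user 2 is unenrolled."""
    state = CourseState({101: {1, 2}})
    subs: list = []
    subscribe(state, subs, 1, 101)
    subscribe(state, subs, 2, 101)
    unenrol(state, 2, 101)
    event = {"course_id": 101, "name": "assignment graded"}
    return deliver_vulnerable(subs, event), deliver_fixed(state, subs, event)


if __name__ == "__main__":
    print(demo())
```

The fixed dispatcher performs the same check the subscription path already did, just at the moment the notification is actually sent; a subscription record is evidence that access was granted once, not that it still holds.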

Recommended action:

  1. Temporarily prohibit users from editing their first and last names until the fix is applied
  2. Apply the vendor-issued code changes
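The second item and the interim recommendation above both concern user-controlled display names ending up in mail headers. The Python below is an added example, not Moodle code: it shows a name check a site could apply while name editing is restricted, the difference between building a recipient header by string concatenation and by RFC 5322 quoting (`email.utils.formataddr`), and a small counter that shows how many addresses a mail agent would see in each header. The addresses and names are constructed.

```python
import re
from email.utils import formataddr

# RFC 5322 "specials" other than '.', plus ASCII control characters (a CR or LF
# would start a new header line). A display name containing any of these is
# refused. This is an added check modelled on the advisory, not Moodle's own.
_FORBIDDEN = re.compile(r'[()<>\[\]:;@\\,"]|[\x00-\x1f\x7f]')


def is_safe_display_name(name: str) -> bool:
    """True if `name` can sit in a display name without looking like, or
    smuggling in, an address or an extra header line."""
    name = name.strip()
    return 0 < len(name) <= 100 and not _FORBIDDEN.search(name)


def naive_recipient(name: str, address: str) -> str:
    """Vulnerable pattern: the name is trusted verbatim, so a name that already
    contains '<addr>' yields a header with two addresses."""
    return f"{name} <{address}>"


def safe_recipient(name: str, address: str) -> str:
    """formataddr wraps a name containing specials in a quoted-string and
    escapes backslashes and quotes, so the whole name stays one token."""
    return formataddr((name, address))


def count_angle_addrs(header: str) -> int:
    """Count '<' characters outside quoted strings: a rough measure of how many
    angle-addresses a mail agent would parse out of the header."""
    count, in_quotes, i = 0, False, 0
    while i < len(header):
        ch = header[i]
        if in_quotes and ch == "\\":
            i += 2  # skip the escaped character inside a quoted-string
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "<" and not in_quotes:
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    injected = "Alice <mallory@example.test>"  # constructed hostile name
    for build in (naive_recipient, safe_recipient):
        hdr = build(injected, "alice@example.test")
        print(count_angle_addrs(hdr), "address(es):", hdr)
```

Quoting alone already makes the injected text harmless to the mail parser; the name check is the belt-and-braces layer for sites that cannot immediately deploy the vendor change, and it also catches control characters that `formataddr` does not strip.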

Origin URLs:
