Multiple Vulnerabilities in Moodle

Posted in Moodle

Description: The Moodle developers have announced a list of new vulnerabilities:

  • An HTML injection with a potential XSS attack was possible by modifying the URL for an assignment submission and tricking another user into following it [CVE-2017-2578]
  • A security vulnerability was reported against PHPMailer, a third-party library used by Moodle. As a result, Moodle improved validation of the no-reply address (which can only be configured by an admin); all other fields were already properly sanitized. This issue only affects sites that leave $CFG->smtphosts empty. [CVE-2016-10045 (PHPMailer)]
  • A forum post author can change too many fields when editing the post [CVE-2017-2576]
  • It is possible to read a system file by trying to include it in a Boost theme preset. This can only be exploited by Moodle admins and is only potentially dangerous in developer debugging mode. [-]

Impact:

  • XSS in assignment submission page
  • Address the vulnerabilities in recent PHPMailer 5.2.x
  • Incorrect sanitization of attributes
  • System file inclusion when adding own preset file (Boost theme)

Recommended action:

  • Define $CFG->noreplyaddress and $CFG->supportemail in config.php
  • Define $CFG->debugdisplay=0; and $CFG->debug=0; in config.php until the fix is applied
  • Apply vendor issued code changes
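
One way to check a site's config.php against the recommended actions above, as an added example that is not part of the original advisory or of Moodle's code. It is a regex heuristic that only sees literal `$CFG->name = value;` lines in config.php (values stored in the database are not visible to it), and both sample configs are constructed.

```python
import re

# Literal assignments of the form: $CFG->name = value;  (commented-out lines do not match)
ASSIGN = re.compile(r"^[ \t]*\$CFG->(\w+)[ \t]*=[ \t]*(.+?);[ \t]*(?://.*|#.*)?$", re.M)

def parse_cfg(text):
    """Return {setting: raw value} for literal $CFG assignments; the last one wins."""
    cfg = {}
    for name, raw in ASSIGN.findall(text):
        cfg[name] = raw.strip().strip("'\"")
    return cfg

def audit(text):
    """List the advisory's recommended settings that config.php does not satisfy."""
    cfg = parse_cfg(text)
    findings = []
    for key in ("noreplyaddress", "supportemail"):
        if not cfg.get(key):
            findings.append(f"{key}: not defined")
    for key in ("debug", "debugdisplay"):
        if cfg.get(key) != "0":
            findings.append(f"{key}: not forced to 0")
    # The advisory scopes the PHPMailer issue to sites with empty smtphosts.
    if not cfg.get("smtphosts"):
        findings.append("smtphosts: empty, PHPMailer issue applies")
    return findings

# Constructed sample: a config.php that misses most of the recommendations.
SAMPLE = """<?php
$CFG = new stdClass();
$CFG->wwwroot = 'https://moodle.example.test';
// $CFG->noreplyaddress = 'noreply@example.test';
$CFG->supportemail = 'support@example.test';
$CFG->debug = 32767;  // constructed non-zero debug level
$CFG->debugdisplay = 1;
$CFG->smtphosts = '';
"""

# Constructed sample: the same site after applying the recommended actions.
HARDENED = """<?php
$CFG->noreplyaddress = 'noreply@example.test';
$CFG->supportemail = 'support@example.test';
$CFG->debug = 0;
$CFG->debugdisplay = 0;
$CFG->smtphosts = 'smtp.example.test';
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```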

Origin URLs:
