SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Forum/Board/Portal)  >   Moodle Vendors:   moodle.org
Moodle Bugs Let Remote Users Access and Modify Data and Conduct Cross-Site Request Forgery Attacks
SecurityTracker Alert ID:  1035902
SecurityTracker URL:  http://securitytracker.com/id/1035902
CVE Reference:   CVE-2016-3729, CVE-2016-3731, CVE-2016-3732, CVE-2016-3733, CVE-2016-3734   (Links to External Site)
Date:  May 17 2016
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to versions 2.7.14, 2.8.12, 2.9.6, 3.0.4
Description:   Multiple vulnerabilities were reported in Moodle. A remote user can conduct cross-site request forgery attacks. A remote authenticated user can access data on the target system. A remote authenticated user can modify data on the target system.

A remote authenticated user can modify profile fields that have been locked by the administrator [CVE-2016-3729].

A remote user can determine forum names and sub-names [CVE-2016-3731]. Version 2.7.x is not affected.

A remote authenticated user can view badges of other users [CVE-2016-3732].

A remote authenticated teacher user can overwrite the course idnumber during a course restore [CVE-2016-3733].

A remote user can create a specially crafted HTML page or URL that, when loaded by the target authenticated user, will take actions on the target interface acting as the target user [CVE-2016-3734]. The 'markposts.php' page is affected.

Andrew Nicols, Donna Hrynkiw, Tim Hunt, Callum, and Vadim Dvorovenko reported these vulnerabilities.

Impact:   A remote user can take actions on the target system acting as the target authenticated user.

A remote authenticated user can obtain data on the target system.

A remote authenticated user can modify data on the target system.

Solution:   The vendor has issued a fix (2.7.14, 2.8.12, 2.9.6, 3.0.4).

The vendor's advisory is available at:

https://moodle.org/security/

Vendor URL:  moodle.org/security/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Tue, 17 May 2016 17:01:24 +0800
Subject:  [oss-security] Moodle security release 3.0.4, 2.9.6, 2.8.12, 2.7.14

The following security notifications have now been made public
following release of Moodle 3.0.4, 2.9.6, 2.8.12 and 2.7.14. Thanks to
OSS members for their cooperation.

==============================================================================
MSA-16-0013: Users are able to change profile fields that were locked by the
administrator

Description:       User editing form only disabled the profile fields in UI
                   and did not actually prevent users from editing them
Issue summary:     Tricky users can change locked profile fields
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13
                   and earlier unsupported versions
Versions fixed:    3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by:       Vadim Dvorovenko
Issue no.:         MDL-53954
CVE identifier:    CVE-2016-3729
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53954

==============================================================================
MSA-16-0015: Information disclosure of hidden forum names and sub-names.

Description:       Name of the inaccessible forum or forum discussion could be
                   disclosed as part of the error message on the subscription
                   page
Issue summary:     Information disclosure of hidden forum names and sub-names.
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5 and 2.8 to 2.8.11
Versions fixed:    3.0.4, 2.9.6 and 2.8.12
Reported by:       Callum
Issue no.:         MDL-53696
CVE identifier:    CVE-2016-3731
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53696

==============================================================================
MSA-16-0016: User can view badges of other users without proper permissions

Description:       Capability check to view other badges was performed for the
                   current user instead for the user whose badges are being
                   viewed
Issue summary:     Badges code checks viewotherbadges capability in the wrong
                   context
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13
                   and earlier unsupported versions
Versions fixed:    3.0.4, 2.9.6 and 2.8.12
Reported by:       Tim Hunt
Issue no.:         MDL-53589
CVE identifier:    CVE-2016-3732
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53589

==============================================================================
MSA-16-0017: Course idnumber not protected from teacher restore

Description:       During the course restore teacher could overwrite idnumber
                   even without having the capability to change it
Issue summary:     Course idnumber not protected from teacher restore
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13
                   and earlier unsupported versions
Versions fixed:    3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by:       Donna Hrynkiw
Issue no.:         MDL-51369
CVE identifier:    CVE-2016-3733
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51369

==============================================================================
MSA-16-0018: CSRF in script marking forum posts as read

Description:       CSRF possible in the URL that marks forum posts as read
Issue summary:     Forum markposts.php missing sesskey check
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13
                   and earlier unsupported versions
Versions fixed:    3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by:       Andrew Nicols
Issue no.:         MDL-53755
CVE identifier:    CVE-2016-3734
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53755

==============================================================================

Marina Glancy
Development Process Manager
e: marina@moodle.com
p: +61 8 9467 4167 w: moodle.com
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2017, SecurityGlobal.net LLC