Moodle Multiple Vulnerabilities
Release Date : 2013-01-21
Criticality level : Moderately critical
Impact : Unknown, Cross Site Scripting, Exposure of sensitive information
Where: From remote
Solution Status : Vendor Patch
Software: Moodle 1.9.x
Multiple weaknesses, two security issues, and multiple vulnerabilities have been reported in Moodle, where one has an unknown impact and the others can be exploited by malicious users to bypass certain security restrictions and by malicious people to conduct spoofing and cross-site request forgery attacks and disclose potentially sensitive information.
1) An unspecified error exists in the spellchecker plugin for TinyMCE. No further information is currently available.
This vulnerability is reported in versions 2.4, 2.3 through 2.3.3+, 2.2 through 2.2.6+, and 2.1 through 2.1.9+.
2) The application does not properly verify capabilities when editing outcomes, which can be exploited to set outcomes to be a site-wide standard.
Successful exploitation of this security issue requires teacher permission.
This security issue is reported in versions 2.4, 2.3 through 2.3.3+, 2.2 through 2.2.6+, 2.1 through 2.1.9+, and 1.9 through 1.9.19.
3) Input passed via the "returnurl" parameter to multiple scripts is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website, e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.
List of affected scripts:
This weakness is reported in versions 2.4, 2.3 through 2.3.3+, and 2.2 to 2.2.6+.
4) The application does not properly restrict access to the feedback comment viewing functionality, which can be exploited to view otherwise restricted feedback comments provided on other students' submissions.
Successful exploitation of this vulnerability requires student permission.
This vulnerability is reported in versions 2.4 and 2.3 through 2.3.3+.
5) The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. send course messages when a logged-in user visits a specially crafted web page.
6) The application does not properly restrict access to certain blog posts, which can be exploited to disclose contents of otherwise restricted blog posts via related RSS feeds.
The vulnerabilities #5 and #6 are reported in versions 2.4, 2.3 through 2.3.3+, and 2.2 to 2.2.6+.
7) The application does not properly verify capabilities when handling calendars, which can be exploited to delete a teacher-created, course-level calendar subscription.
Successful exploitation of this security issue requires student permission.
This security issue is reported in version 2.4.
Update to version 2.4.1, 2.3.4, 2.2.7, 2.1.10, or 1.9.19+ weekly build (2012-12-20) or later.
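For weakness #3, the following added example (not Moodle's code and not the vendor's patch) shows one way to check a "returnurl" value before it is used in a redirect, accepting only targets on the site's own origin and base path. The function name `is_local_return_url`, the `$wwwroot` base URL and all sample URLs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);
// Hypothetical helper (not Moodle code): true only if $returnurl stays on the
// host whose base URL is $wwwroot (assumed to be an absolute http(s) URL).
function is_local_return_url(string $returnurl, string $wwwroot): bool
{
    // Reject empty values, control characters, whitespace and backslashes,
    // which browsers and server-side parsers may interpret differently.
    if ($returnurl === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $returnurl)) {
        return false;
    }
    // Site-relative path: one leading slash only ("//host" is protocol-relative).
    if ($returnurl[0] === '/') {
        return strncmp($returnurl, '//', 2) !== 0;
    }
    $target = parse_url($returnurl);
    $base = parse_url($wwwroot);
    if (!is_array($target) || !is_array($base)
        || !isset($target['scheme'], $target['host'], $base['scheme'], $base['host'])
        || isset($target['user']) || isset($target['pass'])) {
        return false;
    }
    $ports = ['http' => 80, 'https' => 443];
    $scheme = strtolower($target['scheme']);
    if (!isset($ports[$scheme]) || $scheme !== strtolower($base['scheme'])
        || strtolower($target['host']) !== strtolower($base['host'])
        || ($target['port'] ?? $ports[$scheme]) !== ($base['port'] ?? $ports[$scheme])) {
        return false;
    }
    // The path must be the base path itself or lie beneath it.
    $basepath = rtrim($base['path'] ?? '', '/');
    $path = $target['path'] ?? '/';
    return $path === $basepath || strncmp($path, $basepath . '/', strlen($basepath) + 1) === 0;
}

// Constructed inputs: the first two are local, the rest must be refused.
$wwwroot = 'https://moodle.example.org/moodle';
$samples = [
    '/moodle/course/view.php?id=2',
    'https://moodle.example.org/moodle/mod/forum/view.php?id=5',
    '//other.example/moodle/',
    'https://other.example/moodle/',
    'https://moodle.example.org@other.example/moodle/',
    'https://moodle.example.org.other.example/moodle/',
];
foreach ($samples as $url) {
    // On refusal a caller would redirect to a fixed page such as $wwwroot instead.
    printf("%-58s %s\n", $url, is_local_return_url($url, $wwwroot) ? 'allow' : 'refuse');
}
```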
Provided and/or discovered by:
The vendor credits:
1) Petr Skoda
2) Elena Ivanova
3) Simon Coggins
4) Dan Poltawski
5) Andrew Nicols
6) Charles Fulton
7) David O'Brien
Moodle (MSA-13-0001, MSA-13-0002, MSA-13-0005, MSA-13-0006, MSA-13-0007, MSA-13-0008, MSA-13-0010):