CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS
Percentile
68.7%
Updated moodle package fixes security vulnerabilities: In Moodle before 2.6.7, absence of a capability check in AJAX backend script in the LTI module could allow any enrolled user to search the list of registered tools (CVE-2015-0211). In Moodle before 2.6.7, the course summary on course request pending approval page was displayed to the manager unescaped and could be used for XSS attack (CVE-2015-0212). In Moodle before 2.6.7, two files in the Glossary module lacked a session key check potentially allowing cross-site request forgery (CVE-2015-0213). In Moodle before 2.6.7, through web-services it was possible to access messaging-related functions such as people search even if messaging is disabled on the site (CVE-2015-0214). In Moodle before 2.6.7, through web-services it was possible to get information about calendar events which user did not have enough permissions to see (CVE-2015-0215). In Moodle before 2.6.7, non-optimal regular expression in the multimedia filter could be exploited to create extra server load or make particular page unavailable, resulting in a denial of service (CVE-2015-0217). In Moodle before 2.6.7, it was possible to forge a request to logout users even when not authenticated through Shibboleth (CVE-2015-0218).
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Mageia | 4 | noarch | moodle | < 2.6.7-1 | moodle-2.6.7-1.mga4 |
bugs.mageia.org/show_bug.cgi?id=15084
docs.moodle.org/dev/Moodle_2.6.7_release_notes
moodle.org/mod/forum/discuss.php?d=278176
moodle.org/mod/forum/discuss.php?d=278611
moodle.org/mod/forum/discuss.php?d=278612
moodle.org/mod/forum/discuss.php?d=278613
moodle.org/mod/forum/discuss.php?d=278614
moodle.org/mod/forum/discuss.php?d=278615
moodle.org/mod/forum/discuss.php?d=278617
moodle.org/mod/forum/discuss.php?d=278618