Tenable9403.PRMMoodle 2.0.x < 2.0.10 Multiple Vulnerabilities
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
EPSS
Percentile
77.0%
The remote web server hosts Moodle, an open-source course management system. Versions of Moodle 2.0.x prior to 2.0.10 are exposed to the following vulnerabilities :
- A flaw exists that is triggered when the program fails to properly restrict access to files embedded by a block. This may allow a remote attacker to bypass access restrictions and gain access to arbitrary files. (CVE-2012-3390)
- A flaw exists that is triggered when a user is redirected from the login screen when utilizing LDAP via the ‘redirect()’ function. This issue causes a redirect from the HTTPS protocol to HTTP, which may make it easier for an attacker to gain access to sensitive information. (CVE-2012-3394)
- A flaw exists that may allow an attacker to carry out an SQL injection attack. The issue is due to the program not properly sanitizing user-supplied input passed via the Feedback module before using it in SQL queries. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. (CVE-2012-3395)
- A flaw exists that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via certain unspecified fields when administrating cohorts before returning it to the user. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user’s browser within the trust relationship between their browser and the server. (CVE-2012-3396)
- A flaw exists that may lead to an unauthorized information disclosure. The issue is triggered when the Restrict Access conditions improperly overwrite group settings. This will display potentially sensitive group activities to a remote attacker. (CVE-2012-3397)
- A flaw exists that may allow a remote denial of service. The issue is triggered when searching database activities, which will cause an exhaustion of CPU resources. This will result in loss of availability for the program and the system. (CVE-2012-3398)
Binary data 9403.prmReferences
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3390
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3394
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3395
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3396
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3397
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3398
docs.moodle.org/dev/Moodle_2.0.10_release_notes
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
EPSS
Percentile
77.0%