Lucene search

Tenable9520.PRM

HistoryAug 25, 2016 - 12:00 a.m.

Moodle 2.7.x < 2.7.15 Remote Header Email Address Injection

2016-08-2500:00:00

Tenable

www.tenable.com

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

EPSS

0.001

Percentile

32.7%

JSON

The remote web server hosts Moodle, an open-source course management system. Versions of Moodle 2.7.x prior to 2.7.15 are affected by a flaw that may allow an authenticated remote attacker to inject email addresses into the intended recipients of an email by changing their username to include another user’s email address. This may result in other users potentially being saturated with emails. (CVE-2016-5013)

Binary data 9520.prm

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5013

docs.moodle.org/dev/Moodle_2.7.15_release_notes

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

EPSS

0.001

Percentile

32.7%

JSON

Related for 9520.PRM