Nessus plugin WEB_APPLICATION_SCANNING_113617
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
History: Feb 20, 2023 - 12:00 a.m.

Moodle 3.10.x < 3.10.7 Multiple Vulnerabilities

2023-02-20 00:00:00
www.tenable.com

EPSS: 0.001 (Low), percentile 31.3%

The version of Moodle installed on the remote host is 3.9.x prior to 3.9.10, 3.10.x prior to 3.10.7 or 3.11.x prior to 3.11.3. It is, therefore, affected by multiple vulnerabilities:

  • A session hijack vulnerability was identified in the Shibboleth authentication plugin, when enabled. (CVE-2021-40691)

  • An Insecure Direct Object Reference (IDOR) allowing teachers to download the users of other courses. (CVE-2021-40692)

  • An authentication bypass vulnerability was identified in the external database authentication functionality due to a type juggling vulnerability. (CVE-2021-40693)

  • An arbitrary file read due to insufficient escaping of the LaTeX preamble, allowing site administrators to read files available to the HTTP server system account. (CVE-2021-40694)

  • An information disclosure allowing students to see their quiz grade through the quiz web service before its release. (CVE-2021-40695)

Note that the scanner has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.

Vendor   Product   Version   CPE
moodle   moodle    *         cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
