CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:N/I:N/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
59.2%
In Moodle before 2.8.9, if guest access is open on the site, unauthenticated users can store Atto draft data through the editor autosave area, which could be exploited in a denial of service attack (CVE-2015-5332). In Moodle before 2.8.9, due to a CSRF issue in the site registration form, it is possible to trick a site admin into sending aggregate stats to an arbitrary domain. The attacker can send the admin a link to a site registration form that will display the correct URL but, if submitted, will register with another hub (CVE-2015-5335). In Moodle before 2.8.9, the standard survey module is vulnerable to XSS attack by students who fill the survey (CVE-2015-5336). In Moodle before 2.8.9, there was a reflected XSS vulnerability in the Flowplayer flash video player (CVE-2015-5337). In Moodle before 2.8.9, password-protected lesson modules are subject to a CSRF vulnerability in the lesson login form (CVE-2015-5338). In Moodle before 2.8.9, through web service core_enrol_get_enrolled_users it is possible to retrieve list of course participants who would not be visible when using web site (CVE-2015-5339). In Moodle before 2.8.9, logged in users who do not have capability ‘View available badges without earning them’ can still access the full list of badges (CVE-2015-5340). In Moodle before 2.8.9, the SCORM module allows to bypass access restrictions based on date and lets users view the SCORM contents (CVE-2015-5341). In Moodle before 2.8.9, the choice module closing date can be bypassed, allowing users to delete or submit new responses after the choice module was closed (CVE-2015-5342).
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Mageia | 5 | noarch | moodle | < 2.8.9-1 | moodle-2.8.9-1.mga5 |
bugs.mageia.org/show_bug.cgi?id=17280
docs.moodle.org/dev/Moodle_2.8.9_release_notes
moodle.org/mod/forum/discuss.php?d=322852
moodle.org/mod/forum/discuss.php?d=323229
moodle.org/mod/forum/discuss.php?d=323230
moodle.org/mod/forum/discuss.php?d=323231
moodle.org/mod/forum/discuss.php?d=323232
moodle.org/mod/forum/discuss.php?d=323233
moodle.org/mod/forum/discuss.php?d=323234
moodle.org/mod/forum/discuss.php?d=323235
moodle.org/mod/forum/discuss.php?d=323236
moodle.org/mod/forum/discuss.php?d=323237
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:N/I:N/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
59.2%