Lucene search

GoogleOSV:GHSA-R9PC-G29W-F86J

HistoryMay 13, 2022 - 1:12 a.m.

Moodle sensitive information disclosure

2022-05-1301:12:38

Google

osv.dev

moodle

version 2.6.11

2.7.x

2.8.x

2.9.x

3.0.x

sensitive information disclosure

remote attackers

AI Score

6.3

Confidence

Low

EPSS

0.003

Percentile

70.3%

JSON

Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not properly restrict links, which allows remote attackers to obtain sensitive URL information by reading a Referer log.

References

git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52651

www.openwall.com/lists/oss-security/2016/03/21/1

github.com/moodle/moodle

github.com/moodle/moodle/commit/1688564a6eee6000013f6e185f704049283ae375

github.com/moodle/moodle/commit/190757854d9ce3b3ce3100dc76de54277f3bdd14

github.com/moodle/moodle/commit/314d105c169c67e3ce750f76b21d99983d4a9ff5

github.com/moodle/moodle/commit/4d6f159f681882496e05ddacf2561929d2d23f0e

github.com/moodle/moodle/commit/9f91c23536a31ba2dc91b0ba2ae726b1757a20cb

moodle.org/mod/forum/discuss.php?d=330181

nvd.nist.gov/vuln/detail/CVE-2016-2190

web.archive.org/web/20210801130148/www.securitytracker.com/id/1035333