CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS Percentile: 80.6%
The remote web server hosts Moodle, an open-source course management system. Versions of Moodle 2.4.x prior to 2.4.10, 2.5.x prior to 2.5.6, 2.6.x prior to 2.6.3, and all previous releases are exposed to the following vulnerabilities:
A cross-site request forgery (CSRF) vulnerability affects the quick-grading function. Session checking was not being performed correctly in Assignment's quick-grading, allowing forged requests to be made unknowingly by authenticated users. (MSA-14-0014 / CVE-2014-0213)
A security bypass weakness affects session token expiration in MoodleMobile. Tokens created automatically in 'login/token.php' are valid forever. (MSA-14-0015 / CVE-2014-0214)
An information disclosure flaw exposes student details through the use of a screen reader or by viewing the HTML source code. (MSA-14-0016 / CVE-2014-0215)
An authorization bypass vulnerability exists because Moodle fails to restrict access to the files linked in HTML blocks on the 'My Home' page. Successful exploits will allow attackers to gain unauthorized access to these files. (MSA-14-0017 / CVE-2014-0216)
An information disclosure flaw may allow a remote attacker to gain access to the details of hidden courses on enrollment pages via URL manipulation. (MSA-14-0018 / CVE-2014-0217)
A reflected cross-site scripting (XSS) vulnerability affects the URL downloader repository due to a lack of filtering. (MSA-14-0019 / CVE-2014-0218)
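The affected-version ranges above are the check a defender actually needs to run against an inventory. The following is an added example, not Tenable's plugin or Moodle project code: it encodes the branch thresholds stated in the advisory (2.4.10, 2.5.6, 2.6.3, everything older than 2.4 affected) and reports whether a given version string is covered. It assumes a plain "major.minor[.patch]" version string; any build suffix such as "+" is ignored and the build is treated as its base release.

```python
# Added example (not the plugin's own code): classify a Moodle version
# against the ranges named in MSA-14-0014 .. MSA-14-0019.
import re

# First fixed release per maintained branch, as stated in the advisory.
FIXED_BY_BRANCH = {
    (2, 4): (2, 4, 10),
    (2, 5): (2, 5, 6),
    (2, 6): (2, 6, 3),
}
# The advisory also says "all previous releases" are exposed, i.e. any
# branch older than 2.4 never received a fix.
OLDEST_FIXED_BRANCH = (2, 4)


def parse_version(text):
    """Turn '2.6.2', '2.5' or '2.4.9+' into a (major, minor, patch) tuple.

    Build suffixes ('+', '(Build: ...)') are ignored; a missing patch is 0.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Moodle version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text):
    """Return True if the version falls inside the advisory's affected ranges."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        # Same branch: vulnerable only if below the first fixed release.
        return version < FIXED_BY_BRANCH[branch]
    if branch < OLDEST_FIXED_BRANCH:
        # 2.3.x, 2.2.x, 1.9.x ...: "all previous releases" are exposed.
        return True
    # Newer branches are outside the ranges this advisory lists.
    return False


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("lms-a", "2.4.9"), ("lms-b", "2.5.6"), ("lms-c", "2.3.11+")]:
        print(f"{host}: Moodle {ver} -> {'AFFECTED' if is_affected(ver) else 'ok'}")
```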
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0213
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0214
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0215
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0216
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0217
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0218
moodle.org/security
openwall.com/lists/oss-security/2014/05/19/1
www.nessus.org/u?5a6759c3
www.nessus.org/u?6e8ae8f4
www.nessus.org/u?9542d845