nessus | Tenable | 8721.PRM
Apr 20, 2015 - 12:00 a.m.

Moodle < 2.5 / 2.5.x < 2.5.9 / 2.6.x < 2.6.6 / 2.7.x < 2.7.3 Multiple Vulnerabilities

2015-04-20 00:00:00
Tenable
www.tenable.com

CVSS2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

EPSS: 0.009 (Percentile: 82.5%)

The remote web server hosts Moodle, an open-source course management system. Versions of Moodle 2.5.x prior to 2.5.9, 2.6.x prior to 2.6.6, 2.7.x prior to 2.7.3, and all previous releases are exposed to the following vulnerabilities:

  • A cross-site scripting (XSS) vulnerability affects the script ‘lib/setup.php’. Specifically, because the encoding was not forced, UTF-7 characters could be used to carry out cross-site scripting against AJAX scripts (although this is unlikely on modern browsers and on most Moodle pages). (MSA-14-0035 / CVE-2014-9059)

  • A cross-site scripting (XSS) vulnerability exists in the Feedback module. This occurs because the last search string was not escaped in the search input field. Specifically, this affects the ‘$searchcourse’ parameter in the script ‘mod/feedback/mapcourse.php’. (MSA-14-0036 / CVE-2014-7830)

  • The temporary password generation function ‘generate_password()’ uses an unreasonably short list of possible words to create temporary passwords. (MSA-14-0037 / CVE-2014-7845)

  • A security bypass flaw exists in ‘mod/lti/launch.php’ which performs access control at the course level rather than at the activity level. This could allow remote authenticated users to bypass the ‘mod/lti:view’ capability requirement by viewing an activity instance. (MSA-14-0039 / CVE-2014-7832)

  • An information disclosure flaw affects ‘mod/data/edit.php’ because the script sets a certain group ID to zero upon a database-entry change, which allows remote authenticated users to obtain sensitive information by accessing the database after an edit by a teacher. (MSA-14-0040 / CVE-2014-7833)

  • An access control flaw exists in ‘tag/tag_autocomplete.php’ because the script does not consider the ‘moodle/tag:edit’ capability before adding a tag, which allows remote authenticated users to bypass intended access restrictions via an AJAX request. (MSA-14-0041 / CVE-2014-7846)

  • A denial of service vulnerability exists in the Geo-Map script, ‘iplookup/index.php’. Specifically, the script used to geo-map IP addresses was available to unauthenticated users, increasing server load when used by other parties. (MSA-14-0042 / CVE-2014-7847)

  • Multiple cross-site request forgery (CSRF) vulnerabilities affect the LTI module that allow remote attackers to hijack the authentication of arbitrary users to make a request. Specifically, these flaws exist in ‘mod/lti/request_tool.php’ and ‘mod/lti/instructor_edit_tool_type.php’. (MSA-14-0046 / CVE-2014-7836)

  • A security-bypass vulnerability exists within the script ‘mod/wiki/admin.php’ because it fails to sufficiently sanitize user-supplied input. An attacker can exploit this issue to delete pages in other Wiki pages by manipulating URLs. (MSA-14-0047 / CVE-2014-7837)

  • A cross-site request forgery (CSRF) flaw affects the forum tracking toggle function because it lacks a session key check. Specifically, this affects the script ‘mod/forum/settracking.php’. (MSA-14-0048 / CVE-2014-7838)

  • A flaw exists that could allow a remote attacker to print arbitrary messages to a user session by modifying the URL query string. Specifically, this affects the script ‘mod/lti/return.php’ when loading the LTI module return page. (MSA-14-0049 / CVE-2014-9060)
