Synopsis
The remote web server is hosting a web application that is vulnerable to multiple attack vectors.
Description
The remote web server hosts Moodle, an open-source course management system. Versions of Moodle 2.4.x prior to 2.4.11, 2.5.x prior to 2.5.7, 2.6.x prior to 2.6.4, 2.7.x prior to 2.7.1, and all previous releases are exposed to the following vulnerabilities :
- The Repositories component allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data defined by add-ons that could include malicious code. (MSA-14-0021 / CVE-2014-3541)
- An XML external entity (XXE) remote file disclosure flaw exists in the LTI module. Specifically, it is possible for manipulated XML files passed from LTI servers to be interpreted by Moodle to allow access to server-side files. (MSA-14-0022 / CVE-2014-3542)
- An XML external entity (XXE) remote file disclosure flaw affects IMSCC and IMSCP modules in Moodle. Specifically, it is possible for manipulated XML files to be uploaded to the IMSCC course format or the IMSCP resource to allow access to server-side files. (MSA-14-0023 / CVE-2014-3543)
- A remote code execution vulnerability exists in the Quiz system. It is possible to inject code into Calculated questions that would be executed on the server. (MSA-14-0025 / CVE-2014-3545)
- An information disclosure flaw exists in the script '/user/edit.php' that is triggered by manipulating the URL. An authenticated remote attacker could exploit this to get limited user information, such as user name and courses. (MSA-14-0026 / CVE-2014-3546)
- An error in forum permissions was allowing users who were members of more than one group to post to all groups without the capability to access all groups. (MSA-14-0027 / CVE-2014-3553)
- A reflected cross-site scripting (XSS) vulnerability exists due to the content of exception dialogues presented from AJAX calls was not being escaped before being presented to users. (MSA-14-0029 / CVE-2014-3548)
- Multiple cross-site scripting (XSS) vulnerabilities affect the advanced-grading implementation that could allow remote authenticated users to inject arbitrary web script or HTML via a specially crafted 'qualification' or 'rating' field in a rubric. (MSA-14-0032 / CVE-2014-3551)
- A cross-site scripting (XSS) vulnerability exists in 'user/profile.php' that allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field. Exploits for this XSS vulnerability are publicly available. (MSA-14-0024 / CVE-2014-3544)
Solution
Upgrade to Moodle version 2.7.1 or later. If your installation cannot be upgraded to 2.7.x, versions 2.6.4, 2.5.7 and 2.4.11 are also patched for these vulnerabilities.
Plugin Details
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:moodle:moodle
Patch Publication Date: 7/14/2014
Vulnerability Publication Date: 7/21/2014
Reference Information
CVE: CVE-2014-3541, CVE-2014-3542, CVE-2014-3543, CVE-2014-3544, CVE-2014-3545, CVE-2014-3546, CVE-2014-3548, CVE-2014-3551, CVE-2014-3553
BID: 68722, 68754, 68755, 68756, 68763, 68766, 68773, 68774, 68778