Moodle 3.10.x < 3.10.5 Multiple Vulnerabilities

critical Web App Scanning Plugin ID 113620

Synopsis

Moodle 3.10.x < 3.10.5 Multiple Vulnerabilities

Description

The version of Moodle installed on the remote host is 3.9.x prior to 3.9.8, 3.10.x prior to 3.10.5 or 3.11.x prior to 3.11.1. It is, therefore, affected by multiple vulnerabilities:

- An SQL injection in the library fetching a user's enrolled courses. (CVE-2021-36392)

- An SQL injection in the library fetching a user's recent courses. (CVE-2021-36393)

- A Remote Code Execution (RCE) in the Shibboleth authentication plugin, when enabled. (CVE-2021-36394)

- A recursion Denial of Service (DoS) in the file repository's URL parsing function. (CVE-2021-36395)

- A blind Server-Side Request Forgery (SSRF) due to insufficient redirect handling, allowing the cURL blocked hosts and allowed ports restrictions to be bypassed. (CVE-2021-36396)

- An Insecure Direct Object Reference (IDOR) vulnerability allowing a user to delete other users' messages. (CVE-2021-36397)

- A stored Cross-Site Scripting (XSS) vulnerability in the ID numbers displayed in the web service token list. (CVE-2021-36398)

- A stored Cross-Site Scripting (XSS) vulnerability in the ID numbers displayed in the quiz override screens. (CVE-2021-36399)

- An Insecure Direct Object Reference (IDOR) vulnerability allowing a user to remove other users' calendar URL subscriptions. (CVE-2021-36400)

- A stored Cross-Site Scripting (XSS) vulnerability in the ID numbers exported in HTML data formats being read locally. (CVE-2021-36401)

- Improper input validation of user names in account confirmation emails, leading to phishing risks. (CVE-2021-36402)

- Improper input validation when processing email notifications containing HTML, leading to phishing risks. (CVE-2021-36403)

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.
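As an added example (not part of the Tenable plugin or of Moodle's own code), the following Python reproduces the version-only check the description above relies on: it parses a self-reported Moodle release string and compares it against the fixed versions listed for each branch (3.9.8, 3.10.5, 3.11.1). It assumes the string follows Moodle's `$release` format, e.g. `3.10.4+ (Build: 20210603)` or `3.10 (Build: 20201109)`; the weekly-build `+` suffix and the build date are ignored, so a `3.10.4+` build is still reported as vulnerable. Like the scanner, it says nothing about whether a fix was backported by hand, so treat a match as a version-based finding, not a confirmed exploitable condition.

```python
import re

# Fixed version per affected branch, as listed in the advisory:
# 3.9.x < 3.9.8, 3.10.x < 3.10.5, 3.11.x < 3.11.1.
FIXED = {
    (3, 9): (3, 9, 8),
    (3, 10): (3, 10, 5),
    (3, 11): (3, 11, 1),
}

# Matches "3.10.4+ (Build: 20210603)", "3.10 (Build: 20201109)", "3.9.8+", ...
# Group 3 (patch) is optional because a branch's first release omits it (3.10 == 3.10.0).
_RELEASE_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(\+)?")


def parse_release(release):
    """Parse a Moodle $release string into (major, minor, patch, weekly_build).

    The trailing '+' marks a weekly build made after the numbered release;
    the '(Build: YYYYMMDD)' part is ignored, as is anything else after it.
    """
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised Moodle release string: {release!r}")
    major, minor, patch, plus = m.groups()
    return int(major), int(minor), int(patch or 0), plus is not None


def fixed_release(release):
    """Return the fixed version string for this release's branch, or None if the
    branch is not one of the three covered by the advisory (e.g. 3.8 or 4.x)."""
    major, minor, _patch, _plus = parse_release(release)
    fixed = FIXED.get((major, minor))
    return None if fixed is None else ".".join(str(n) for n in fixed)


def is_vulnerable(release):
    """True if the reported version is in an affected branch and below the fix.

    Only the numeric release is compared: '3.10.4+' is still below 3.10.5 and is
    therefore flagged, which mirrors the scanner's version-only heuristic.
    """
    major, minor, patch, _plus = parse_release(release)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return False  # branch not covered by this plugin
    return (major, minor, patch) < fixed


if __name__ == "__main__":
    # Constructed sample release strings (not taken from a real host).
    for sample in ("3.10.4+ (Build: 20210603)", "3.10 (Build: 20201109)",
                   "3.10.5 (Build: 20210712)", "3.9.7", "3.11.1+", "4.0"):
        status = "VULNERABLE" if is_vulnerable(sample) else "not affected"
        print(f"{sample:32} -> {status} (fix: {fixed_release(sample)})")
```

The release string is what Moodle exposes in `version.php` (`$release`) and, depending on configuration, in the admin notifications page; if the site hides it, a scanner of this kind has nothing to compare and will not fire, which does not mean the site is patched.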

Solution

Upgrade to version 3.10.5 or later.

See Also

https://moodle.org/mod/forum/discuss.php?d=424797#p1710816

https://moodle.org/mod/forum/discuss.php?d=424798#p1710817

https://moodle.org/mod/forum/discuss.php?d=424799#p1710818

https://moodle.org/mod/forum/discuss.php?d=424801#p1710820

https://moodle.org/mod/forum/discuss.php?d=424802#p1710821

https://moodle.org/mod/forum/discuss.php?d=424803#p1710822

https://moodle.org/mod/forum/discuss.php?d=424804#p1710823

https://moodle.org/mod/forum/discuss.php?d=424805#p1710824

https://moodle.org/mod/forum/discuss.php?d=424806#p1710825

https://moodle.org/mod/forum/discuss.php?d=424807#p1710826

https://moodle.org/mod/forum/discuss.php?d=424808#p1710827

https://moodle.org/mod/forum/discuss.php?d=424809#p1710828

Plugin Details

Severity: Critical

ID: 113620

Type: remote

Published: 2/20/2023

Updated: 3/14/2023

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2021-36392

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: CVE-2021-36392

Vulnerability Information

CPE: cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/19/2021

Vulnerability Publication Date: 7/19/2021

Reference Information

CVE: CVE-2021-36392, CVE-2021-36393, CVE-2021-36394, CVE-2021-36395, CVE-2021-36396, CVE-2021-36397, CVE-2021-36398, CVE-2021-36399, CVE-2021-36400, CVE-2021-36401, CVE-2021-36402, CVE-2021-36403

CWE: 20, 276, 384, 400, 610, 639, 674, 79, 89, 912, 918, 94

OWASP: 2010-A1, 2010-A2, 2010-A3, 2010-A4, 2010-A6, 2010-A8, 2013-A1, 2013-A2, 2013-A3, 2013-A4, 2013-A5, 2013-A7, 2013-A9, 2017-A1, 2017-A2, 2017-A5, 2017-A6, 2017-A7, 2017-A9, 2021-A1, 2021-A10, 2021-A3, 2021-A6, 2021-A7

WASC: Application Misconfiguration, Cross-Site Scripting, Denial of Service, Improper Input Handling, Insufficient Authorization, OS Commanding, SQL Injection, Session Fixation

CAPEC: 10, 101, 104, 108, 109, 110, 120, 122, 13, 135, 136, 14, 147, 153, 182, 196, 197, 209, 21, 219, 22, 23, 230, 231, 233, 24, 242, 250, 261, 267, 28, 3, 31, 35, 39, 42, 43, 45, 46, 47, 470, 473, 492, 52, 53, 58, 588, 59, 591, 592, 60, 61, 63, 64, 66, 67, 7, 71, 72, 73, 77, 78, 79, 8, 80, 81, 83, 85, 88, 9

DISA STIG: APSC-DV-000460, APSC-DV-000500, APSC-DV-002250, APSC-DV-002400, APSC-DV-002490, APSC-DV-002510, APSC-DV-002540, APSC-DV-002560, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.12.6.1, 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.2.1, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3, sp800_53-CM-6b, sp800_53-IA-2(8), sp800_53-SC-5, sp800_53-SI-10

OWASP API: 2019-API7, 2019-API8, 2023-API7, 2023-API8

OWASP ASVS: 4.0.2-14.2.1, 4.0.2-3.2.1, 4.0.2-5.1.3, 4.0.2-5.2.5, 4.0.2-5.2.6, 4.0.2-5.3.3, 4.0.2-5.3.4

PCI-DSS: 3.2-2.2, 3.2-6.2, 3.2-6.5, 3.2-6.5.1, 3.2-6.5.10, 3.2-6.5.7, 3.2-6.5.8, 3.2-6.5.9