Moodle 3.8.x < 3.8.9 Multiple Vulnerabilities

high Web App Scanning Plugin ID 113623

Synopsis

Moodle 3.8.x < 3.8.9 Multiple Vulnerabilities

Description

The version of Moodle installed on the remote host is 3.5.x prior to 3.5.18, 3.8.x prior to 3.8.9, 3.9.x prior to 3.9.7 or 3.10.x prior to 3.10.4. It is, therefore, affected by multiple vulnerabilities:

- An authorization issue allowing teachers to export a CSV file containing forums from all courses. (CVE-2021-32472)

- An information disclosure allowing students to see their quiz grade through the quiz web service before its release. (CVE-2021-32473)

- An SQL injection on MNet-enabled sites via an XML-RPC call from the connected peer host for site administrators or users having access to the keypair. (CVE-2021-32474)

- A stored Cross-Site Scripting vulnerability through the ID number displayed in the quiz grading report. (CVE-2021-32475)

- A Denial of Service (DoS) due to user file upload limits not being enforced in the draft files area. (CVE-2021-32476)

- An information disclosure exposing the last time a user accessed the mobile page on their profile page. (CVE-2021-32477)

- A Cross-Site Scripting (XSS) and open redirect vulnerability through the redirect URI of the LTI authorization endpoint. (CVE-2021-32478)

- A vulnerable H5P PHP version 1.24 embedded library.

Note that the scanner has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to version 3.8.9 or later.

See Also

https://moodle.org/mod/forum/discuss.php?d=422305#p1701629

https://moodle.org/mod/forum/discuss.php?d=422307#p1701631

https://moodle.org/mod/forum/discuss.php?d=422308#p1701632

https://moodle.org/mod/forum/discuss.php?d=422309#p1701633

https://moodle.org/mod/forum/discuss.php?d=422310#p1701635

https://moodle.org/mod/forum/discuss.php?d=422313#p1701638

https://moodle.org/mod/forum/discuss.php?d=422314#p1701639

https://moodle.org/mod/forum/discuss.php?d=422315#p1701640

Plugin Details

Severity: High

ID: 113623

Type: remote

Published: 2/20/2023

Updated: 3/14/2023

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2021-32474

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Score Source: CVE-2021-32476

Vulnerability Information

CPE: cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*

Exploit Ease: No known exploits are available

Patch Publication Date: 5/17/2021

Vulnerability Publication Date: 5/17/2021

Reference Information

CVE: CVE-2021-32472, CVE-2021-32473, CVE-2021-32474, CVE-2021-32475, CVE-2021-32476, CVE-2021-32477, CVE-2021-32478

CWE: 200, 601, 770, 78, 79, 862, 89

OWASP: 2010-A1, 2010-A10, 2010-A2, 2010-A6, 2010-A8, 2013-A1, 2013-A10, 2013-A3, 2013-A5, 2013-A7, 2013-A9, 2017-A1, 2017-A5, 2017-A6, 2017-A7, 2017-A9, 2021-A1, 2021-A3, 2021-A6

WASC: Cross-Site Scripting, Denial of Service, Information Leakage, Insufficient Authorization, OS Commanding, SQL Injection, URL Redirector Abuse

CAPEC: 108, 109, 110, 116, 125, 13, 130, 147, 15, 169, 197, 209, 22, 224, 229, 230, 231, 285, 287, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 312, 313, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 43, 469, 470, 472, 482, 486, 487, 488, 489, 490, 491, 493, 494, 495, 496, 497, 508, 528, 573, 574, 575, 576, 577, 588, 59, 591, 592, 6, 60, 616, 63, 643, 646, 651, 66, 7, 79, 85, 88

DISA STIG: APSC-DV-000460, APSC-DV-002400, APSC-DV-002490, APSC-DV-002510, APSC-DV-002540, APSC-DV-002560, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.12.6.1, 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3, sp800_53-CM-6b, sp800_53-SC-5, sp800_53-SI-10, sp800_53-SI-15

OWASP API: 2019-API7, 2019-API8, 2023-API8

OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.1.5, 4.0.2-5.3.3, 4.0.2-5.3.4, 4.0.2-5.3.8, 4.0.2-8.3.4

PCI-DSS: 3.2-2.2, 3.2-6.2, 3.2-6.5.1, 3.2-6.5.7, 3.2-6.5.8