Bug 1335933 (CVE-2016-3729, CVE-2016-3731, CVE-2016-3732, CVE-2016-3733, CVE-2016-3734)

Summary: CVE-2016-3729 CVE-2016-3731 CVE-2016-3732 CVE-2016-3733 CVE-2016-3734 moodle: Multiple vulnerabilities fixed in 3.0.4, 2.9.6, 2.8.12 and 2.7.14
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: moodle 3.0.4, moodle 2.9.6, moodle 2.8.12, moodle 2.7.14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:51:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1336729, 1336730    
Bug Blocks:    

Description Adam Mariš 2016-05-13 14:53:05 UTC 
Multiple vulnerabilities were fixed in moodle 3.0.4, 2.9.6, 2.8.12 and 2.7.14 releases.

==============================================================================
MSA-16-0013: Users are able to change profile fields that were locked by the
administrator

Description: User editing form only disabled the profile fields in UI
and did not actually prevent users from editing them
Issue summary: Tricky users can change locked profile fields
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13
and earlier unsupported versions
Versions fixed: 3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by: Vadim Dvorovenko
Issue no.: MDL-53954
CVE identifier: CVE-2016-3729
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53954

==============================================================================
MSA-16-0015: Information disclosure of hidden forum names and sub-names.

Description: Name of the inaccessible forum or forum discussion could be
disclosed as part of the error message on the subscription
page
Issue summary: Information disclosure of hidden forum names and sub-names.
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5 and 2.8 to 2.8.11
Versions fixed: 3.0.4, 2.9.6 and 2.8.12
Reported by: Callum
Issue no.: MDL-53696
CVE identifier: CVE-2016-3731
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53696

==============================================================================
MSA-16-0016: User can view badges of other users without proper permissions

Description: Capability check to view other badges was performed for the
current user instead for the user whose badges are being
viewed
Issue summary: Badges code checks viewotherbadges capability in the wrong
context
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13
and earlier unsupported versions
Versions fixed: 3.0.4, 2.9.6 and 2.8.12
Reported by: Tim Hunt
Issue no.: MDL-53589
CVE identifier: CVE-2016-3732
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53589

==============================================================================
MSA-16-0017: Course idnumber not protected from teacher restore

Description: During the course restore teacher could overwrite idnumber
even without having the capability to change it
Issue summary: Course idnumber not protected from teacher restore
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13
and earlier unsupported versions
Versions fixed: 3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by: Donna Hrynkiw
Issue no.: MDL-51369
CVE identifier: CVE-2016-3733
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51369

==============================================================================
MSA-16-0018: CSRF in script marking forum posts as read

Description: CSRF possible in the URL that marks forum posts as read
Issue summary: Forum markposts.php missing sesskey check
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13
and earlier unsupported versions
Versions fixed: 3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by: Andrew Nicols
Issue no.: MDL-53755
CVE identifier: CVE-2016-3734
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53755

==============================================================================
Comment 1 Adam Mariš 2016-05-13 14:53:11 UTC 
Acknowledgments:

Name: the Moodle project
Comment 3 Andrej Nemec 2016-05-17 10:32:07 UTC 
Created moodle tracking bugs for this issue:

Affects: fedora-all [bug 1336729]
Affects: epel-all [bug 1336730]
Comment 4 Andrej Nemec 2016-05-17 10:32:39 UTC 
Public via:

http://seclists.org/oss-sec/2016/q2/352
Comment 5 Product Security DevOps Team 2019-06-08 02:51:52 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.