Bug 1288158 - CVE-2015-5331 CVE-2015-5332 CVE-2015-5335 CVE-2015-5336 CVE-2015-5337 CVE-2015-5338 CVE-2015-5339 CVE-2015-5340 CVE-2015-5341 CVE-2015-5342 moodle: Multiple security issues fixed in 2.7.11, 2.8.9, 2.9.3
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20151109,repor...
Keywords: Security
Depends On: 1288159 1288160
Reported: 2015-12-03 12:17 EST by Adam Mariš
Modified: 2015-12-03 12:21 EST (History)

Fixed In Version: moodle 2.7.11, moodle 2.8.9, moodle 2.9.3
Doc Type: Bug Fix

Description Adam Mariš 2015-12-03 12:17:33 EST
Multiple security issues were fixed in versions 2.7.11, 2.8.9 and 2.9.3 of moodle.

-----
(MSA-15-0037) CVE-2015-5331 Possible to send a message to a user who blocked messages from non contacts:

Insufficient settings check when messaging another user opens a spam possibility. Users who are not in the contact list can still send messages even though this is blocked in preferences.
Versions affected: 2.9 to 2.9.2
Versions fixed: 2.9.3
Reported by: Pavel Sokolov
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50426
-----
(MSA-15-0038) CVE-2015-5332 DDoS possibility in Atto:

If guest access is open on the site, an unauthenticated user can create a DDoS attack through the editor autosave area. Guests can exploit the Atto draft to store content.
Versions affected: 2.9 to 2.9.2 and 2.8 to 2.8.8
Versions fixed: 2.9.3 and 2.8.9
Reported by: Frédéric Massart
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51000
-----
(MSA-15-0039) CVE-2015-5335 CSRF in site registration form:

An attacker can send an admin a link to the site registration form that will display the correct URL but, if submitted, will register with another hub. It is possible to trick a site/admin into sending aggregate stats to an arbitrary domain.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Andrew Davis
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51091
-----
(MSA-15-0040) CVE-2015-5336 Student XSS in survey:

The standard survey module is vulnerable to an XSS attack by students who fill in the survey.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Hugh Davenport
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49940
-----
(MSA-15-0041) CVE-2015-5337 XSS in flash video player:

An XSS vulnerability caused by the Flowplayer flash video player has been addressed.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Andrew Nicols
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48085
-----
(MSA-15-0042) CVE-2015-5338 CSRF in lesson login form:

Password-protected lesson modules are subject to a CSRF vulnerability.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Ankit Agarwal
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48109
-----
(MSA-15-0043) CVE-2015-5339 Web service core_enrol_get_enrolled_users does not respect course group mode:

Through the WS core_enrol_get_enrolled_users it is possible to retrieve a list of course participants who would not be visible when using the web site.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Daniel Palou
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51861
-----
(MSA-15-0044) CVE-2015-5340 Capability to view available badges is not respected:

Logged in users who do not have capability 'View available badges without earning them' can still access the full list of badges. Capability moodle/badges:viewbadges is not respected.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Marina Glancy
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51684
-----
(MSA-15-0045) CVE-2015-5341 SCORM module allows bypassing access restrictions based on date:

Incorrect and missing handling of availability dates in mod_scorm lets users view the SCORM contents, bypassing the date restriction.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Juan Leyva
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50837
-----
(MSA-15-0046) CVE-2015-5342 Choice module closing date can be bypassed:

Users can mock the URL to delete or submit new responses after the choice module was closed.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Juan Leyva
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51569
-----

External reference:

https://moodle.org/mod/forum/discuss.php?d=322852
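As an added example that is not part of the bug report or of Moodle's own code, the following Python helper turns the "Versions affected" lines of the ten MSA entries above into a check of an installed Moodle version, so an administrator can see which of these CVEs still apply before upgrading to 2.7.11, 2.8.9 or 2.9.3. It assumes that "and earlier unsupported versions" means every version below the lowest listed range start is affected too.

```python
import re

# "Versions affected" lines copied from the ten MSA entries in the bug description.
AFFECTED = {
    "CVE-2015-5331": "2.9 to 2.9.2",
    "CVE-2015-5332": "2.9 to 2.9.2 and 2.8 to 2.8.8",
}
WIDE = "2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions"
for cve in ("CVE-2015-5335", "CVE-2015-5336", "CVE-2015-5337", "CVE-2015-5338",
            "CVE-2015-5339", "CVE-2015-5340", "CVE-2015-5341", "CVE-2015-5342"):
    AFFECTED[cve] = WIDE

# Matches each "X to Y" span, e.g. "2.8 to 2.8.8", in an advisory line.
RANGE_RE = re.compile(r"(\d+(?:\.\d+)*)\s+to\s+(\d+(?:\.\d+)*)")


def parse_version(text):
    """'2.9' -> (2, 9, 0): padded to three components so 2.9 and 2.9.0 compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version, affected_line):
    """True if `version` falls inside any listed range of the advisory line.

    Assumption (not stated by the advisory): 'and earlier unsupported versions'
    covers every version older than the lowest listed range start.
    """
    v = parse_version(version)
    ranges = [(parse_version(lo), parse_version(hi))
              for lo, hi in RANGE_RE.findall(affected_line)]
    if any(lo <= v <= hi for lo, hi in ranges):
        return True
    if "earlier unsupported versions" in affected_line:
        return v < min(lo for lo, _ in ranges)
    return False


def affected_cves(version):
    """Sorted CVE ids from this bug that apply to an installed Moodle version."""
    return sorted(cve for cve, line in AFFECTED.items() if is_affected(version, line))


if __name__ == "__main__":
    for ver in ("2.9.2", "2.8.9", "2.7.10", "2.6.4"):
        print(ver, affected_cves(ver))
```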
Comment 1 Adam Mariš 2015-12-03 12:19:30 EST
Created moodle tracking bugs for this issue:

Affects: fedora-all [bug 1288159]
Affects: epel-6 [bug 1288160]
Comment 2 Adam Mariš 2015-12-03 12:21:42 EST
Acknowledgments:

Red Hat would like to thank Moodle project for reporting this issue.
