Vigil@nce - Moodle: multiple vulnerabilities
May 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can exploit several vulnerabilities in Moodle.
Impacted products: Fedora.
Severity: 2/4.
Creation date: 31/03/2016.
DESCRIPTION OF THE VULNERABILITY
Several vulnerabilities were announced in Moodle.
An attacker can bypass security features in Participants List, in order to obtain sensitive information. [severity:2/4; CVE-2016-2151]
An attacker can trigger a Cross Site Scripting in Profile Fields, in order to run JavaScript code in the context of the web site. [severity:2/4; CVE-2016-2152]
An attacker can trigger a Cross Site Scripting in Mod_data Advanced Search, in order to run JavaScript code in the context of the web site. [severity:2/4; CVE-2016-2153]
An attacker can bypass security features in Event Monitor, in order to obtain sensitive information. [severity:2/4; CVE-2016-2154]
An attacker can bypass security features in Single View, in order to escalate his privileges. [severity:2/4; CVE-2016-2155]
An attacker can bypass security features in get_calendar_events, in order to obtain sensitive information. [severity:2/4; CVE-2016-2156]
An attacker can trigger a Cross Site Request Forgery in Assignment Plugin, in order to force the victim to perform operations. [severity:2/4; CVE-2016-2157]
An attacker can bypass security features in Category, in order to obtain sensitive information. [severity:2/4; CVE-2016-2158]
An attacker can bypass security features in _blank Target, in order to escalate his privileges. [severity:2/4; CVE-2016-2190]
An attacker can bypass security features in mod_assign_save_submission, in order to escalate his privileges. [severity:2/4; CVE-2016-2159]
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Moodle-multiple-vulnerabilities-19270