PT-2013-1880 · Moodle · Moodle

Thijs Kinkhorst · Published 2013-09-16 · Updated 2020-12-01 · CVE-2012-6087

CVSS v2.0: 5.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Moodle versions 2.2.11 and earlier
Moodle versions 2.3.x before 2.3.9
Moodle versions 2.4.x before 2.4.6
Moodle versions 2.5.x before 2.5.2
Description

The Amazon S3 library bundled with Moodle does not verify that the server hostname matches the domain name in the X.509 certificate's Common Name (CN) or subjectAltName field. An attacker positioned between Moodle and the S3 endpoint can therefore impersonate the server with any valid certificate issued for a different name, and Moodle accepts the TLS connection. The cause is an incorrect value passed to cURL's CURLOPT_SSL_VERIFYHOST option. Chain validation alone (CURLOPT_SSL_VERIFYPEER) does not close the hole: a certificate can be perfectly valid and still belong to someone other than the host being contacted.
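The weak cURL configuration described above beside its hardened form, with a small audit helper that refuses to send a request until both checks are enforced. This is an added example, not Moodle's code or the S3 library's code; the concrete weak value (1, which legacy libcurl treated as "a name must merely be present") is an assumption about the classic mistake, since the advisory only states that the value was incorrect. The function names are illustrative.

```php
<?php
// Added example (not Moodle's or the S3 library's own code): weak vs hardened
// cURL TLS options, plus an audit helper. CURLOPT_SSL_VERIFYHOST = 1 is assumed
// as the weak value; the advisory only says the value was incorrect.
declare(strict_types=1);

/**
 * Build the cURL option set an S3-style client would use for an HTTPS call.
 * $hardened = false reproduces the weak configuration, true the corrected one.
 */
function s3_curl_options(string $url, bool $hardened): array
{
    return [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // chain must validate against the CA bundle
        // VERIFYHOST: 2 = the certificate's CN/subjectAltName must match the host
        // in $url. The legacy value 1 only required that a name be present, so
        // any valid certificate for any host was accepted (the advisory's MITM).
        CURLOPT_SSL_VERIFYHOST => $hardened ? 2 : 1,
    ];
}

/**
 * Return a list of findings for a cURL option array. An empty list means the
 * TLS settings enforce both chain validation and hostname matching.
 */
function audit_tls_options(array $opts): array
{
    $findings = [];
    if (empty($opts[CURLOPT_SSL_VERIFYPEER])) {
        $findings[] = 'CURLOPT_SSL_VERIFYPEER is disabled: certificate chain not validated';
    }
    $vh = $opts[CURLOPT_SSL_VERIFYHOST] ?? 0;
    if ($vh !== 2) {
        $findings[] = "CURLOPT_SSL_VERIFYHOST is $vh, must be 2: hostname not checked against CN/SAN";
    }
    return $findings;
}

/** Perform the request; returns [ok, body-or-error-message]. */
function s3_get(string $url, bool $hardened): array
{
    $opts = s3_curl_options($url, $hardened);
    if ($problems = audit_tls_options($opts)) {
        return [false, implode('; ', $problems)];   // refuse to run with weak TLS settings
    }
    $ch = curl_init();
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    if ($body === false) {
        // With VERIFYHOST = 2 a name mismatch surfaces here as a verification error
        // rather than as a successful response from the wrong server.
        $err = curl_error($ch);
        curl_close($ch);
        return [false, $err];
    }
    curl_close($ch);
    return [true, $body];
}

// Usage: the weak configuration is rejected by the audit before any request is sent.
[$ok, $msg] = s3_get('https://s3.amazonaws.com/', false);
assert($ok === false);
echo "weak config rejected: $msg\n";
```

The audit is deliberately strict about the literal value 2. Recent libcurl releases treat 1 as equivalent to 2, but that depends on the libcurl PHP happens to be linked against; on the libcurl versions contemporary with the affected Moodle releases, 1 meant the weak check, so code should not rely on that leniency.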
Recommendations

For Moodle versions 2.2.11 and earlier, update to a version later than 2.2.11.
For Moodle versions 2.3.x before 2.3.9, update to version 2.3.9 or later.
For Moodle versions 2.4.x before 2.4.6, update to version 2.4.6 or later.
For Moodle versions 2.5.x before 2.5.2, update to version 2.5.2 or later.

Fix



Weakness Enumeration

Related identifiers

CVE-2012-6087

Affected products

Moodle