PT-2016-1304 · Moodle · Moodle

Ankit Agarwal

Publicado

2015-12-05

Atualizado

2022-05-13

CVE-2015-5338

CVSS v3.1

8.8

Alta

Vetor

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Moodle versions prior to 2.6.11 Moodle versions 2.7.x before 2.7.11 Moodle versions 2.8.x before 2.8.9 Moodle versions 2.9.x before 2.9.3

Description The issue is related to multiple cross-site request forgery (CSRF) vulnerabilities in the lesson module of Moodle. These vulnerabilities can be exploited by a remote attacker to gain access to the authentication data of arbitrary users. The exploitation involves requests to specific API endpoints, such as "mod/lesson/mediafile.php" or "mod/lesson/view.php".

Recommendations For versions prior to 2.6.11, update to version 2.6.11 or later. For versions 2.7.x before 2.7.11, update to version 2.7.11 or later. For versions 2.8.x before 2.8.9, update to version 2.8.9 or later. For versions 2.9.x before 2.9.3, update to version 2.9.3 or later. As a temporary workaround, consider restricting access to the "mod/lesson/mediafile.php" and "mod/lesson/view.php" API endpoints until a patch is applied.

Correção

CSRF

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-352

Identificadores relacionados

BDU:2016-00601

CVE-2015-5338

GHSA-V33X-Q8GH-4X42

MGASA-2015-0464

Produtos afetados

Moodle

PT-2016-1304 · Moodle · Moodle

CVE-2015-5338

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 28