Bug 660916 (CVE-2018-10889, CVE-2018-10890, CVE-2018-10891, CVE-2018-1133, CVE-2018-1134, CVE-2018-1135, CVE-2018-1136, CVE-2018-1137) - www-apps/moodle: Multiple vulnerabilities (CVE-2018-{1137,1136,1135,1134,1133,10891,10890,10889})
Status: RESOLVED OBSOLETE
Alias: CVE-2018-10889, CVE-2018-10890, CVE-2018-10891, CVE-2018-1133, CVE-2018-1134, CVE-2018-1135, CVE-2018-1136, CVE-2018-1137
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~3 [ebuild cve]
Duplicates: 680522
Reported: 2018-07-11 15:52 UTC by GLSAMaker/CVETool Bot
Modified: 2020-05-24 21:28 UTC
Description GLSAMaker/CVETool Bot 2018-07-11 15:52:16 UTC
CVE-2018-1137 (https://nvd.nist.gov/vuln/detail/CVE-2018-1137):
  An issue was discovered in Moodle 3.x. By substituting URLs in portfolios,
  users can instantiate any class. This can also be exploited by users who are
  logged in as guests to create a DDoS attack.

CVE-2018-1136 (https://nvd.nist.gov/vuln/detail/CVE-2018-1136):
  An issue was discovered in Moodle 3.x. An authenticated user is allowed to
  add HTML blocks containing scripts to their Dashboard; this is normally not
  a security issue because a personal dashboard is visible to this user only.
  Through this security vulnerability, users can move such a block to other
  pages where they can be viewed by other users.

CVE-2018-1135 (https://nvd.nist.gov/vuln/detail/CVE-2018-1135):
  An issue was discovered in Moodle 3.x. Students who posted on forums and
  exported the posts to portfolios can download any stored Moodle file by
  changing the download URL.

CVE-2018-1134 (https://nvd.nist.gov/vuln/detail/CVE-2018-1134):
  An issue was discovered in Moodle 3.x. Students who submitted assignments
  and exported them to portfolios can download any stored Moodle file by
  changing the download URL.

CVE-2018-1133 (https://nvd.nist.gov/vuln/detail/CVE-2018-1133):
  An issue was discovered in Moodle 3.x. A Teacher creating a Calculated
  question can intentionally cause remote code execution on the server, aka
  eval injection.

CVE-2018-10891 (https://nvd.nist.gov/vuln/detail/CVE-2018-10891):
  A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13. When
  a quiz question bank is imported, it was possible for the question preview
  that is displayed to execute JavaScript that is written into the question
  bank.

CVE-2018-10890 (https://nvd.nist.gov/vuln/detail/CVE-2018-10890):
  A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13. It
  was possible for the core_course_get_categories web service to return hidden
  categories, which should be omitted when fetching course categories.

CVE-2018-10889 (https://nvd.nist.gov/vuln/detail/CVE-2018-10889):
  A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7. No option
  existed to omit logs from data privacy exports, which may contain details of
  other users who interacted with the requester.
Comment 1 Sam James 2020-05-24 21:27:26 UTC
*** Bug 680522 has been marked as a duplicate of this bug. ***