| Field | Value |
|---|---|
| Summary | www-apps/moodle-{3.1.6,3.2.3}: multiple vulnerabilities (CVE-2017-{7489,7490,7491}) |
| Product | Gentoo Security |
| Reporter | Volkan <vBugZilla> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | blueness, web-apps |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | https://bugzilla.redhat.com/show_bug.cgi?id=1451668 |
| Whiteboard | ~3 [noglsa] |
| Package list | |
| Runtime testing required | --- |
Description
Volkan
2017-06-16 19:17:05 UTC
The vulnerable versions are off the tree.

- CVE-2017-7491 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7491): In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to change the "number of courses displayed in the course overview block" configuration setting.
- CVE-2017-7490 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7490): In Moodle 2.x and 3.x, searching of arbitrary blogs is possible because a capability check is missing.
- CVE-2017-7489 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7489): In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link.
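The three entries above describe three distinct classes of web-application bug: a state-changing request with no anti-CSRF token, an action reachable without an authorization (capability) check, and an object fetched by id with no ownership check. The following is an added illustration of how each class is checked in a Moodle-style page script; it is not Moodle's own code and not the fix shipped in 3.1.6/3.2.3 (the actual code paths are not on this page). It assumes a Moodle checkout (`config.php` one directory up), Moodle's core API (`require_login`, `require_sesskey`, `require_capability`, `has_capability`, `optional_param`/`required_param`, `set_user_preference`, `$DB`), the `post` and `blog_external` tables, and the capability names `moodle/blog:search` and `moodle/blog:manageexternal` from `lib/db/access.php`. The preference name `example_courseoverview_count` and the range 1..100 are hypothetical.

```php
<?php
// Added illustration of the three bug classes listed in this bug report.
// Not Moodle's own code or its patch. Assumes a Moodle install: config.php
// sets up $CFG, $DB, $USER and the core API used below.
require_once(__DIR__ . '/../config.php');

// Every branch is for authenticated users only; an anonymous caller is
// redirected to login before any of the checks below run.
require_login();

$action = required_param('action', PARAM_ALPHA);
$systemcontext = context_system::instance();

switch ($action) {
    case 'setcourses':
        // CVE-2017-7491 class: a user-preference write reachable by a plain
        // GET/POST. A form auto-submitted from another origin would succeed
        // with the victim's session cookie. Hardened form: require Moodle's
        // per-session token (sesskey) before touching state; a forged
        // cross-site request cannot know it and is rejected here.
        require_sesskey();
        $count = required_param('count', PARAM_INT);
        if ($count < 1 || $count > 100) { // assumed bounds, for illustration
            throw new moodle_exception('invalidparameter');
        }
        // Hypothetical preference name standing in for the course overview
        // block's "number of courses" setting.
        set_user_preference('example_courseoverview_count', $count);
        break;

    case 'searchblogs':
        // CVE-2017-7490 class: a site-wide search that any logged-in user
        // could run. Hardened form: the caller must hold the blog search
        // capability in the system context, otherwise Moodle throws
        // required_capability_exception before the query is built.
        require_capability('moodle/blog:search', $systemcontext);
        $search = optional_param('search', '', PARAM_TEXT);
        // Parameterised LIKE: the user input goes in as a bound value, never
        // concatenated into SQL, and LIKE metacharacters are escaped.
        $where  = $DB->sql_like('subject', ':q', false);
        $params = ['q' => '%' . $DB->sql_like_escape($search) . '%'];
        $entries = $DB->get_records_select('post', $where, $params, 'created DESC', 'id, userid, subject', 0, 50);
        foreach ($entries as $entry) {
            echo html_writer::div(s($entry->subject));
        }
        break;

    case 'editexternal':
        // CVE-2017-7489 class: an external-blog record selected only by the
        // id supplied in the request. Without an ownership check, any
        // authenticated user can rewrite another user's external blog link
        // (and so the source of entries imported under that user). Hardened
        // form: load the record, then refuse unless it belongs to the current
        // user or the caller may manage external blogs site-wide.
        require_sesskey();
        $id = required_param('id', PARAM_INT);
        $external = $DB->get_record('blog_external', ['id' => $id], '*', MUST_EXIST);
        if ((int)$external->userid !== (int)$USER->id
                && !has_capability('moodle/blog:manageexternal', $systemcontext)) {
            throw new moodle_exception('nopermissions', 'error', '', 'edit external blog');
        }
        // Update only the fields the form is allowed to change; userid is
        // deliberately left untouched so ownership cannot move via this path.
        $external->url = required_param('url', PARAM_URL);
        $external->timemodified = time();
        $DB->update_record('blog_external', $external);
        break;

    default:
        throw new moodle_exception('invalidparameter');
}
```

The two `require_sesskey()` calls only work if the forms or links that target this script carry the token (for example a hidden `sesskey` field populated from `sesskey()`); the token check is what turns a CSRF-able endpoint into one that a cross-origin page cannot drive. The ownership check in the `editexternal` branch is the one a reviewer should look for whenever a record is loaded by a caller-supplied id: `get_record(..., MUST_EXIST)` proves the row exists, not that the caller may touch it.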