
Bug 660916 (CVE-2018-10889, CVE-2018-10890, CVE-2018-10891, CVE-2018-1133, CVE-2018-1134, CVE-2018-1135, CVE-2018-1136, CVE-2018-1137)

Summary: www-apps/moodle: Multiple vulnerabilities (CVE-2018-{1137,1136,1135,1134,1133,10891,10890,10889})
Product: Gentoo Security
Component: Vulnerabilities
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Assignee: Gentoo Security <security>
CC: blueness, gen2xmach1ne, web-apps
Status: RESOLVED OBSOLETE
Severity: trivial
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~3 [ebuild cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2018-07-11 15:52:16 UTC
CVE-2018-1137 (https://nvd.nist.gov/vuln/detail/CVE-2018-1137):
  An issue was discovered in Moodle 3.x. By substituting URLs in portfolios,
  users can instantiate any class. This can also be exploited by users who are
  logged in as guests to create a DDoS attack.

CVE-2018-1136 (https://nvd.nist.gov/vuln/detail/CVE-2018-1136):
  An issue was discovered in Moodle 3.x. An authenticated user is allowed to
  add HTML blocks containing scripts to their Dashboard; this is normally not
  a security issue because a personal dashboard is visible to this user only.
  Through this security vulnerability, users can move such a block to other
  pages where they can be viewed by other users.

CVE-2018-1135 (https://nvd.nist.gov/vuln/detail/CVE-2018-1135):
  An issue was discovered in Moodle 3.x. Students who posted on forums and
  exported the posts to portfolios can download any stored Moodle file by
  changing the download URL.

CVE-2018-1134 (https://nvd.nist.gov/vuln/detail/CVE-2018-1134):
  An issue was discovered in Moodle 3.x. Students who submitted assignments
  and exported them to portfolios can download any stored Moodle file by
  changing the download URL.

CVE-2018-1133 (https://nvd.nist.gov/vuln/detail/CVE-2018-1133):
  An issue was discovered in Moodle 3.x. A Teacher creating a Calculated
  question can intentionally cause remote code execution on the server, aka
  eval injection.

CVE-2018-10891 (https://nvd.nist.gov/vuln/detail/CVE-2018-10891):
  A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13. When
  a quiz question bank is imported, it was possible for the question preview
  that is displayed to execute JavaScript that is written into the question
  bank.

CVE-2018-10890 (https://nvd.nist.gov/vuln/detail/CVE-2018-10890):
  A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7, 3.1.13. It
  was possible for the core_course_get_categories web service to return hidden
  categories, which should be omitted when fetching course categories.

CVE-2018-10889 (https://nvd.nist.gov/vuln/detail/CVE-2018-10889):
  A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7. No option
  existed to omit logs from data privacy exports, which may contain details of
  other users who interacted with the requester.

Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-24 21:27:26 UTC
*** Bug 680522 has been marked as a duplicate of this bug. ***