Bug 621938 (CVE-2017-7489, CVE-2017-7490, CVE-2017-7491) - <www-apps/moodle-{3.1.6,3.2.3}: multiple vulnerabilities (CVE-2017-{7489,7490,7491})
Summary: <www-apps/moodle-{3.1.6,3.2.3}: multiple vulnerabilities (CVE-2017-{7489,7490...
Status: RESOLVED FIXED
Alias: CVE-2017-7489, CVE-2017-7490, CVE-2017-7491
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~3 [noglsa]
Reported: 2017-06-16 19:17 UTC by Volkan
Modified: 2017-07-11 01:35 UTC

Description Volkan 2017-06-16 19:17:05 UTC
Multiple security issues were fixed in the latest moodle release.

MSA-17-0010 External blog editing takeover
MSA-17-0011 Searching of blogs possible without capability to do it
MSA-17-0012 CSRF in number of courses displayed in the course overview block
MSA-17-0013 Missing permission check when adding forum post attachments in Web Services

References:

https://moodle.org/mod/forum/discuss.php?d=351987
https://docs.moodle.org/dev/Moodle_3.2.3_release_notes

MSA-17-0010 = CVE-2017-7489
MSA-17-0011 = CVE-2017-7490
MSA-17-0012 = CVE-2017-7491
MSA-17-0013 = not known.
Comment 1 Anthony Basile gentoo-dev 2017-06-18 00:10:18 UTC
The vulnerable versions are off the tree.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2017-07-11 01:35:01 UTC
CVE-2017-7491 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7491):
  In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers to
  change the "number of courses displayed in the course overview block"
  configuration setting.

CVE-2017-7490 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7490):
  In Moodle 2.x and 3.x, searching of arbitrary blogs is possible because a
  capability check is missing.

CVE-2017-7489 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7489):
  In Moodle 2.x and 3.x, remote authenticated users can take ownership of
  arbitrary blogs by editing an external blog link.