CVE-2014-3546

Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce certain capability requirements in (1) notes/index.php and (2) user/edit.php, which allows remote attackers to obtain potentially sensitive username and course information via a modified URL.

Published Bysecalert@redhat.com

Published DateJul 29, 2014, 11:10

Affected Versions(4)

moodle/moodle(Packagist)

Introduced0

Fixed2.4.11

LimitN/A

moodle/moodle(Packagist)

Introduced2.5.0

Fixed2.5.7

LimitN/A

moodle/moodle(Packagist)

Introduced2.6.0

Fixed2.6.4

LimitN/A

moodle/moodle(Packagist)

Introduced2.7.0

Fixed2.7.1

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
moodle/moodle(Packagist)	0	2.4.11	N/A
moodle/moodle(Packagist)	2.5.0	2.5.7	N/A
moodle/moodle(Packagist)	2.6.0	2.6.4	N/A
moodle/moodle(Packagist)	2.7.0	2.7.1	N/A

Weakness Type (CWE):CWE-264

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE

References

Weakness Type (CWE):CWE-264

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:P/I:N/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

NONE