Bugzilla – Bug 980317
VUL-0: CVE-2016-3729 CVE-2016-3731 CVE-2016-3732 CVE-2016-3733 CVE-2016-3734: moodle: Multiple vulnerabilities fixed in 3.0.4, 2.9.6, 2.8.12 and 2.7.14
Last modified: 2017-10-18 08:01:08 UTC
NON_Public:infrastructure/moodle rh#1335933

Multiple vulnerabilities were fixed in moodle 3.0.4, 2.9.6, 2.8.12 and 2.7.14 releases.

==============================================================================
MSA-16-0013: Users are able to change profile fields that were locked by the administrator

Description: User editing form only disabled the profile fields in UI and did not actually prevent users from editing them
Issue summary: Tricky users can change locked profile fields
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed: 3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by: Vadim Dvorovenko
Issue no.: MDL-53954
CVE identifier: CVE-2016-3729
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53954

==============================================================================
MSA-16-0015: Information disclosure of hidden forum names and sub-names

Description: Name of the inaccessible forum or forum discussion could be disclosed as part of the error message on the subscription page
Issue summary: Information disclosure of hidden forum names and sub-names
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5 and 2.8 to 2.8.11
Versions fixed: 3.0.4, 2.9.6 and 2.8.12
Reported by: Callum
Issue no.: MDL-53696
CVE identifier: CVE-2016-3731
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53696

==============================================================================
MSA-16-0016: User can view badges of other users without proper permissions

Description: Capability check to view other badges was performed for the current user instead of for the user whose badges are being viewed
Issue summary: Badges code checks viewotherbadges capability in the wrong context
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed: 3.0.4, 2.9.6 and 2.8.12
Reported by: Tim Hunt
Issue no.: MDL-53589
CVE identifier: CVE-2016-3732
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53589

==============================================================================
MSA-16-0017: Course idnumber not protected from teacher restore

Description: During the course restore a teacher could overwrite idnumber even without having the capability to change it
Issue summary: Course idnumber not protected from teacher restore
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed: 3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by: Donna Hrynkiw
Issue no.: MDL-51369
CVE identifier: CVE-2016-3733
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51369

==============================================================================
MSA-16-0018: CSRF in script marking forum posts as read

Description: CSRF possible in the URL that marks forum posts as read
Issue summary: Forum markposts.php missing sesskey check
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed: 3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by: Andrew Nicols
Issue no.: MDL-53755
CVE identifier: CVE-2016-3734
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53755

==============================================================================
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1335933
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3733
http://seclists.org/oss-sec/2016/q2/352
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51369
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53696
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53954
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53755
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53589
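Two of the advisories above (MSA-16-0013 and MSA-16-0018) are the same class of mistake: a control that exists only in what the browser renders (a disabled form field, a link with no token) and is never re-checked when the request arrives. The following is an added example, not Moodle code and not taken from the advisory: a minimal profile-edit handler in its vulnerable and hardened forms, in plain Python rather than Moodle's PHP. The locked-field list, the session key and the sample profile are constructed for the example; the function names are hypothetical.

```python
"""Added example (not Moodle code): the two server-side defects described in
MSA-16-0013 (locked profile fields enforced only in the UI) and MSA-16-0018
(state-changing request without a sesskey/CSRF check), shown as a minimal
profile-edit handler in vulnerable and hardened forms. All names, the session
key and the sample profile are constructed for the example."""
import hmac

# Constructed admin policy: profile fields the administrator has locked.
LOCKED_FIELDS = frozenset({"idnumber", "department"})

# Constructed per-session CSRF token (Moodle calls it sesskey).
SESSION_SESSKEY = "3Ff2uK9xQbLmT7pA"

# Constructed stored profile of the user editing their own account.
STORED_PROFILE = {"firstname": "Ann", "idnumber": "S-1001", "department": "Physics"}


class Forbidden(Exception):
    """Raised when a request fails the sesskey check."""


def render_form(profile, locked=LOCKED_FIELDS):
    """What the browser receives: locked fields are marked disabled.
    The vulnerable handler has no protection beyond this attribute."""
    return {name: {"value": value, "disabled": name in locked}
            for name, value in profile.items()}


def vulnerable_update(profile, submitted):
    """Trusts the POST body. Removing the 'disabled' attribute in devtools,
    or posting directly, overwrites a locked field; with no token check a
    cross-site form can submit on the victim's behalf as well."""
    updated = dict(profile)
    updated.update(submitted)
    return updated


def hardened_update(profile, submitted, posted_sesskey, locked=LOCKED_FIELDS,
                    session_sesskey=SESSION_SESSKEY):
    """Re-applies server-side policy on every request:
      1. reject the request unless it carries the session's sesskey
         (constant-time compare so the token cannot be guessed byte by byte);
      2. drop locked fields from the submission, whatever the UI showed,
         so the stored value stays the server's.
    Returns (new_profile, rejected_field_names)."""
    if not posted_sesskey or not hmac.compare_digest(posted_sesskey, session_sesskey):
        raise Forbidden("missing or invalid sesskey")
    rejected = sorted(name for name in submitted if name in locked)
    updated = dict(profile)
    updated.update({k: v for k, v in submitted.items() if k not in locked})
    return updated, rejected


def demo():
    """Replays the attack: the client re-enables 'idnumber' and posts it."""
    tampered = {"firstname": "Ann", "idnumber": "S-9999"}
    weak = vulnerable_update(STORED_PROFILE, tampered)
    strong, rejected = hardened_update(STORED_PROFILE, tampered, SESSION_SESSKEY)
    try:
        hardened_update(STORED_PROFILE, tampered, "forged-token")
        csrf_blocked = False
    except Forbidden:
        csrf_blocked = True
    return {"weak_idnumber": weak["idnumber"],
            "strong_idnumber": strong["idnumber"],
            "rejected": rejected,
            "csrf_blocked": csrf_blocked}


if __name__ == "__main__":
    print(demo())
```

The hardened handler silently drops the locked fields rather than failing the whole request, which is the behaviour a form that was rendered with those fields disabled should have; whether to log the rejected names as a tampering signal is a site decision.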
bugbot adjusting priority
Updated moodle3_1 to 3.1.8. Updated moodle3_2 to 3.2.5. Updated moodle3_3 to 3.3.2. => closing as fixed.
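The comment above records the package updates; for a Moodle tree deployed outside a package, the equivalent check is the `$release` string in the tree's `version.php` against the fixed releases listed in the advisory (3.0.4, 2.9.6, 2.8.12, 2.7.14). The script below is an added example, not Moodle's own tooling; the `version.php` snippets it tests against are constructed, and the `check_tree` / `assess` names are hypothetical.

```python
"""Added example (not Moodle's tooling): parse $release from a Moodle tree's
version.php and report whether that branch is at or past the release that
carries the MSA-16-0013..0018 fixes. Sample version.php contents are constructed."""
import re
import sys

# Fixed releases per branch, as listed in the advisory.
FIXED = {(3, 0): (3, 0, 4), (2, 9): (2, 9, 6), (2, 8): (2, 8, 12), (2, 7): (2, 7, 14)}

# Moodle writes e.g.  $release  = '3.0.3 (Build: 20160314)';  (no patch
# number for the first release of a branch, a trailing '+' for weekly builds).
RELEASE_RE = re.compile(r"""^\s*\$release\s*=\s*['"]([^'"]+)['"]""", re.M)


def parse_release(version_php_text):
    """Returns (major, minor, patch) from $release, or None if it is absent.
    '3.0 (Build: ...)' -> (3, 0, 0); '2.8.12+ (Build: ...)' -> (2, 8, 12)."""
    m = RELEASE_RE.search(version_php_text)
    if not m:
        return None
    nums = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", m.group(1))
    if not nums:
        return None
    major, minor, patch = nums.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(release):
    """'fixed' or 'affected' for a branch named in the advisory, 'unsupported'
    for branches older than 2.7 (no fix was issued), 'newer' for branches the
    advisory predates, 'unknown' if no $release was found."""
    if release is None:
        return "unknown"
    branch = release[:2]
    if branch in FIXED:
        return "fixed" if release >= FIXED[branch] else "affected"
    if branch < (2, 7):
        return "unsupported"
    return "newer"


def check_tree(version_php_text):
    """Convenience wrapper: (parsed release, assessment)."""
    release = parse_release(version_php_text)
    return release, assess(release)


# Constructed version.php fragments for a stand-alone run.
SAMPLE_AFFECTED = "<?php\n$version  = 2015111603.00;\n$release  = '3.0.3 (Build: 20160314)';\n"
SAMPLE_FIXED = "<?php\n$release  = '2.8.12+ (Build: 20160520)';\n"

if __name__ == "__main__":
    # Usage: python check_moodle.py /path/to/moodle/version.php
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AFFECTED
    print(check_tree(text))
```

A weekly build such as `2.8.12+` is counted as the 2.8.12 release or later, which is the right call for these fixes since they landed in the release itself; the script deliberately does not try to read the numeric `$version` stamp, because the human-readable `$release` is what the advisory's version ranges refer to.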