Vulnerability category: CGI
Severity:
Vulnerability information
Moodle (Modular Object-Oriented Dynamic Learning Environment) is a free e-learning software platform, also known as a Learning Management System (LMS) or Virtual Learning Environment (VLE).
The following vulnerabilities have been confirmed in Moodle:
CVE-2017-2641: A proof of concept was presented of SQL injection by an ordinary registered user on Moodle 3.2 via the web interface. A similar scenario could be used in earlier versions of Moodle, but only by managers/admins and only via web services.
CVE-2017-2643: Global search does not respect the "Force login for profiles" setting and displays user names to guests when it should not (the user profiles themselves were still not displayed).
CVE-2017-2644: A registered user could submit evidence of prior learning containing XSS that is executed for another user who tries to edit the same evidence.
CVE-2017-2645: Files attached to evidence of prior learning were served without forcing a download; when viewed by other users they were opened inline in the viewer's current Moodle session.
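As an added illustration, not Moodle's own code and not the fix shipped for these advisories, the following stand-alone PHP snippet shows the two defensive behaviours that CVE-2017-2644 and CVE-2017-2645 describe as missing: escaping a user-supplied description before it is placed back into another user's edit form, and serving a user-uploaded attachment as a forced download with a fixed content type so the browser does not render it inside the viewer's session. The function names, the `$evidence` array and the file path are assumptions made for the example.

```php
<?php
// Added example, not Moodle code. It demonstrates the two mitigations that the
// advisory text implies for CVE-2017-2644 (stored XSS in evidence of prior
// learning) and CVE-2017-2645 (attachments served inline in the viewer's session).

// --- CVE-2017-2644: rendering another user's evidence into an edit form ---

// Weak rendering (the pattern the advisory describes): the raw description is
// echoed into the <textarea>, so a payload such as
// </textarea><script>...</script> submitted by one user runs in the browser of
// the second user who opens the edit page.
function render_edit_form_weak(array $evidence): string {
    return '<textarea name="description">' . $evidence['description'] . '</textarea>';
}

// Hardened rendering: htmlspecialchars() with ENT_QUOTES turns <, >, &, " and '
// into entities, so the submitted text is displayed inside the textarea and
// never parsed as markup.
function render_edit_form(array $evidence): string {
    $safe = htmlspecialchars($evidence['description'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<textarea name="description">' . $safe . '</textarea>';
}

// --- CVE-2017-2645: serving an attachment without rendering it ---

// Hardened download: a generic content type, a forced download disposition,
// X-Content-Type-Options: nosniff and a sanitised file name, so neither the
// stored MIME type, the browser's content sniffing nor the name chosen by the
// uploader can cause the file to be interpreted as HTML in the current session.
function send_attachment(string $path, string $filename): void {
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    // Keep only a conservative character set in the download name so the
    // Content-Disposition header cannot be broken out of.
    $safe_name = preg_replace('/[^A-Za-z0-9._-]/', '_', $filename);
    if ($safe_name === '' || $safe_name === '.' || $safe_name === '..') {
        $safe_name = 'download';
    }

    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safe_name . '"');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Constructed sample input: a description that tries to break out of the
// textarea. The hardened renderer entity-encodes it; the weak one does not.
$evidence = ['description' => '</textarea><script>alert(document.cookie)</script>'];
echo render_edit_form($evidence), PHP_EOL;
```

The attachment example assumes the file has already been fetched from trusted storage by an internal identifier; the user-controlled part is only the display name, which is why it is the value being sanitised.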
Affected versions:
Moodle 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and earlier unsupported versions.
Impact
Depending on the vulnerability exploited, a remote attacker could conduct SQL injection or cross-site scripting attacks against a targeted server, or, as an unauthenticated guest, obtain user names that the "Force login for profiles" setting should hide.
Solution
Customers are advised to upgrade to the latest version of the software available, i.e. the first release outside the affected ranges listed above (3.2.2, 3.1.5, 3.0.9 or 2.7.19) or later. The latest version can be downloaded from here.
Patch:
The following are links for downloading the patches that fix these vulnerabilities: