CVE-2014-0009

EUVD-2014-0113
course/loginas.php in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 does not enforce the moodle/site:accessallgroups capability requirement for outside-group users in a SEPARATEGROUPS configuration, which allows remote authenticated users to perform "login as" actions via a direct request.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:S/C:P/I:P/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 57%
Affected Products (NVD)
VendorProductVersion
moodlemoodle
2.6.0
moodlemoodle
𝑥
≤ 2.2.11
moodlemoodle
2.0.0
moodlemoodle
2.0.1
moodlemoodle
2.0.2
moodlemoodle
2.0.3
moodlemoodle
2.0.4
moodlemoodle
2.0.5
moodlemoodle
2.0.6
moodlemoodle
2.0.7
moodlemoodle
2.0.8
moodlemoodle
2.0.9
moodlemoodle
2.1.0
moodlemoodle
2.1.1
moodlemoodle
2.1.2
moodlemoodle
2.1.3
moodlemoodle
2.1.4
moodlemoodle
2.1.5
moodlemoodle
2.1.6
moodlemoodle
2.1.7
moodlemoodle
2.1.8
moodlemoodle
2.1.9
moodlemoodle
2.1.10
moodlemoodle
2.2.0
moodlemoodle
2.2.1
moodlemoodle
2.2.2
moodlemoodle
2.2.3
moodlemoodle
2.2.4
moodlemoodle
2.2.5
moodlemoodle
2.2.6
moodlemoodle
2.2.7
moodlemoodle
2.2.8
moodlemoodle
2.2.9
moodlemoodle
2.2.10
moodlemoodle
2.3.0
moodlemoodle
2.3.1
moodlemoodle
2.3.2
moodlemoodle
2.3.3
moodlemoodle
2.3.4
moodlemoodle
2.3.5
moodlemoodle
2.3.6
moodlemoodle
2.3.7
moodlemoodle
2.3.8
moodlemoodle
2.3.9
moodlemoodle
2.3.10
moodlemoodle
2.5.0
moodlemoodle
2.5.1
moodlemoodle
2.5.2
moodlemoodle
2.5.3
moodlemoodle
2.4.0
moodlemoodle
2.4.1
moodlemoodle
2.4.2
moodlemoodle
2.4.3
moodlemoodle
2.4.4
moodlemoodle
2.4.5
moodlemoodle
2.4.6
moodlemoodle
2.4.7
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
moodle
lucid
ignored
precise
ignored
quantal
ignored
raring
ignored
saucy
ignored
trusty
dne
utopic
not-affected
vivid
not-affected
wily
not-affected
xenial
not-affected
yakkety
not-affected
zesty
not-affected
Common Weakness Enumeration
References
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-42643
http://lists.fedoraproject.org/pipermail/package-announce/2014-January/127510.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-January/127533.html
http://openwall.com/lists/oss-security/2014/01/20/1
http://www.securitytracker.com/id/1029648
https://moodle.org/mod/forum/discuss.php?d=252415
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-42643
http://lists.fedoraproject.org/pipermail/package-announce/2014-January/127510.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-January/127533.html
http://openwall.com/lists/oss-security/2014/01/20/1
http://www.securitytracker.com/id/1029648
https://moodle.org/mod/forum/discuss.php?d=252415