CVE-2011-4590

The web services implementation in Moodle 2.0.x before 2.0.6 and 2.1.x before 2.1.3 does not properly consider the maintenance-mode state and account attributes during login attempts, which allows remote authenticated users to bypass intended access restrictions by connecting to a webservice server.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name	Vendor	Start Version	End Version
Moodle	Moodle	2.0.0	2.0.0
Moodle	Moodle	2.0.1	2.0.1
Moodle	Moodle	2.0.2	2.0.2
Moodle	Moodle	2.0.3	2.0.3
Moodle	Moodle	2.0.4	2.0.4
Moodle	Moodle	2.0.5	2.0.5
Moodle	Ubuntu	hardy	*
Moodle	Ubuntu	lucid	*
Moodle	Ubuntu	maverick	*
Moodle	Ubuntu	natty	*
Moodle	Ubuntu	oneiric	*

Potential Mitigations

https://cwe.mitre.org/data/definitions/114.html
https://cwe.mitre.org/data/definitions/115.html
https://cwe.mitre.org/data/definitions/151.html
https://cwe.mitre.org/data/definitions/194.html
https://cwe.mitre.org/data/definitions/22.html
https://cwe.mitre.org/data/definitions/57.html
https://cwe.mitre.org/data/definitions/593.html
https://cwe.mitre.org/data/definitions/633.html
https://cwe.mitre.org/data/definitions/650.html
https://cwe.mitre.org/data/definitions/94.html

References

http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-28629
http://moodle.org/mod/forum/discuss.php?d=191759
https://bugzilla.redhat.com/show_bug.cgi?id=761248

NVD	https://nvd.nist.gov/vuln/detail/CVE-2011-4590
CWE	https://cwe.mitre.org/data/definitions/287.html

Improper Authentication

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References