Moodle 2.8.x before 2.8.6 does not consider the tool/monitor:subscribe capability before entering subscriptions to site-wide event-monitor rules, which allows remote authenticated users to obtain sensitive information via a subscription request.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Moodle | Moodle | 2.8.0 (including) | 2.8.0 (including) |
| Moodle | Moodle | 2.8.1 (including) | 2.8.1 (including) |
| Moodle | Moodle | 2.8.2 (including) | 2.8.2 (including) |
| Moodle | Moodle | 2.8.3 (including) | 2.8.3 (including) |
| Moodle | Moodle | 2.8.4 (including) | 2.8.4 (including) |
| Moodle | Moodle | 2.8.5 (including) | 2.8.5 (including) |
| Moodle | Ubuntu | upstream | * |
References
- http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-50039
- http://openwall.com/lists/oss-security/2015/05/18/1
- http://www.securityfocus.com/bid/74721
- http://www.securitytracker.com/id/1032358
- https://moodle.org/mod/forum/discuss.php?d=313684
- http://git.moodle.org/gw?p=moodle.git\u0026a=search\u0026h=HEAD\u0026st=commit\u0026s=MDL-50039
- http://openwall.com/lists/oss-security/2015/05/18/1
- http://www.securityfocus.com/bid/74721
- http://www.securitytracker.com/id/1032358
- https://moodle.org/mod/forum/discuss.php?d=313684