CVE-2015-3177 - Moodle 2.8.x before 2.8.6 does not consider the tool/monitor:subscribe capability before entering su

CVE-2015-3177

Summary

Moodle 2.8.x before 2.8.6 does not consider the tool/monitor:subscribe capability before entering subscriptions to site-wide event-monitor rules, which allows remote authenticated users to obtain sensitive information via a subscription request.

References

Vulnerable Configurations

cpe:2.3:a:moodle:moodle:2.8.0:*:*:*:*:*:*:*
cpe:2.3:a:moodle:moodle:2.8.0:*:*:*:*:*:*:*
cpe:2.3:a:moodle:moodle:2.8.1:*:*:*:*:*:*:*
cpe:2.3:a:moodle:moodle:2.8.1:*:*:*:*:*:*:*
cpe:2.3:a:moodle:moodle:2.8.2:*:*:*:*:*:*:*
cpe:2.3:a:moodle:moodle:2.8.2:*:*:*:*:*:*:*
cpe:2.3:a:moodle:moodle:2.8.3:*:*:*:*:*:*:*
cpe:2.3:a:moodle:moodle:2.8.3:*:*:*:*:*:*:*
cpe:2.3:a:moodle:moodle:2.8.4:*:*:*:*:*:*:*
cpe:2.3:a:moodle:moodle:2.8.4:*:*:*:*:*:*:*
cpe:2.3:a:moodle:moodle:2.8.5:*:*:*:*:*:*:*
cpe:2.3:a:moodle:moodle:2.8.5:*:*:*:*:*:*:*

CVSS

Base:	3.5 (as of 01-12-2020 - 14:52)
Impact:
Exploitability:

CWE

CWE-17

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	SINGLE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:N/AC:M/Au:S/C:P/I:N/A:N

refmap via4

bid	74721
confirm	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50039 https://moodle.org/mod/forum/discuss.php?d=313684
mlist	[oss-security] 20150518 Moodle security advisories [vs]
sectrack	1032358

Last major update

01-12-2020 - 14:52

Published

01-06-2015 - 19:59

Last modified

01-12-2020 - 14:52