Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS.
Information

Name: CVE-2010-2231
Vendor: Cve
First vendor Publication: 2010-06-28
Last vendor Modification: 2020-12-01

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact Sub Score: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Base Score: 6.8
CVSS Impact Score: 6.4
CVSS Exploit Score: 8.6
Attack Range: Network
Attack Complexity: Medium
Authentication: None Required

Detail

Cross-site request forgery (CSRF) vulnerability in report/overview/report.php in the quiz module in Moodle before 1.8.13 and 1.9.x before 1.9.9 allows remote attackers to hijack the authentication of arbitrary users for requests that delete quiz attempts via the attemptid parameter.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2231

CWE : Common Weakness Enumeration

%      Id       Name
100 %  CWE-352  Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)

OVAL Definitions

Oval ID: oval:org.mitre.oval:def:11823
Title: DSA-2115-2 moodle -- several
Description: DSA-2115-1 introduced a regression because it lacked a dependency on the wwwconfig-common package, leading to installation problems. This update addresses this issue. For reference, the text of the original advisory is provided below. Several remote vulnerabilities have been discovered in Moodle, a course management system. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-1613 Moodle does not enable the "Regenerate session id during login" setting by default, which makes it easier for remote attackers to conduct session fixation attacks. CVE-2010-1614 Multiple cross-site scripting vulnerabilities allow remote attackers to inject arbitrary web script or HTML via vectors related to the Login-As feature or when the global search feature is enabled, unspecified global search forms in the Global Search Engine. CVE-2010-1615 Multiple SQL injection vulnerabilities allow remote attackers to execute arbitrary SQL commands via vectors related to the add_to_log function in mod/wiki/view.php in the wiki module, or "data validation in some forms elements" related to lib/form/selectgroups.php. CVE-2010-1616 Moodle can create new roles when restoring a course, which allows teachers to create new accounts even if they do not have the moodle/user:create capability. CVE-2010-1617 user/view.php does not properly check a role, which allows remote authenticated users to obtain the full names of other users via the course profile page. CVE-2010-1618 A Cross-site scripting vulnerability in the phpCAS client library allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled in an error message. CVE-2010-1619 A Cross-site scripting vulnerability in the fix_non_standard_entities function in the KSES HTML text cleaning library allows remote attackers to inject arbitrary web script or HTML via crafted HTML entities. CVE-2010-2228 A Cross-site scripting vulnerability in the MNET access-control interface allows remote attackers to inject arbitrary web script or HTML via vectors involving extended characters in a username. CVE-2010-2229 Multiple cross-site scripting vulnerabilities in blog/index.php allow remote attackers to inject arbitrary web script or HTML via unspecified parameters. CVE-2010-2230 The KSES text cleaning filter in lib/weblib.php does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting attacks via HTML input. CVE-2010-2231 A Cross-site request forgery vulnerability in report/overview/report.php in the quiz module allows remote attackers to hijack the authentication of arbitrary users for requests that delete quiz attempts via the attemptid parameter. This security update switches to a new upstream version and requires database updates. For the stable distribution, these problems have been fixed in version 1.8.13-2. For the unstable distribution, these problems have been fixed in version 1.9.9.dfsg2-1. We recommend that you upgrade your moodle package.
Family: unix
Class: patch
Reference(s): DSA-2115-2
CVE-2010-1613
CVE-2010-1614
CVE-2010-1615
CVE-2010-1616
CVE-2010-1617
CVE-2010-1618
CVE-2010-1619
CVE-2010-2228
CVE-2010-2229
CVE-2010-2230
CVE-2010-2231
Version: 5
Platform(s): Debian GNU/Linux 5.0
Product(s): moodle
Oval ID: oval:org.mitre.oval:def:12759
Title: DSA-2115-1 moodle -- several
Description: Several remote vulnerabilities have been discovered in Moodle, a course management system. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-1613 Moodle does not enable the "Regenerate session id during login" setting by default, which makes it easier for remote attackers to conduct session fixation attacks. CVE-2010-1614 Multiple cross-site scripting vulnerabilities allow remote attackers to inject arbitrary web script or HTML via vectors related to the Login-As feature or when the global search feature is enabled, unspecified global search forms in the Global Search Engine. CVE-2010-1615 Multiple SQL injection vulnerabilities allow remote attackers to execute arbitrary SQL commands via vectors related to the add_to_log function in mod/wiki/view.php in the wiki module, or "data validation in some forms elements" related to lib/form/selectgroups.php. CVE-2010-1616 Moodle can create new roles when restoring a course, which allows teachers to create new accounts even if they do not have the moodle/user:create capability. CVE-2010-1617 user/view.php does not properly check a role, which allows remote authenticated users to obtain the full names of other users via the course profile page. CVE-2010-1618 A Cross-site scripting vulnerability in the phpCAS client library allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled in an error message. CVE-2010-1619 A Cross-site scripting vulnerability in the fix_non_standard_entities function in the KSES HTML text cleaning library allows remote attackers to inject arbitrary web script or HTML via crafted HTML entities. CVE-2010-2228 A Cross-site scripting vulnerability in the MNET access-control interface allows remote attackers to inject arbitrary web script or HTML via vectors involving extended characters in a username. CVE-2010-2229 Multiple cross-site scripting vulnerabilities in blog/index.php allow remote attackers to inject arbitrary web script or HTML via unspecified parameters. CVE-2010-2230 The KSES text cleaning filter in lib/weblib.php does not properly handle vbscript URIs, which allows remote authenticated users to conduct cross-site scripting attacks via HTML input. CVE-2010-2231 A Cross-site request forgery vulnerability in report/overview/report.php in the quiz module allows remote attackers to hijack the authentication of arbitrary users for requests that delete quiz attempts via the attemptid parameter. This security update switches to a new upstream version and requires database updates. For the stable distribution, these problems have been fixed in version 1.8.13-1. For the unstable distribution, these problems have been fixed in version 1.9.9.dfsg2-1. We recommend that you upgrade your moodle package.
Family: unix
Class: patch
Reference(s): DSA-2115-1
CVE-2010-1613
CVE-2010-1614
CVE-2010-1615
CVE-2010-1616
CVE-2010-1617
CVE-2010-1618
CVE-2010-1619
CVE-2010-2228
CVE-2010-2229
CVE-2010-2230
CVE-2010-2231
Version: 5
Platform(s): Debian GNU/Linux 5.0
Product(s): moodle

CPE : Common Platform Enumeration

Type         Count
Application  57

OpenVAS Exploits

Date Description
2010-07-12 Name : Moodle Cross Site Scripting and Cross Site Request Forgery Vulnerabilities
File : nvt/gb_moodle_xss_n_csrf_vuln.nasl
2010-06-25 Name : Fedora Update for moodle FEDORA-2010-10286
File : nvt/gb_fedora_2010_10286_moodle_fc12.nasl
2010-06-25 Name : Fedora Update for moodle FEDORA-2010-10291
File : nvt/gb_fedora_2010_10291_moodle_fc13.nasl
2010-06-25 Name : Fedora Update for moodle FEDORA-2010-10321
File : nvt/gb_fedora_2010_10321_moodle_fc11.nasl
2010-06-21 Name : Moodle Multiple Vulnerabilities
File : nvt/gb_moodle_40944.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
65637 Moodle report/overview/report.php attemptid Parameter Quiz Report Deletion CSRF

Nessus® Vulnerability Scanner

Date Description
2010-10-06 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2115.nasl - Type : ACT_GATHER_INFO
2010-07-13 Name : The remote openSUSE host is missing a security update.
File : suse_11_0_moodle-100709.nasl - Type : ACT_GATHER_INFO
2010-07-13 Name : The remote openSUSE host is missing a security update.
File : suse_11_1_moodle-100709.nasl - Type : ACT_GATHER_INFO
2010-07-01 Name : The remote Fedora host is missing a security update.
File : fedora_2010-10286.nasl - Type : ACT_GATHER_INFO
2010-07-01 Name : The remote Fedora host is missing a security update.
File : fedora_2010-10291.nasl - Type : ACT_GATHER_INFO
2010-07-01 Name : The remote Fedora host is missing a security update.
File : fedora_2010-10321.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

Source Url
CONFIRM http://cvs.moodle.org/moodle/mod/quiz/report/overview/report.php?r1=1.98.2.50...
http://docs.moodle.org/en/Moodle_1.8.13_release_notes
http://docs.moodle.org/en/Moodle_1.9.9_release_notes
http://moodle.org/mod/forum/discuss.php?d=152369
http://tracker.moodle.org/browse/MDL-21688
https://bugzilla.redhat.com/show_bug.cgi?id=605809
FEDORA http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043285.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043291.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043340.html
MLIST http://www.openwall.com/lists/oss-security/2010/06/21/2
SECUNIA http://secunia.com/advisories/40248
http://secunia.com/advisories/40352
SUSE http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
VUPEN http://www.vupen.com/english/advisories/2010/1530
http://www.vupen.com/english/advisories/2010/1571

Alert History

Date Information
2024-02-02 01:13:28
  • Multiple Updates
2024-02-01 12:03:41
  • Multiple Updates
2023-09-05 12:12:32
  • Multiple Updates
2023-09-05 01:03:32
  • Multiple Updates
2023-09-02 12:12:35
  • Multiple Updates
2023-09-02 01:03:34
  • Multiple Updates
2023-08-12 12:14:57
  • Multiple Updates
2023-08-12 01:03:34
  • Multiple Updates
2023-08-11 12:12:39
  • Multiple Updates
2023-08-11 01:03:42
  • Multiple Updates
2023-08-06 12:12:10
  • Multiple Updates
2023-08-06 01:03:36
  • Multiple Updates
2023-08-04 12:12:15
  • Multiple Updates
2023-08-04 01:03:37
  • Multiple Updates
2023-07-14 12:12:11
  • Multiple Updates
2023-07-14 01:03:35
  • Multiple Updates
2023-03-29 01:13:58
  • Multiple Updates
2023-03-28 12:03:41
  • Multiple Updates
2022-10-11 12:10:53
  • Multiple Updates
2022-10-11 01:03:22
  • Multiple Updates
2021-05-05 01:07:06
  • Multiple Updates
2021-05-04 12:11:45
  • Multiple Updates
2021-04-22 01:12:17
  • Multiple Updates
2020-12-02 09:22:50
  • Multiple Updates
2020-12-01 17:22:46
  • Multiple Updates
2020-05-23 01:42:13
  • Multiple Updates
2020-05-23 00:25:57
  • Multiple Updates
2019-03-28 12:01:07
  • Multiple Updates
2016-04-26 19:53:02
  • Multiple Updates
2014-02-17 10:55:57
  • Multiple Updates
2013-05-10 23:26:59
  • Multiple Updates