CVSS: 5.0EPSS: 0%CPEs: 12EXPL: 0CVE-2012-3394
https://notcve.org/view.php?id=CVE-2012-3394
auth/ldap/ntlmsso_attempt.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 redirects users from an https LDAP login URL to an http URL, which allows remote attackers to obtain sensitive information by sniffing the network. auth/ldap/ntlmsso_attempt.php en Moodle v2.0.x anteriores a v2.0.10, v2.1.x anteriores a v2.1.7, v2.2.x anteriores a v2.2.4, y v2.3.x anteriores a v2.3.1 redirecciona usuarios desde una dirección URL HTTPS de login LDAP, lo que permite atacantes remotos a obtener información sensible espiando la red. • http://git.moodle.org/gw?p=moodle.git%3Ba=commit%3Bh=9d8d2ee6192e8b7ebb6713bd6215e06f94e2a9f7 http://openwall.com/lists/oss-security/2012/07/17/1 http://secunia.com/advisories/49890 http://www.securityfocus.com/bid/54481 https://exchange.xforce.ibmcloud.com/vulnerabilities/76960 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.0EPSS: 0%CPEs: 22EXPL: 0CVE-2012-3397
https://notcve.org/view.php?id=CVE-2012-3397
lib/modinfolib.php in Moodle 2.0.x before 2.0.10, 2.1.x before 2.1.7, 2.2.x before 2.2.4, and 2.3.x before 2.3.1 does not check for a group-membership requirement when determining whether an activity is unavailable or hidden, which allows remote authenticated users to bypass intended access restrictions by selecting an activity that is configured for a group of other users. lib/modinfolib.php en Moodle v2.0.x anteriores a v2.0.10, v2.1.x anteiores a v2.1.7, v2.2.x anteriores a v2.2.4, y v2.3.x anteriores a v2.3.1 no comprueban los requisitos para un grupo de miembros cuando una actividad no está disponible u oculta, lo que permite a usuarios remotos autenticados evitar las restricciones de acceso especificadas seleccionando una actividad que está configurada para un grupo de otros usuarios. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-33466 http://openwall.com/lists/oss-security/2012/07/17/1 http://secunia.com/advisories/49890 http://www.securityfocus.com/bid/54481 https://exchange.xforce.ibmcloud.com/vulnerabilities/76963 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.0EPSS: 0%CPEs: 5EXPL: 0CVE-2012-3388
https://notcve.org/view.php?id=CVE-2012-3388
The is_enrolled function in lib/accesslib.php in Moodle 2.2.x before 2.2.4 and 2.3.x before 2.3.1 does not properly interact with the caching feature, which might allow remote authenticated users to bypass an intended capability check via unspecified vectors that trigger caching of a user record. La función is_enrolled en lib/accesslib.php en Moodle v2.2.x anteriores a v2.2.4 y v2.3.x anteriores a v2.3.1 no interactúa de forma adecuada con la característica de cacheado, lo qe podría permitir a usuarios remotos autenticados evitar el control de capacidad a través de vectores que provocan un cacheado del registro de usuario. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-33916 http://openwall.com/lists/oss-security/2012/07/17/1 http://secunia.com/advisories/49890 http://www.securityfocus.com/bid/54481 https://exchange.xforce.ibmcloud.com/vulnerabilities/76955 • CWE-264: Permissions, Privileges, and Access Controls •