Number: AV17-036
Date: March 21 2017
Purpose
The purpose of this advisory is to bring attention to multiple Moodle security vulnerabilities.
Assessment
Moodle has released the following support articles:
MSA-17-0005 - SQL injection via user preferences
MSA-17-0007 - Global search displays user names for unauthenticated users
MSA-17-0008 - XSS in evidence of prior learning
MSA-17-0009 - XSS in attachments to evidence of prior learning
Versions Affected: 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions
CVE References: CVE-2017-2641, CVE-2017-2643, CVE-2017-2644, CVE-2017-2645
Suggested Action
CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly.