Web application abuses : Moodle Session Fixation Vulnerability (MDL-17207)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.800767

Category: Web application abuses

Title: Moodle Session Fixation Vulnerability (MDL-17207)

Summary: Moodle is prone to a session fixation vulnerability.

Description: Summary:
Moodle is prone to a session fixation vulnerability.

Vulnerability Insight:
The flaws exist due to:

- failure to enable 'Regenerate session id during login', which can be exploited to conduct
session fixation attacks

- creating new roles when restoring a course, which allows teachers to create new accounts if they
do not have the 'moodle/user:create' capability

Vulnerability Impact:
Successful exploitation will allow remote attackers to conduct
session fixation attacks.

Affected Software/OS:
Moodle version 1.8.12 and prior, version 1.9.x prior to
1.9.8.

Solution:
Update to version 1.9.8 or later.

CVSS Score:
6.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2010-1613
SuSE Security Announcement: SUSE-SR:2010:011 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
http://www.vupen.com/english/advisories/2010/1107
Common Vulnerability Exposure (CVE) ID: CVE-2010-1616
http://tracker.moodle.org/browse/MDL-16658

Copyright Copyright (C) 2010 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.800767
Category:	Web application abuses
Title:	Moodle Session Fixation Vulnerability (MDL-17207)
Summary:	Moodle is prone to a session fixation vulnerability.
Description:	Summary: Moodle is prone to a session fixation vulnerability. Vulnerability Insight: The flaws exist due to: - failure to enable 'Regenerate session id during login', which can be exploited to conduct session fixation attacks - creating new roles when restoring a course, which allows teachers to create new accounts if they do not have the 'moodle/user:create' capability Vulnerability Impact: Successful exploitation will allow remote attackers to conduct session fixation attacks. Affected Software/OS: Moodle version 1.8.12 and prior, version 1.9.x prior to 1.9.8. Solution: Update to version 1.9.8 or later. CVSS Score: 6.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2010-1613 SuSE Security Announcement: SUSE-SR:2010:011 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html http://www.vupen.com/english/advisories/2010/1107 Common Vulnerability Exposure (CVE) ID: CVE-2010-1616 http://tracker.moodle.org/browse/MDL-16658
Copyright	Copyright (C) 2010 Greenbone AG