CVE-2010-2231: CSRF
First published: Mon Jun 28 2010(Updated: )
Cross-site request forgery (CSRF) vulnerability in report/overview/report.php in the quiz module in Moodle before 1.8.13 and 1.9.x before 1.9.9 allows remote attackers to hijack the authentication of arbitrary users for requests that delete quiz attempts via the attemptid parameter.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Moodle | =1.5.2 | |
| Moodle | =1.8.8 | |
| Moodle | =1.6.1 | |
| Moodle | =1.8.2 | |
| Moodle | =1.2.1 | |
| Moodle | =1.4.2 | |
| Moodle | =1.6.8 | |
| Moodle | =1.6.5 | |
| Moodle | =1.3.3 | |
| Moodle | =1.4.3 | |
| Moodle | <=1.8.12 | |
| Moodle | =1.4.5 | |
| Moodle | =1.7.6 | |
| Moodle | =1.6.2 | |
| Moodle | =1.8.6 | |
| Moodle | =1.7.1 | |
| Moodle | =1.8.5 | |
| Moodle | =1.8.3 | |
| Moodle | =1.3.2 | |
| Moodle | =1.8.9 | |
| Moodle | =1.8.7 | |
| Moodle | =1.8.10 | |
| Moodle | =1.6.4 | |
| Moodle | =1.1.1 | |
| Moodle | =1.3.1 | |
| Moodle | =1.6.7 | |
| Moodle | =1.4.4 | |
| Moodle | =1.7.3 | |
| Moodle | =1.7.2 | |
| Moodle | =1.5.3 | |
| Moodle | =1.6.3 | |
| Moodle | =1.8.11 | |
| Moodle | =1.6.6 | |
| Moodle | =1.5 | |
| Moodle | =1.4.1 | |
| Moodle | =1.7.5 | |
| Moodle | =1.5.1 | |
| Moodle | =1.3.4 | |
| Moodle | =1.8.4 | |
| Moodle | =1.8.1 | |
| Moodle | =1.7.4 | |
| Moodle | =1.2.0 | |
| Moodle | =1.3.0 | |
| Moodle | =1.6.0 | |
| Moodle | =1.5.0-beta | |
| Moodle | =1.9.4 | |
| Moodle | =1.9.1 | |
| Moodle | =1.9.6 | |
| Moodle | =1.9.2 | |
| Moodle | =1.9.3 | |
| Moodle | =1.9.5 | |
| Moodle | =1.9.8 | |
| Moodle | =1.9.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=605809
- http://secunia.com/advisories/40248
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043291.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043340.html
- http://www.openwall.com/lists/oss-security/2010/06/21/2
- http://docs.moodle.org/en/Moodle_1.8.13_release_notes
- http://cvs.moodle.org/moodle/mod/quiz/report/overview/report.php?r1=1.98.2.50&r2=1.98.2.51
- http://secunia.com/advisories/40352
- http://www.vupen.com/english/advisories/2010/1530
- http://docs.moodle.org/en/Moodle_1.9.9_release_notes
- http://www.vupen.com/english/advisories/2010/1571
- http://lists.fedoraproject.org/pipermail/package-announce/2010-June/043285.html
- http://moodle.org/mod/forum/discuss.php?d=152369
- http://tracker.moodle.org/browse/MDL-21688
- http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
Frequently Asked Questions
What is the severity of CVE-2010-2231?
CVE-2010-2231 is considered a moderate severity vulnerability due to the potential for unauthorized users to delete quiz attempts.
How do I fix CVE-2010-2231?
To fix CVE-2010-2231, upgrade Moodle to version 1.9.9 or later, or to 1.8.13 or later.
What types of attacks are possible with CVE-2010-2231?
CVE-2010-2231 allows attackers to perform cross-site request forgery (CSRF) attacks that can hijack user authentication.
Which versions of Moodle are affected by CVE-2010-2231?
Moodle versions prior to 1.8.13 and 1.9.x prior to 1.9.9 are affected by CVE-2010-2231.
Is CVE-2010-2231 easy to exploit?
Exploitation of CVE-2010-2231 is relatively easy, as it requires the attacker to trick a user into clicking a malicious link.
- agent/type
- agent/softwarecombine
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/author
- agent/references
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/moodle
- canonical/moodle
- version/moodle/1.5.2
- version/moodle/1.8.8
- version/moodle/1.6.1
- version/moodle/1.8.2
- version/moodle/1.2.1
- version/moodle/1.4.2
- version/moodle/1.6.8
- version/moodle/1.6.5
- version/moodle/1.3.3
- version/moodle/1.4.3
- version/moodle/1.8.12
- version/moodle/1.4.5
- version/moodle/1.7.6
- version/moodle/1.6.2
- version/moodle/1.8.6
- version/moodle/1.7.1
- version/moodle/1.8.5
- version/moodle/1.8.3
- version/moodle/1.3.2
- version/moodle/1.8.9
- version/moodle/1.8.7
- version/moodle/1.8.10
- version/moodle/1.6.4
- version/moodle/1.1.1
- version/moodle/1.3.1
- version/moodle/1.6.7
- version/moodle/1.4.4
- version/moodle/1.7.3
- version/moodle/1.7.2
- version/moodle/1.5.3
- version/moodle/1.6.3
- version/moodle/1.8.11
- version/moodle/1.6.6
- version/moodle/1.5
- version/moodle/1.4.1
- version/moodle/1.7.5
- version/moodle/1.5.1
- version/moodle/1.3.4
- version/moodle/1.8.4
- version/moodle/1.8.1
- version/moodle/1.7.4
- version/moodle/1.2.0
- version/moodle/1.3.0
- version/moodle/1.6.0
- version/moodle/1.5.0-beta
- version/moodle/1.9.4
- version/moodle/1.9.1
- version/moodle/1.9.6
- version/moodle/1.9.2
- version/moodle/1.9.3
- version/moodle/1.9.5
- version/moodle/1.9.8
- version/moodle/1.9.7