CVE-2014-0126: CSRF
First published: Sat Mar 22 2014(Updated: )
Cross-site request forgery (CSRF) vulnerability in enrol/imsenterprise/importnow.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that import an IMS Enterprise file.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/moodle/moodle | >=2.6.0<2.6.2 | 2.6.2 |
| composer/moodle/moodle | >=2.5.0<2.5.5 | 2.5.5 |
| composer/moodle/moodle | <2.4.9 | 2.4.9 |
| Moodle | <=2.3.11 | |
| Moodle | =2.0.0 | |
| Moodle | =2.0.1 | |
| Moodle | =2.0.2 | |
| Moodle | =2.0.3 | |
| Moodle | =2.0.4 | |
| Moodle | =2.0.5 | |
| Moodle | =2.0.6 | |
| Moodle | =2.0.7 | |
| Moodle | =2.0.8 | |
| Moodle | =2.0.9 | |
| Moodle | =2.1.0 | |
| Moodle | =2.1.1 | |
| Moodle | =2.1.2 | |
| Moodle | =2.1.3 | |
| Moodle | =2.1.4 | |
| Moodle | =2.1.5 | |
| Moodle | =2.1.6 | |
| Moodle | =2.1.7 | |
| Moodle | =2.1.8 | |
| Moodle | =2.1.9 | |
| Moodle | =2.1.10 | |
| Moodle | =2.2.0 | |
| Moodle | =2.2.1 | |
| Moodle | =2.2.2 | |
| Moodle | =2.2.3 | |
| Moodle | =2.2.4 | |
| Moodle | =2.2.5 | |
| Moodle | =2.2.6 | |
| Moodle | =2.2.7 | |
| Moodle | =2.2.8 | |
| Moodle | =2.2.9 | |
| Moodle | =2.2.10 | |
| Moodle | =2.2.11 | |
| Moodle | =2.3.0 | |
| Moodle | =2.3.1 | |
| Moodle | =2.3.2 | |
| Moodle | =2.3.3 | |
| Moodle | =2.3.4 | |
| Moodle | =2.3.5 | |
| Moodle | =2.3.6 | |
| Moodle | =2.3.7 | |
| Moodle | =2.3.8 | |
| Moodle | =2.3.9 | |
| Moodle | =2.3.10 | |
| Moodle | =2.4.0 | |
| Moodle | =2.4.1 | |
| Moodle | =2.4.2 | |
| Moodle | =2.4.3 | |
| Moodle | =2.4.4 | |
| Moodle | =2.4.5 | |
| Moodle | =2.4.6 | |
| Moodle | =2.4.7 | |
| Moodle | =2.4.8 | |
| Moodle | =2.5.0 | |
| Moodle | =2.5.1 | |
| Moodle | =2.5.2 | |
| Moodle | =2.5.3 | |
| Moodle | =2.5.4 | |
| Moodle | =2.6.0 | |
| Moodle | =2.6.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43146
- http://openwall.com/lists/oss-security/2014/03/17/1
- https://moodle.org/mod/forum/discuss.php?d=256423
- https://nvd.nist.gov/vuln/detail/CVE-2014-0126
- https://github.com/moodle/moodle/commit/41a19bffeef0ee6b0560a5ff808fd4bd35075fa1
- https://github.com/moodle/moodle/commit/caf766507771e07c1752ece1f37a32b2b4f6d8b9
- https://github.com/moodle/moodle/commit/ea8647b39ec9cf1d73e04b05559bd12d97aa5229
- https://github.com/moodle/moodle/commit/eee61675f042a9ec89f8f6d219b4ded010198fe4
- https://github.com/advisories/GHSA-4wvg-7886-83gv (Advisory)
Frequently Asked Questions
What is the severity of CVE-2014-0126?
CVE-2014-0126 has a medium severity due to its potential to allow CSRF attacks on Moodle administrators.
How do I fix CVE-2014-0126?
To fix CVE-2014-0126, upgrade Moodle to version 2.6.2 or later, or to 2.5.5 or later, or to 2.4.9 or later.
What versions of Moodle are affected by CVE-2014-0126?
CVE-2014-0126 affects Moodle versions 2.3.11 and below, as well as versions 2.4.x prior to 2.4.9, 2.5.x prior to 2.5.5, and 2.6.x prior to 2.6.2.
What type of vulnerability is CVE-2014-0126?
CVE-2014-0126 is a cross-site request forgery (CSRF) vulnerability.
Can CVE-2014-0126 allow unauthorized access?
Yes, CVE-2014-0126 can allow remote attackers to hijack the authentication of administrators in Moodle.
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-4wvg-7886-83gv
- alias/CVE-2014-0126
- agent/software-canonical-lookup
- agent/references
- agent/severity
- agent/weakness
- agent/description
- agent/author
- agent/softwarecombine
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/moodle
- canonical/moodle
- version/moodle/2.3.11
- version/moodle/2.0.0
- version/moodle/2.0.1
- version/moodle/2.0.2
- version/moodle/2.0.3
- version/moodle/2.0.4
- version/moodle/2.0.5
- version/moodle/2.0.6
- version/moodle/2.0.7
- version/moodle/2.0.8
- version/moodle/2.0.9
- version/moodle/2.1.0
- version/moodle/2.1.1
- version/moodle/2.1.2
- version/moodle/2.1.3
- version/moodle/2.1.4
- version/moodle/2.1.5
- version/moodle/2.1.6
- version/moodle/2.1.7
- version/moodle/2.1.8
- version/moodle/2.1.9
- version/moodle/2.1.10
- version/moodle/2.2.0
- version/moodle/2.2.1
- version/moodle/2.2.2
- version/moodle/2.2.3
- version/moodle/2.2.4
- version/moodle/2.2.5
- version/moodle/2.2.6
- version/moodle/2.2.7
- version/moodle/2.2.8
- version/moodle/2.2.9
- version/moodle/2.2.10
- version/moodle/2.2.11
- version/moodle/2.3.0
- version/moodle/2.3.1
- version/moodle/2.3.2
- version/moodle/2.3.3
- version/moodle/2.3.4
- version/moodle/2.3.5
- version/moodle/2.3.6
- version/moodle/2.3.7
- version/moodle/2.3.8
- version/moodle/2.3.9
- version/moodle/2.3.10
- version/moodle/2.4.0
- version/moodle/2.4.1
- version/moodle/2.4.2
- version/moodle/2.4.3
- version/moodle/2.4.4
- version/moodle/2.4.5
- version/moodle/2.4.6
- version/moodle/2.4.7
- version/moodle/2.4.8
- version/moodle/2.5.0
- version/moodle/2.5.1
- version/moodle/2.5.2
- version/moodle/2.5.3
- version/moodle/2.5.4
- version/moodle/2.6.0
- version/moodle/2.6.1