What is the severity of CVE-2014-3552?

CVE-2014-3552 has a medium severity rating due to the potential for session hijacking by authenticated users.

How do I fix CVE-2014-3552?

To fix CVE-2014-3552, update your Moodle installation to version 2.4.11, 2.5.7, or later.

Which Moodle versions are affected by CVE-2014-3552?

CVE-2014-3552 affects Moodle versions up to and including 2.3.11, all 2.4.x versions before 2.4.11, and all 2.5.x versions before 2.5.7.

Can CVE-2014-3552 be exploited remotely?

Yes, CVE-2014-3552 can be exploited remotely by authenticated users who interact with the plugin.

What impact does CVE-2014-3552 have on user sessions?

CVE-2014-3552 allows attackers to hijack user sessions by taking advantage of an unverified session ID.

Vulnerability/
CVE-2014-3552

medium

CWE

287

29/7/2014

6/8/2024

CVE-2014-3552

First published: Tue Jul 29 2014(Updated: )

The Shibboleth authentication plugin in auth/shibboleth/index.php in Moodle through 2.3.11, 2.4.x before 2.4.11, and 2.5.x before 2.5.7 does not check whether a session ID is empty, which allows remote authenticated users to hijack sessions via crafted plugin interaction.

Credit: secalert@redhat.com

Affected Software	Affected Version	How to fix
Moodle	=2.4.0
Moodle	=2.4.1
Moodle	=2.4.2
Moodle	=2.4.3
Moodle	=2.4.4
Moodle	=2.4.5
Moodle	=2.4.6
Moodle	=2.4.7
Moodle	=2.4.8
Moodle	=2.4.9
Moodle	=2.4.10
Moodle	<=2.3.11
Moodle	=2.3.0
Moodle	=2.3.1
Moodle	=2.3.2
Moodle	=2.3.3
Moodle	=2.3.4
Moodle	=2.3.5
Moodle	=2.3.6
Moodle	=2.3.7
Moodle	=2.3.8
Moodle	=2.3.9
Moodle	=2.3.10
Moodle	=2.5.0
Moodle	=2.5.1
Moodle	=2.5.2
Moodle	=2.5.3
Moodle	=2.5.4
Moodle	=2.5.5
Moodle	=2.5.6

Remedy

http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_25_STABLE&st=commit&s=MDL-45485

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2014-3552?
CVE-2014-3552 has a medium severity rating due to the potential for session hijacking by authenticated users.
How do I fix CVE-2014-3552?
To fix CVE-2014-3552, update your Moodle installation to version 2.4.11, 2.5.7, or later.
Which Moodle versions are affected by CVE-2014-3552?
CVE-2014-3552 affects Moodle versions up to and including 2.3.11, all 2.4.x versions before 2.4.11, and all 2.5.x versions before 2.5.7.
Can CVE-2014-3552 be exploited remotely?
Yes, CVE-2014-3552 can be exploited remotely by authenticated users who interact with the plugin.
What impact does CVE-2014-3552 have on user sessions?
CVE-2014-3552 allows attackers to hijack user sessions by taking advantage of an unverified session ID.

agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/weakness
agent/remedy
agent/last-modified-date
agent/severity
agent/references
agent/author
agent/description
agent/event
agent/first-publish-date
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/moodle
canonical/moodle
version/moodle/2.4.0
version/moodle/2.4.1
version/moodle/2.4.2
version/moodle/2.4.3
version/moodle/2.4.4
version/moodle/2.4.5
version/moodle/2.4.6
version/moodle/2.4.7
version/moodle/2.4.8
version/moodle/2.4.9
version/moodle/2.4.10
version/moodle/2.3.11
version/moodle/2.3.0
version/moodle/2.3.1
version/moodle/2.3.2
version/moodle/2.3.3
version/moodle/2.3.4
version/moodle/2.3.5
version/moodle/2.3.6
version/moodle/2.3.7
version/moodle/2.3.8
version/moodle/2.3.9
version/moodle/2.3.10
version/moodle/2.5.0
version/moodle/2.5.1
version/moodle/2.5.2
version/moodle/2.5.3
version/moodle/2.5.4
version/moodle/2.5.5
version/moodle/2.5.6