CVE-2014-7836: CSRF
First published: Mon Nov 24 2014(Updated: )
Multiple cross-site request forgery (CSRF) vulnerabilities in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for a (1) mod/lti/request_tool.php or (2) mod/lti/instructor_edit_tool_type.php request.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/moodle/moodle | >=2.7.0<2.7.3 | 2.7.3 |
| composer/moodle/moodle | >=2.6.0<2.6.6 | 2.6.6 |
| composer/moodle/moodle | <2.5.9 | 2.5.9 |
| Moodle | <=2.4.11 | |
| Moodle | =2.5.0 | |
| Moodle | =2.5.1 | |
| Moodle | =2.5.2 | |
| Moodle | =2.5.3 | |
| Moodle | =2.5.4 | |
| Moodle | =2.5.5 | |
| Moodle | =2.5.6 | |
| Moodle | =2.5.7 | |
| Moodle | =2.5.8 | |
| Moodle | =2.6.0 | |
| Moodle | =2.6.1 | |
| Moodle | =2.6.2 | |
| Moodle | =2.6.3 | |
| Moodle | =2.6.4 | |
| Moodle | =2.6.5 | |
| Moodle | =2.7.0 | |
| Moodle | =2.7.1 | |
| Moodle | =2.7.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47924
- http://openwall.com/lists/oss-security/2014/11/17/11
- http://www.securitytracker.com/id/1031215
- https://moodle.org/mod/forum/discuss.php?d=275162
- https://nvd.nist.gov/vuln/detail/CVE-2014-7836
- https://github.com/moodle/moodle/commit/48ea41c48f3dcf28fb40fe0b0a1f0c4c0453d34d
- https://github.com/moodle/moodle/commit/75d7e25198eeb6255963e2e46212d89b14e05dd7
- https://github.com/moodle/moodle/commit/babaf596e10ee525e58314b36f8063c65b59aa7d
- https://github.com/moodle/moodle/commit/bac38b11ab95862a831c6e6e60c03caf64eda599
- https://web.archive.org/web/20150914064838/http://www.securitytracker.com/id/1031215
- https://github.com/advisories/GHSA-wpq5-q3mj-8f3r (Advisory)
Frequently Asked Questions
What is the severity of CVE-2014-7836?
CVE-2014-7836 is classified as a moderate severity vulnerability due to its nature of enabling cross-site request forgery attacks.
How do I fix CVE-2014-7836?
To fix CVE-2014-7836, upgrade Moodle to at least version 2.5.9, 2.6.6, or 2.7.3 depending on your current version.
What versions of Moodle are affected by CVE-2014-7836?
CVE-2014-7836 affects Moodle versions 2.4.11 and earlier, as well as 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3.
What type of vulnerabilities does CVE-2014-7836 represent?
CVE-2014-7836 represents multiple cross-site request forgery (CSRF) vulnerabilities.
Can CVE-2014-7836 allow unauthorized access to user accounts?
Yes, CVE-2014-7836 can allow remote attackers to hijack the authentication of arbitrary users.
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-wpq5-q3mj-8f3r
- alias/CVE-2014-7836
- agent/software-canonical-lookup
- agent/weakness
- agent/references
- agent/severity
- agent/remedy
- agent/softwarecombine
- agent/description
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/moodle
- canonical/moodle
- version/moodle/2.4.11
- version/moodle/2.5.0
- version/moodle/2.5.1
- version/moodle/2.5.2
- version/moodle/2.5.3
- version/moodle/2.5.4
- version/moodle/2.5.5
- version/moodle/2.5.6
- version/moodle/2.5.7
- version/moodle/2.5.8
- version/moodle/2.6.0
- version/moodle/2.6.1
- version/moodle/2.6.2
- version/moodle/2.6.3
- version/moodle/2.6.4
- version/moodle/2.6.5
- version/moodle/2.7.0
- version/moodle/2.7.1
- version/moodle/2.7.2