CVE-2014-7838: CSRF
First published: Mon Nov 24 2014(Updated: )
Multiple cross-site request forgery (CSRF) vulnerabilities in the Forum module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for requests that set a tracking preference within (1) mod/forum/deprecatedlib.php, (2) mod/forum/forum.js, (3) mod/forum/index.php, or (4) mod/forum/lib.php.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/moodle/moodle | >=2.7.0<2.7.3 | 2.7.3 |
| composer/moodle/moodle | >=2.6.0<2.6.6 | 2.6.6 |
| composer/moodle/moodle | <2.5.9 | 2.5.9 |
| Moodle | <=2.4.11 | |
| Moodle | =2.5.0 | |
| Moodle | =2.5.1 | |
| Moodle | =2.5.2 | |
| Moodle | =2.5.3 | |
| Moodle | =2.5.4 | |
| Moodle | =2.5.5 | |
| Moodle | =2.5.6 | |
| Moodle | =2.5.7 | |
| Moodle | =2.5.8 | |
| Moodle | =2.6.0 | |
| Moodle | =2.6.1 | |
| Moodle | =2.6.2 | |
| Moodle | =2.6.3 | |
| Moodle | =2.6.4 | |
| Moodle | =2.6.5 | |
| Moodle | =2.7.0 | |
| Moodle | =2.7.1 | |
| Moodle | =2.7.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48019
- http://openwall.com/lists/oss-security/2014/11/17/11
- http://www.securitytracker.com/id/1031215
- https://moodle.org/mod/forum/discuss.php?d=275164
- https://nvd.nist.gov/vuln/detail/CVE-2014-7838
- https://github.com/moodle/moodle/commit/545eb1bcfdbfc352bf6c31edf440485ba6d5af42
- https://github.com/moodle/moodle/commit/7a311adbba9471edb5a49e4c4b8c356c87f0e44b
- https://github.com/moodle/moodle/commit/bef4a5e01739f2b239c0910b9e1aa2841b979f7d
- https://github.com/moodle/moodle/commit/c812956efda7d10dfdce5ae19c0ec8879de38a31
- https://web.archive.org/web/20150914064838/http://www.securitytracker.com/id/1031215
- https://github.com/advisories/GHSA-43r4-vm25-qm78 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2014-7838?
CVE-2014-7838 has a medium severity rating due to its potential impact on user authentication and privacy.
How do I fix CVE-2014-7838?
To fix CVE-2014-7838, upgrade to Moodle version 2.5.9, 2.6.6, or 2.7.3 or later.
What type of vulnerability is CVE-2014-7838?
CVE-2014-7838 is classified as a cross-site request forgery (CSRF) vulnerability.
Who is affected by CVE-2014-7838?
CVE-2014-7838 affects users of Moodle versions 2.4.11 and earlier, as well as 2.5.x, 2.6.x, and 2.7.x prior to their respective fixed versions.
What can an attacker do exploiting CVE-2014-7838?
An attacker exploiting CVE-2014-7838 could hijack the authentication of arbitrary users to set tracking preferences.
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-43r4-vm25-qm78
- alias/CVE-2014-7838
- agent/software-canonical-lookup
- agent/weakness
- agent/references
- agent/severity
- agent/remedy
- agent/softwarecombine
- agent/description
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/moodle
- canonical/moodle
- version/moodle/2.4.11
- version/moodle/2.5.0
- version/moodle/2.5.1
- version/moodle/2.5.2
- version/moodle/2.5.3
- version/moodle/2.5.4
- version/moodle/2.5.5
- version/moodle/2.5.6
- version/moodle/2.5.7
- version/moodle/2.5.8
- version/moodle/2.6.0
- version/moodle/2.6.1
- version/moodle/2.6.2
- version/moodle/2.6.3
- version/moodle/2.6.4
- version/moodle/2.6.5
- version/moodle/2.7.0
- version/moodle/2.7.1
- version/moodle/2.7.2