CVE-2016-2156: Infoleak
First published: Sun May 22 2016(Updated: )
calendar/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 provides calendar-event data without considering whether an activity is hidden, which allows remote authenticated users to obtain sensitive information via a web-service request.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/moodle/moodle | >=3.0.0<3.0.3 | 3.0.3 |
| composer/moodle/moodle | >=2.9.0<2.9.5 | 2.9.5 |
| composer/moodle/moodle | >=2.8.0<2.8.11 | 2.8.11 |
| composer/moodle/moodle | <2.7.13 | 2.7.13 |
| Moodle | <=2.6.11 | |
| Moodle | =2.7.0 | |
| Moodle | =2.7.1 | |
| Moodle | =2.7.2 | |
| Moodle | =2.7.3 | |
| Moodle | =2.7.4 | |
| Moodle | =2.7.5 | |
| Moodle | =2.7.6 | |
| Moodle | =2.7.7 | |
| Moodle | =2.7.8 | |
| Moodle | =2.7.9 | |
| Moodle | =2.7.10 | |
| Moodle | =2.7.11 | |
| Moodle | =2.7.12 | |
| Moodle | =2.8.0 | |
| Moodle | =2.8.1 | |
| Moodle | =2.8.2 | |
| Moodle | =2.8.3 | |
| Moodle | =2.8.4 | |
| Moodle | =2.8.5 | |
| Moodle | =2.8.6 | |
| Moodle | =2.8.7 | |
| Moodle | =2.8.8 | |
| Moodle | =2.8.9 | |
| Moodle | =2.8.10 | |
| Moodle | =2.9.0 | |
| Moodle | =2.9.1 | |
| Moodle | =2.9.2 | |
| Moodle | =2.9.3 | |
| Moodle | =2.9.4 | |
| Moodle | =3.0.0 | |
| Moodle | =3.0.1 | |
| Moodle | =3.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52808
- http://www.openwall.com/lists/oss-security/2016/03/21/1
- http://www.securitytracker.com/id/1035333
- https://moodle.org/mod/forum/discuss.php?d=330178
- https://nvd.nist.gov/vuln/detail/CVE-2016-2156
- https://github.com/moodle/moodle/commit/39b851376337b853c8d403dcba64645d16f0a9bd
- https://github.com/moodle/moodle/commit/783e695e00689d67925d6f83722d344c0bd6de94
- https://github.com/moodle/moodle/commit/854e7b8ed0a84eb91ca455ca290427d22bc20baf
- https://github.com/moodle/moodle/commit/c631b112d6e729c84f5d559371a399fe54502ba3
- https://github.com/moodle/moodle/commit/d63ac148b95e5f909618e75efd76f6b5032da158
- https://web.archive.org/web/20160424224349/http://www.securitytracker.com/id/1035333
- https://github.com/advisories/GHSA-h8vc-v44p-5r2q (Advisory)
Frequently Asked Questions
What is the severity of CVE-2016-2156?
CVE-2016-2156 has a medium severity level, allowing remote authenticated users to access sensitive calendar event data.
How do I fix CVE-2016-2156?
To fix CVE-2016-2156, upgrade Moodle to version 2.7.13, 2.8.11, 2.9.5, or 3.0.3, as these versions address the vulnerability.
What versions of Moodle are affected by CVE-2016-2156?
CVE-2016-2156 affects Moodle versions up to 2.6.11 and all versions of 2.7.x prior to 2.7.13, 2.8.x prior to 2.8.11, 2.9.x prior to 2.9.5, and 3.0.x prior to 3.0.3.
Who can exploit the vulnerability in CVE-2016-2156?
The vulnerability in CVE-2016-2156 can be exploited by remote authenticated users who are able to access the Moodle platform.
What type of information can be exposed through CVE-2016-2156?
CVE-2016-2156 can expose sensitive calendar-event data that should be hidden from unauthorized users.
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-h8vc-v44p-5r2q
- alias/CVE-2016-2156
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/references
- agent/description
- agent/author
- agent/softwarecombine
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/moodle
- canonical/moodle
- version/moodle/2.6.11
- version/moodle/2.7.0
- version/moodle/2.7.1
- version/moodle/2.7.2
- version/moodle/2.7.3
- version/moodle/2.7.4
- version/moodle/2.7.5
- version/moodle/2.7.6
- version/moodle/2.7.7
- version/moodle/2.7.8
- version/moodle/2.7.9
- version/moodle/2.7.10
- version/moodle/2.7.11
- version/moodle/2.7.12
- version/moodle/2.8.0
- version/moodle/2.8.1
- version/moodle/2.8.2
- version/moodle/2.8.3
- version/moodle/2.8.4
- version/moodle/2.8.5
- version/moodle/2.8.6
- version/moodle/2.8.7
- version/moodle/2.8.8
- version/moodle/2.8.9
- version/moodle/2.8.10
- version/moodle/2.9.0
- version/moodle/2.9.1
- version/moodle/2.9.2
- version/moodle/2.9.3
- version/moodle/2.9.4
- version/moodle/3.0.0
- version/moodle/3.0.1
- version/moodle/3.0.2