CVE-2016-2190
First published: Sun May 22 2016(Updated: )
Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not properly restrict links, which allows remote attackers to obtain sensitive URL information by reading a Referer log.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/moodle/moodle | >=3.0.0<3.0.3 | 3.0.3 |
| composer/moodle/moodle | >=2.9.0<2.9.5 | 2.9.5 |
| composer/moodle/moodle | >=2.8.0<2.8.11 | 2.8.11 |
| composer/moodle/moodle | >=2.7.0<2.7.13 | 2.7.13 |
| composer/moodle/moodle | <=2.6.11 | |
| Moodle | <=2.6.11 | |
| Moodle | =2.7.0 | |
| Moodle | =2.7.1 | |
| Moodle | =2.7.2 | |
| Moodle | =2.7.3 | |
| Moodle | =2.7.4 | |
| Moodle | =2.7.5 | |
| Moodle | =2.7.6 | |
| Moodle | =2.7.7 | |
| Moodle | =2.7.8 | |
| Moodle | =2.7.9 | |
| Moodle | =2.7.10 | |
| Moodle | =2.7.11 | |
| Moodle | =2.7.12 | |
| Moodle | =2.8.0 | |
| Moodle | =2.8.1 | |
| Moodle | =2.8.2 | |
| Moodle | =2.8.3 | |
| Moodle | =2.8.4 | |
| Moodle | =2.8.5 | |
| Moodle | =2.8.6 | |
| Moodle | =2.8.7 | |
| Moodle | =2.8.8 | |
| Moodle | =2.8.9 | |
| Moodle | =2.8.10 | |
| Moodle | =2.9.0 | |
| Moodle | =2.9.1 | |
| Moodle | =2.9.2 | |
| Moodle | =2.9.3 | |
| Moodle | =2.9.4 | |
| Moodle | =3.0.0 | |
| Moodle | =3.0.1 | |
| Moodle | =3.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52651
- http://www.openwall.com/lists/oss-security/2016/03/21/1
- http://www.securitytracker.com/id/1035333
- https://moodle.org/mod/forum/discuss.php?d=330181
- https://nvd.nist.gov/vuln/detail/CVE-2016-2190
- https://web.archive.org/web/20210801130148/http://www.securitytracker.com/id/1035333
- https://github.com/advisories/GHSA-r9pc-g29w-f86j (Advisory)
- https://github.com/moodle/moodle/commit/1688564a6eee6000013f6e185f704049283ae375
- https://github.com/moodle/moodle/commit/190757854d9ce3b3ce3100dc76de54277f3bdd14
- https://github.com/moodle/moodle/commit/314d105c169c67e3ce750f76b21d99983d4a9ff5
- https://github.com/moodle/moodle/commit/4d6f159f681882496e05ddacf2561929d2d23f0e
- https://github.com/moodle/moodle/commit/9f91c23536a31ba2dc91b0ba2ae726b1757a20cb
Frequently Asked Questions
What is the severity of CVE-2016-2190?
The severity of CVE-2016-2190 is classified as medium because it allows an attacker to access sensitive information.
How do I fix CVE-2016-2190?
To fix CVE-2016-2190, update Moodle to at least version 2.7.13, 2.8.11, 2.9.5, or 3.0.3.
What versions of Moodle are affected by CVE-2016-2190?
Moodle versions up to 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 are affected by CVE-2016-2190.
Is CVE-2016-2190 easily exploitable?
Yes, CVE-2016-2190 can be easily exploited by remote attackers who can access referer logs.
What types of information can be compromised due to CVE-2016-2190?
CVE-2016-2190 allows attackers to obtain sensitive URL information that could potentially lead to further exploitation.
- agent/author
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-r9pc-g29w-f86j
- alias/CVE-2016-2190
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/weakness
- agent/description
- agent/softwarecombine
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/moodle
- canonical/moodle
- version/moodle/2.6.11
- version/moodle/2.7.0
- version/moodle/2.7.1
- version/moodle/2.7.2
- version/moodle/2.7.3
- version/moodle/2.7.4
- version/moodle/2.7.5
- version/moodle/2.7.6
- version/moodle/2.7.7
- version/moodle/2.7.8
- version/moodle/2.7.9
- version/moodle/2.7.10
- version/moodle/2.7.11
- version/moodle/2.7.12
- version/moodle/2.8.0
- version/moodle/2.8.1
- version/moodle/2.8.2
- version/moodle/2.8.3
- version/moodle/2.8.4
- version/moodle/2.8.5
- version/moodle/2.8.6
- version/moodle/2.8.7
- version/moodle/2.8.8
- version/moodle/2.8.9
- version/moodle/2.8.10
- version/moodle/2.9.0
- version/moodle/2.9.1
- version/moodle/2.9.2
- version/moodle/2.9.3
- version/moodle/2.9.4
- version/moodle/3.0.0
- version/moodle/3.0.1
- version/moodle/3.0.2