Moodle Session Fixation Vulnerability

Summary
This host is running Moodle and is prone to a session fixation vulnerability.
Impact
Successful exploitation will allow remote attackers to conduct session fixation attacks.
Impact level: System/Application
Solution
Upgrade to the latest version, 1.9.8: http://download.moodle.org/
Insight
The flaws exist due to:
- failure to enable 'Regenerate session id during login', which can be exploited to conduct session fixation attacks.
- creating new roles when restoring a course, which allows teachers to create new accounts even if they do not have the 'moodle/user:create' capability.
Affected
Moodle version 1.8.12 and prior
Moodle version 1.9.x prior to 1.9.8