Vulnerability CVE-2008-3325

Vulnerability Name:

CVE-2008-3325 (CCN-43964)

Assigned:

2008-07-16

Published:

2008-07-16

Updated:

2018-11-01

Summary:

Cross-site request forgery (CSRF) vulnerability in Moodle 1.6.x before 1.6.7 and 1.7.x before 1.7.5 allows remote attackers to modify profile settings and gain privileges as other users via a link or IMG tag to the user edit profile page.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

6.0 Medium (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P)
5.2 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-352

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2008-3325

Source: SUSE
Type: Third Party Advisory
SUSE-SR:2008:016

Source: CCN
Type: MSA-08-0013
CSRF (Cross-site Request Forgery) on Moodle edit profile page

Source: CONFIRM
Type: Patch, Vendor Advisory
http://moodle.org/mod/forum/discuss.php?d=101405

Source: CCN
Type: SA31196
Moodle Script Insertion and Cross-Site Request Forgery

Source: SECUNIA
Type: Third Party Advisory
31196

Source: SECUNIA
Type: Third Party Advisory
31339

Source: DEBIAN
Type: Third Party Advisory
DSA-1691

Source: DEBIAN
Type: DSA-1691
moodle -- several vulnerabilities

Source: CCN
Type: OSVDB ID: 47128
Moodle Edit Profile Page CSRF

Source: CCN
Type: ProCheckUp: PR08-16
CSRF (Cross-site Request Forgery) on Moodle edit profile page

Source: MISC
Type: Broken Link
http://www.procheckup.com/Vulnerability_PR08-16.php

Source: BUGTRAQ
Type: Third Party Advisory, VDB Entry
20080722 PR08-16: CSRF (Cross-site Request Forgery) on Moodle edit profile page

Source: XF
Type: UNKNOWN
moodle-editprofile-csrf(43964)

Source: XF
Type: VDB Entry
moodle-editprofile-csrf(43964)

Source: SUSE
Type: SUSE-SR:2008:016
SUSE Security Summary Report

Vulnerable Configuration:

Configuration 1:

cpe:/a:moodle:moodle:*:*:*:*:*:*:*:* (Version >= 1.6 and < 1.6.7)

OR cpe:/a:moodle:moodle:*:*:*:*:*:*:*:* (Version >= 1.7 and < 1.7.5)

Configuration 2:

cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:moodle:moodle:1.6.2:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.7.1:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.7.5:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.7.4:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.7.3:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.7.2:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.6.5:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.6.4:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.6.3:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.6.1:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.6.0:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.7.0:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.6.6:*:*:*:*:*:*:*

AND

cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:7939	P	DSA-1691 moodle -- several vulnerabilities	2014-06-23
oval:org.mitre.oval:def:20060	P	DSA-1691-1 moodle - several vulnerabilities	2014-06-23
oval:org.opensuse.security:def:20083325	V	CVE-2008-3325	2012-07-03
oval:org.debian:def:1691	V	several vulnerabilities	2008-12-22

BACK