CVE-2017-15110 - Vulnerability Details - OpenCVE

In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00237.

Key SSVC decision points have not yet been added.

Vendors	Products
Moodle	Moodle

Configuration 1 [-]

OR	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-5189	In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students.
Github GHSA	GHSA-rjh8-w8jg-xwq5	Moodle Exposure of Sensitive Information to an Unauthorized Actor

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.securityfocus.com/bid/101909
https://moodle.org/mod/forum/discuss.php?d=361784

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2017-11-20T14:00:00

Updated: 2024-08-05T19:50:16.042Z

Reserved: 2017-10-08T00:00:00

Link: CVE-2017-15110

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2017-11-20T14:29:00.247

Modified: 2025-04-20T01:37:25.860

Link: CVE-2017-15110

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Moodle 3.x", "vendor": "n/a", "versions": [{"status": "affected", "version": "Moodle 3.x"}]}], "datePublic": "2017-11-20T00:00:00", "descriptions": [{"lang": "en", "value": "In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students."}], "problemTypes": [{"descriptions": [{"description": "improper access control", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-11-22T10:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "101909", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/101909"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://moodle.org/mod/forum/discuss.php?d=361784"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2017-15110", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Moodle 3.x", "version": {"version_data": [{"version_value": "Moodle 3.x"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "improper access control"}]}]}, "references": {"reference_data": [{"name": "101909", "refsource": "BID", "url": "http://www.securityfocus.com/bid/101909"}, {"name": "https://moodle.org/mod/forum/discuss.php?d=361784", "refsource": "CONFIRM", "url": "https://moodle.org/mod/forum/discuss.php?d=361784"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T19:50:16.042Z"}, "title": "CVE Program Container", "references": [{"name": "101909", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/101909"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://moodle.org/mod/forum/discuss.php?d=361784"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2017-15110", "datePublished": "2017-11-20T14:00:00", "dateReserved": "2017-10-08T00:00:00", "dateUpdated": "2024-08-05T19:50:16.042Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "AEE2C318-E06D-4270-836A-48F07562EE3A", "versionEndIncluding": "3.0.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "83BC3C5B-EDCF-4838-B271-715E37F4ED3D", "versionEndIncluding": "3.1.8", "versionStartIncluding": "3.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "C7325E47-944C-4D40-B679-28CD6EDD64BF", "versionEndIncluding": "3.2.5", "versionStartIncluding": "3.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "6303BBDF-8425-4BA5-981A-0553CAA88106", "versionEndIncluding": "3.3.2", "versionStartIncluding": "3.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students."}, {"lang": "es", "value": "En las versiones 3.x de Moodle, los estudiantes pueden averiguar las direcciones de correo electr\u00f3nico de otros estudiantes en el mismo curso. Empleando la b\u00fasqueda en la p\u00e1gina Participants, los estudiantes podr\u00edan buscar las direcciones de correo electr\u00f3nico de todos los participantes, independientemente de la visibilidad del correo electr\u00f3nico. Esto permite la enumeraci\u00f3n y la adivinaci\u00f3n de correos electr\u00f3nicos de otros estudiantes."}], "id": "CVE-2017-15110", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-11-20T14:29:00.247", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/101909"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Mitigation", "Vendor Advisory"], "url": "https://moodle.org/mod/forum/discuss.php?d=361784"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/101909"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Mitigation", "Vendor Advisory"], "url": "https://moodle.org/mod/forum/discuss.php?d=361784"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}