CVE-2017-15110 - OpenCVE

In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Moodle	Moodle

Configuration 1 [-]

OR	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::

No data.

References

Link	Providers
http://www.securityfocus.com/bid/101909
https://moodle.org/mod/forum/discuss.php?d=361784

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2017-11-20T14:00:00

Updated: 2024-08-05T19:50:16.042Z

Reserved: 2017-10-08T00:00:00

Link: CVE-2017-15110

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2017-11-20T14:29:00.247

Modified: 2017-12-06T14:27:22.800

Link: CVE-2017-15110

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Moodle 3.x", "vendor": "n/a", "versions": [{"status": "affected", "version": "Moodle 3.x"}]}], "datePublic": "2017-11-20T00:00:00", "descriptions": [{"lang": "en", "value": "In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students."}], "problemTypes": [{"descriptions": [{"description": "improper access control", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-11-22T10:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "101909", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/101909"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://moodle.org/mod/forum/discuss.php?d=361784"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2017-15110", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Moodle 3.x", "version": {"version_data": [{"version_value": "Moodle 3.x"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "improper access control"}]}]}, "references": {"reference_data": [{"name": "101909", "refsource": "BID", "url": "http://www.securityfocus.com/bid/101909"}, {"name": "https://moodle.org/mod/forum/discuss.php?d=361784", "refsource": "CONFIRM", "url": "https://moodle.org/mod/forum/discuss.php?d=361784"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T19:50:16.042Z"}, "title": "CVE Program Container", "references": [{"name": "101909", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/101909"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://moodle.org/mod/forum/discuss.php?d=361784"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2017-15110", "datePublished": "2017-11-20T14:00:00", "dateReserved": "2017-10-08T00:00:00", "dateUpdated": "2024-08-05T19:50:16.042Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "AEE2C318-E06D-4270-836A-48F07562EE3A", "versionEndIncluding": "3.0.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "83BC3C5B-EDCF-4838-B271-715E37F4ED3D", "versionEndIncluding": "3.1.8", "versionStartIncluding": "3.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "C7325E47-944C-4D40-B679-28CD6EDD64BF", "versionEndIncluding": "3.2.5", "versionStartIncluding": "3.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "6303BBDF-8425-4BA5-981A-0553CAA88106", "versionEndIncluding": "3.3.2", "versionStartIncluding": "3.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Moodle 3.x, students can find out email addresses of other students in the same course. Using search on the Participants page, students could search email addresses of all participants regardless of email visibility. This allows enumerating and guessing emails of other students."}, {"lang": "es", "value": "En las versiones 3.x de Moodle, los estudiantes pueden averiguar las direcciones de correo electr\u00f3nico de otros estudiantes en el mismo curso. Empleando la b\u00fasqueda en la p\u00e1gina Participants, los estudiantes podr\u00edan buscar las direcciones de correo electr\u00f3nico de todos los participantes, independientemente de la visibilidad del correo electr\u00f3nico. Esto permite la enumeraci\u00f3n y la adivinaci\u00f3n de correos electr\u00f3nicos de otros estudiantes."}], "id": "CVE-2017-15110", "lastModified": "2017-12-06T14:27:22.800", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-11-20T14:29:00.247", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/101909"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Mitigation", "Vendor Advisory"], "url": "https://moodle.org/mod/forum/discuss.php?d=361784"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}