test project » import-test

Hi!

An automated scan by the TUM IT Security team has discovered 28 vulnerabilities in your network (org:ASE).

If you have questions about the procedure or your scan results, please contact

it-sicherheit@tum.de

Please fix the reported issues as soon as you can.

Regards

RBG Systems Group

Report text of Greenbone Security Assistant:

############################################################

# host: inventory.ase.cit.tum.de, ip: 131.159.89.189, tcp port: 443

+ 6.4 - Missing Secure Cookie Attribute (HTTP)

+ 2023-05-15T14:20:48Z - a66478df-1823-452e-8f8f-eb9db82388d0 - 1.3.6.1.4.1.25623.1.0.902661

summary: The remote HTTP web server / application is missing to set the

'Secure' cookie attribute for one or more sent HTTP cookie.

problem: The cookies:

Set-Cookie: XSRF-TOKEN=eyJpdiI6Ik82ckc3TmxKamt3UmpwWFMwb1ZvbXc9PSIsInZhbHVlIjoiRzFKRi9OdkhhYTFwbHZ5ZTJsKy9Bem9KcmFUdmxsenk1QUFSeG5BdGVNWGVJR2NxdTFsbVdyNlZoYjBuVUM4SkF3K3R0Mlk0ek1Xb0c0K0J3TlpkcXRDU1J0NC9GVGFPMllvajduQjVpVzhMMGxxcnRQUmJhdFBHaHJIV3o1UFAiLCJtYWMiOiIzMDY4OTQ2YjZhYjBjZmJhOTIxYjA3MjAwNjk1YWU3NGM5N2UyZjE4MDhkYzBmNjQ3Mzg4ZTdkNjMyMGZkYjY5IiwidGFnIjoiIn0%3D; expires=Tue, 23-May-2023 22:23:13 GMT; Max-Age=***replaced***; path=/

Set-Cookie: snipeit_session=MGGqE9fwjHRF7EzjrDTWiDr2yy0klyPX6JyTS6N8; expires=Tue, 23-May-2023 22:23:13 GMT; Max-Age=***replaced***; path=/; httponly

are missing the "Secure" cookie attribute.

impact:

solution: Mitigation: Set the 'Secure' cookie attribute for any cookies that are sent

over a SSL/TLS connection.

############################################################

# host: inventory.ase.cit.tum.de, ip: 131.159.89.189, tcp port: 443

+ 6.4 - Missing Secure Cookie Attribute (HTTP)

+ 2023-05-15T14:20:48Z - ecd99ac4-5bcf-498e-bc6f-9344aa6d6443 - 1.3.6.1.4.1.25623.1.0.902661

summary: The remote HTTP web server / application is missing to set the

'Secure' cookie attribute for one or more sent HTTP cookie.

problem: The cookies:

Set-Cookie: XSRF-TOKEN=eyJpdiI6IjlhaXRyZ3VQOExZaWZFMVlFSGZUdXc9PSIsInZhbHVlIjoiQzVSTm54dU5jS21kQzFKMjkrNE5KQmozU0NBc29FTFprd2luSUF2aUFyQkxFbWpkRVd1VTdGOG9IOHNvN3E3dENUMjVUYUk3NUt3TmhYOGNaT0tGUXVQNHdEZUlSWnBoWEF4Q3QzaENPOWxzYS96TnRxdTJsNFoxeUZNYzgxVVUiLCJtYWMiOiJiY2M0NTY1ZjU1OTBjYzVlZTQ1ZGIwMzY5MDRiNDMwMWU4NWI5YjA0ZDEwODU3NzU0MTFiNmUyZDNiNjEyNDViIiwidGFnIjoiIn0%3D; expires=Tue, 23-May-2023 22:23:14 GMT; Max-Age=***replaced***; path=/

Set-Cookie: snipeit_session=BoeqCHFebv9zHbI91rwCuOGBe0as2VGi9rB4WcnC; expires=Tue, 23-May-2023 22:23:14 GMT; Max-Age=***replaced***; path=/; httponly

are missing the "Secure" cookie attribute.

impact:

solution: Mitigation: Set the 'Secure' cookie attribute for any cookies that are sent

over a SSL/TLS connection.

############################################################

# host: inventory.ase.cit.tum.de, ip: 131.159.89.189, tcp port: 443

+ 6.4 - Missing Secure Cookie Attribute (HTTP)

+ 2023-05-15T14:20:48Z - ee62e447-0959-4d5a-8417-a5466c00a4f8 - 1.3.6.1.4.1.25623.1.0.902661

summary: The remote HTTP web server / application is missing to set the

'Secure' cookie attribute for one or more sent HTTP cookie.

problem: The cookies:

Set-Cookie: XSRF-TOKEN=eyJpdiI6ImRJNWl0SzBMQkhHa2lNaVU1MG5BR1E9PSIsInZhbHVlIjoibHFOeEwxVElyZFZXek9DejkrU1lHeTk3eHhJV2UvWG5xM1hzZzBKalhnbE0xbW14V2VSL2M3Qm93amFBUWpOd21MUXNWd3Jiajlmam1LcWppT2I0Z3VEb0NObFJjSHZBS2UvTmRuOWQ5RXU3UW5OdldxZTBLSVpMUmFINU9YMFoiLCJtYWMiOiI4ZTQ4ZTQ5MDZhNGQwOTQwNmJhNTcyYTE1YTNkYzdjMzE4NjJjYzQ3OThkNWNjNmE3MmI4YmY2OTUyZDg2MWU1IiwidGFnIjoiIn0%3D; expires=Tue, 23-May-2023 22:23:13 GMT; Max-Age=***replaced***; path=/

Set-Cookie: snipeit_session=GM0pUqhWsksS758LI9mNCs1rOCsT5MSJ2dehKUlr; expires=Tue, 23-May-2023 22:23:13 GMT; Max-Age=***replaced***; path=/; httponly

are missing the "Secure" cookie attribute.

impact:

solution: Mitigation: Set the 'Secure' cookie attribute for any cookies that are sent

over a SSL/TLS connection.

############################################################

# host: vmbhatotia148.in.tum.de, ip: 131.159.89.187, tcp port: 1883

+ 6.4 - MQTT Broker Does Not Require Authentication

+ 2023-05-15T14:34:09Z - 14f38e82-50e7-4303-a6f9-c15e528b8c46 - 1.3.6.1.4.1.25623.1.0.140167

summary: The remote MQTT broker does not require authentication.

problem: Vulnerability was detected according to the Vulnerability Detection Method.

impact:

solution: Mitigation: Enable authentication.

############################################################

# host: traefik.survey.ase.cs.tum.edu, ip: 131.159.89.172, tcp port: 443

+ 6.4 - Missing Secure Cookie Attribute (HTTP)

+ 2023-05-15T11:16:21Z - 058dd816-81ad-4666-b8d1-036bbc87f347 - 1.3.6.1.4.1.25623.1.0.902661

summary: The remote HTTP web server / application is missing to set the

'Secure' cookie attribute for one or more sent HTTP cookie.

problem: The cookies:

Set-Cookie: PHPSESSID=***replaced***; path=/; HttpOnly

are missing the "Secure" cookie attribute.

impact:

solution: Mitigation: Set the 'Secure' cookie attribute for any cookies that are sent

over a SSL/TLS connection.

############################################################

# host: dse.cs.tum.edu, ip: 131.159.89.173, tcp port: 443

+ 6.1 - WordPress Elementor Page Builder Plugin <= 3.5.5 XSS Vulnerability

+ 2023-05-15T11:24:18Z - 26292b1e-e620-49b1-8913-346ab029c68b - 1.3.6.1.4.1.25623.1.0.126057

summary: The WordPress plugin 'Elementor Page Builder' is prone

to a cross-site scripting (XSS) vulnerability.

problem: Installed version: 3.5.5

Fixed version: 3.5.6

Installation

path / port: /wp-content/plugins/elementor

impact: An attacker could do the following: account takeovers,

executing javascript on victim's behalf, SOAP bypass, CORS bypass, Defacement.

solution: VendorFix: Update to version 3.5.6 or later.

############################################################

# host: dse.cs.tum.edu, ip: 131.159.89.173, tcp port: 443

+ 5.5 - WordPress Popup Maker Plugin < 1.16.9 Multiple XSS Vulnerabilities

+ 2023-05-15T11:24:18Z - 2bbd4221-ed4f-4aa2-b421-ce9794867d9b - 1.3.6.1.4.1.25623.1.0.170320

summary: The WordPress plugin 'Popup Maker' is prone to multiple cross-site

scripting (XSS) vulnerabilities.

problem: Installed version: 1.16.4

Fixed version: 1.16.9

Installation

path / port: /wp-content/plugins/popup-maker

impact:

solution: VendorFix: Update to version 1.16.9 or later.

############################################################

# host: inventory.ase.cit.tum.de, ip: 131.159.89.189, tcp port: 80

+ 5.0 - Missing HttpOnly Cookie Attribute (HTTP)

+ 2023-05-15T14:20:48Z - 5c2bdb62-acc8-4bda-b205-2b80ab865555 - 1.3.6.1.4.1.25623.1.0.105925

summary: The remote HTTP web server / application is missing to set the

'HttpOnly' cookie attribute for one or more sent HTTP cookie.

problem: The cookies:

Set-Cookie: XSRF-TOKEN=eyJpdiI6IlhmQ1YyVkZWRTRqdlA5eURyWU95ZWc9PSIsInZhbHVlIjoicTBxeFA0UHVCakYyMFo0cjl5bVBjWkw5dEFpaG1ZK0gxYTFGWnBvc3R1U2kzYVdHU2JranQvY3NQNkJjYjJ6dUVpRnZ1MlRWd2p2cGUwUDZIMlE1eXJZcEk4UXpKazNkRzFLSWZOVi9sait5SGVBNFlyVWc2WWsvZUVCa3FKSWwiLCJtYWMiOiI2ZmVmOTI2NTEzMTBlNzJiNmY1MjViZGFjMTEzOWQ4ZDdhMzA4ODkzY2QzZjRiMmRlMTk5NDU1YTQ0ZjI4NTA4IiwidGFnIjoiIn0%3D; expires=Tue, 23-May-2023 22:23:15 GMT; Max-Age=***replaced***; path=/

are missing the "HttpOnly" attribute.

impact:

solution: Mitigation: Set the 'HttpOnly' attribute for any session cookie.

############################################################

# host: inventory.ase.cit.tum.de, ip: 131.159.89.189, tcp port: 80

+ 5.0 - Missing HttpOnly Cookie Attribute (HTTP)

+ 2023-05-15T14:20:48Z - 2e6f53d3-b26a-4bd0-8b19-8c0768e50042 - 1.3.6.1.4.1.25623.1.0.105925

summary: The remote HTTP web server / application is missing to set the

'HttpOnly' cookie attribute for one or more sent HTTP cookie.

problem: The cookies:

Set-Cookie: XSRF-TOKEN=eyJpdiI6IkhScFhWbE9scjhvNkhGNy9Eb3dKamc9PSIsInZhbHVlIjoiSTFaRzhiak5yQjlZTE1MU2JidVpsRWJueHAvUlBRbTRmK2RnV2RKMUF3UnhwcFc0YkZLRVNIWWU1QmI0dU1qcHJlWjJiNWlnWHhhVy91VjR5NTBCWSswV1JrZ3hHQitFcXRGcUpuOGxNNzc5RWpnMFNhUE03WVJLeGExZ290WlMiLCJtYWMiOiI1ZDU4MzNjYWQwMDQwYzE0OGEyNzc4ZmY5MTQzZjcyOTA5ZmVhZGIwOWIyZGY0ZTMwNjEyMGE2NzhmNWE2OWY1IiwidGFnIjoiIn0%3D; expires=Tue, 23-May-2023 22:23:15 GMT; Max-Age=***replaced***; path=/

are missing the "HttpOnly" attribute.

impact:

solution: Mitigation: Set the 'HttpOnly' attribute for any session cookie.

############################################################

# host: inventory.ase.cit.tum.de, ip: 131.159.89.189, tcp port: 80

+ 5.0 - Missing HttpOnly Cookie Attribute (HTTP)

+ 2023-05-15T14:20:48Z - a31438d4-24ad-4897-b58d-c4c8d8b40502 - 1.3.6.1.4.1.25623.1.0.105925

summary: The remote HTTP web server / application is missing to set the

'HttpOnly' cookie attribute for one or more sent HTTP cookie.

problem: The cookies:

Set-Cookie: XSRF-TOKEN=eyJpdiI6Im42U1pEQmlKNTRHTVA1MXgzSUdvZ2c9PSIsInZhbHVlIjoiWTQ3VHRhcnR4TE5GNHlWMU9wNkRXc1BYN3JJZFdSczM2REpFZkVrVERJdlpGUjYyMXJzTUZPTDAxSEV4a2dvenJndDY2c0Ntdk5wWWR2U3A4bmhOTlJEK1JHMjZwWHpzZDkvTmlMSW83SXVYWlU2QzVDV1dDTlV6MndqSk1sMTAiLCJtYWMiOiJlZDdkYzEzOTY3ZjlhZTY2MzRjN2FiMmU1NmI4Y2M2NTE3NGIyODJjYjNhYTcxYzdiNzZkMDY1OTkzNmI5MDIxIiwidGFnIjoiIn0%3D; expires=Tue, 23-May-2023 22:21:11 GMT; Max-Age=***replaced***; path=/

are missing the "HttpOnly" attribute.

impact:

solution: Mitigation: Set the 'HttpOnly' attribute for any session cookie.

############################################################

# host: inventory.ase.cit.tum.de, ip: 131.159.89.189, tcp port: 443

+ 5.0 - Missing HttpOnly Cookie Attribute (HTTP)

+ 2023-05-15T14:20:48Z - ee973ff2-9ff5-42ac-8875-33d72cae6b9d - 1.3.6.1.4.1.25623.1.0.105925

summary: The remote HTTP web server / application is missing to set the

'HttpOnly' cookie attribute for one or more sent HTTP cookie.

problem: The cookies:

Set-Cookie: XSRF-TOKEN=eyJpdiI6IjlhaXRyZ3VQOExZaWZFMVlFSGZUdXc9PSIsInZhbHVlIjoiQzVSTm54dU5jS21kQzFKMjkrNE5KQmozU0NBc29FTFprd2luSUF2aUFyQkxFbWpkRVd1VTdGOG9IOHNvN3E3dENUMjVUYUk3NUt3TmhYOGNaT0tGUXVQNHdEZUlSWnBoWEF4Q3QzaENPOWxzYS96TnRxdTJsNFoxeUZNYzgxVVUiLCJtYWMiOiJiY2M0NTY1ZjU1OTBjYzVlZTQ1ZGIwMzY5MDRiNDMwMWU4NWI5YjA0ZDEwODU3NzU0MTFiNmUyZDNiNjEyNDViIiwidGFnIjoiIn0%3D; expires=Tue, 23-May-2023 22:23:14 GMT; Max-Age=***replaced***; path=/

are missing the "HttpOnly" attribute.

impact:

solution: Mitigation: Set the 'HttpOnly' attribute for any session cookie.

############################################################

# host: inventory.ase.cit.tum.de, ip: 131.159.89.189, tcp port: 443

+ 5.0 - Missing HttpOnly Cookie Attribute (HTTP)

+ 2023-05-15T14:20:48Z - d56fdad6-09a3-4bf6-a719-085e898d0097 - 1.3.6.1.4.1.25623.1.0.105925

summary: The remote HTTP web server / application is missing to set the

'HttpOnly' cookie attribute for one or more sent HTTP cookie.

problem: The cookies:

Set-Cookie: XSRF-TOKEN=eyJpdiI6ImRJNWl0SzBMQkhHa2lNaVU1MG5BR1E9PSIsInZhbHVlIjoibHFOeEwxVElyZFZXek9DejkrU1lHeTk3eHhJV2UvWG5xM1hzZzBKalhnbE0xbW14V2VSL2M3Qm93amFBUWpOd21MUXNWd3Jiajlmam1LcWppT2I0Z3VEb0NObFJjSHZBS2UvTmRuOWQ5RXU3UW5OdldxZTBLSVpMUmFINU9YMFoiLCJtYWMiOiI4ZTQ4ZTQ5MDZhNGQwOTQwNmJhNTcyYTE1YTNkYzdjMzE4NjJjYzQ3OThkNWNjNmE3MmI4YmY2OTUyZDg2MWU1IiwidGFnIjoiIn0%3D; expires=Tue, 23-May-2023 22:23:13 GMT; Max-Age=***replaced***; path=/

are missing the "HttpOnly" attribute.

impact:

solution: Mitigation: Set the 'HttpOnly' attribute for any session cookie.

############################################################

# host: inventory.ase.cit.tum.de, ip: 131.159.89.189, tcp port: 443

+ 5.0 - Missing HttpOnly Cookie Attribute (HTTP)

+ 2023-05-15T14:20:48Z - bd3a2a97-7504-4d2a-9cc1-0fc6887a54e4 - 1.3.6.1.4.1.25623.1.0.105925

summary: The remote HTTP web server / application is missing to set the

'HttpOnly' cookie attribute for one or more sent HTTP cookie.

problem: The cookies:

Set-Cookie: XSRF-TOKEN=eyJpdiI6Ik82ckc3TmxKamt3UmpwWFMwb1ZvbXc9PSIsInZhbHVlIjoiRzFKRi9OdkhhYTFwbHZ5ZTJsKy9Bem9KcmFUdmxsenk1QUFSeG5BdGVNWGVJR2NxdTFsbVdyNlZoYjBuVUM4SkF3K3R0Mlk0ek1Xb0c0K0J3TlpkcXRDU1J0NC9GVGFPMllvajduQjVpVzhMMGxxcnRQUmJhdFBHaHJIV3o1UFAiLCJtYWMiOiIzMDY4OTQ2YjZhYjBjZmJhOTIxYjA3MjAwNjk1YWU3NGM5N2UyZjE4MDhkYzBmNjQ3Mzg4ZTdkNjMyMGZkYjY5IiwidGFnIjoiIn0%3D; expires=Tue, 23-May-2023 22:23:13 GMT; Max-Age=***replaced***; path=/

are missing the "HttpOnly" attribute.

impact:

solution: Mitigation: Set the 'HttpOnly' attribute for any session cookie.

############################################################

# host: moodle.ase.cs.tum.edu, ip: 131.159.89.183, tcp port: 443

+ 5.0 - Missing HttpOnly Cookie Attribute (HTTP)

+ 2023-05-15T13:16:25Z - a25737cc-6d7c-48fe-b0a1-ea3d710bb01b - 1.3.6.1.4.1.25623.1.0.105925

summary: The remote HTTP web server / application is missing to set the

'HttpOnly' cookie attribute for one or more sent HTTP cookie.

problem: The cookies:

Set-Cookie: MoodleSession=***replaced***; path=/; secure

are missing the "HttpOnly" attribute.

impact:

solution: Mitigation: Set the 'HttpOnly' attribute for any session cookie.

############################################################

# host: moodle.ase.cs.tum.edu, ip: 131.159.89.183, tcp port: 443

+ 5.0 - Source Control Management (SCM) Files Accessible (HTTP)

+ 2023-05-15T13:16:25Z - 5ce201dc-f82b-4da1-9003-6c885d40e4c5 - 1.3.6.1.4.1.25623.1.0.111084

summary: The script attempts to identify files of a SCM accessible

at the webserver.

problem: The following SCM files/folders were identified:

Match: 0000000000000000000000000000000000000000 1f6ab2b67640ce4f5038c100fbd626f9b4954f7a root <root@vmbhatotia124.in.tum.de> 1656435832 +0200 clone: from git://git.moodle.org/moodle.git

1f6ab2b67640ce4f5038c100fbd626f9b4954f7a cda2e481342ba0644f665ff8e91342abb009192a root <root@vmbhatotia124.in.tum.de> 1668180765 +0100 checkout: moving from MOODLE_311_STABLE to MOODLE_400_STABLE

cda2e481342ba0644f665ff8e91342abb009192a a2b88160d77b122fdd945bb9ed5d82a850a3adb6 root <root@vmbhatotia124.in.tum.de> 1675437321 +0100 pull: Fast-forward

a2b88160d77b122fdd945bb9ed5d82a850a3adb6 cb6dc699b8ed9d29dcd9cd400fb96647a471e87a root <root@vmbhatotia124.in.tum.de> 1675437385 +0100 checkout: moving from MOODLE_400_STABLE to origin/MOODLE_401_STABLE

URL: https://moodle.ase.in.tum.de/.git/logs/HEAD

Match: [core]

[remote "origin"]

[branch "MOODLE_311_STABLE"]

[branch "MOODLE_400_STABLE"]

URL: https://moodle.ase.in.tum.de/.git/config

Match: # git ls-files --others --exclude-from=.git/info/exclude

URL: https://moodle.ase.in.tum.de/.git/info/exclude

Match: Unnamed repository; edit this file 'description' to name the repository.

URL: https://moodle.ase.in.tum.de/.git/description

Match: a2b88160d77b122fdd945bb9ed5d82a850a3adb6 branch 'MOODLE_400_STABLE' of git://git.moodle.org/moodle

ec6ed8e4cfa7babc64039869ccc7fa7869a9dc53 not-for-merge branch 'MOODLE_13_STABLE' of git://git.moodle.org/moodle

ff8ed9e11863df18a2ca571195e8c9b0e660a9bf not-for-merge branch 'MOODLE_14_STABLE' of git://git.moodle.org/moodle

20ea0682124c3117ea04f8d83a4fb84747b30437 not-for-merge branch 'MOODLE_15_STABLE' of git://git.moodle.org/moodle

fb1a72d5c2fc61a4dbb9a213d78c6b75fc0098d6 not-for-merge branch 'MOODLE_16_STABLE' of git://git.moodle.org/moodle

cb6d0894c33e0cf9193f05f7c615b1902b371c75 not-for-merge branch 'MOODLE_17_STABLE' of git://git.moodle.org/moodle

91a49999829e23f08502a646d84eb0333405cc16 not-for-merge branch 'MOODLE_18_STABLE' of git://git.moodle.org/moodle

572729aaa5b23c087f712e4fe4c43fa5d7cc1853 not-for-merge branch 'MOODLE_19_STABLE' of git://git.moodle.org/moodle

c4f6df5a1ac39818b6988890d36896e049b0e99d not-for-merge branch 'MOODLE_20_STABLE' of git://git.moodle.org/moodle

6ccbbe593649ce5d5a47d8046f2e30c739cd2a20 not-for-merge branch 'MOODLE_21_STABLE' of git://git.moodle.org/moodle

9c458edc33577cee5fee343333aa00a7b54fcfdd not-for-merge branch 'MOODLE_22_STABLE' of git://git.moodle.org/moodle

cbb12cf9724a0d7248a9ab81eea51fbb3a1eb59c not-for-merge branch 'MOODLE_23_STABLE' of git://git.moodle.org/moodle

928f14b3cc509b9ad27b3172a8417e2ffe03ce72 not-for-merge branch 'MOODLE_24_STABLE' of git://git.moodle.org/moodle

e4a9d2b9f62391813478f0f048de1ea769c1d565 not-for-merge branch 'MOODLE_25_STABLE' of git://git.moodle.org/moodle

97c956f97073448db95ce87aef04d9740989c645 not-for-merge branch 'MOODLE_26_STABLE' of git://git.moodle.org/moodle

54a393ab62c9ac86b08bc7130a80dd8685ff0adf not-for-merge branch 'MOODLE_27_STABLE' of git://git.moodle.org/moodle

aba54964abec2081ba139ad0ea1a4f5627c24fa7 not-for-merge branch 'MOODLE_28_STABLE' of git://git.moodle.org/moodle

382d80646b7efbcae6f80a1b78ebdad78f5fd24e not-for-merge branch 'MOODLE_29_STABLE' of git://git.moodle.org/moodle

0bd0ee444a07818fc495c95697ea1ec1a6abeefb not-for-merge branch 'MOODLE_30_STABLE' of git://git.moodle.org/moodle

3c33177dd21e3a46e8825b2df3cb3476936b68ee not-for-merge branch 'MOODLE_310_STABLE' of git://git.moodle.org/moodle

fa6c77adc74a94ef7e935b985832589a092e4083 not-for-merge branch 'MOODLE_311_STABLE' of git://git.moodle.org/moodle

92e218fd8adafbe8822dbc0e611b540f71764792 not-for-merge branch 'MOODLE_31_STABLE' of git://git.moodle.org/moodle

45f418c1fb6b133e024cc09b346936e80b125078 not-for-merge branch 'MOODLE_32_STABLE' of git://git.moodle.org/moodle

ae82333cf25219ba627538f7e8de72f0b4028460 not-for-merge branch 'MOODLE_33_STABLE' of git://git.moodle.org/moodle

9650f3f56f74941b1ed03833a9e0f55cc7bb7082 not-for-merge branch 'MOODLE_34_STABLE' of git://git.moodle.org/moodle

22984eaeccf9ccd72572cc4cc51ae9372cefa06d not-for-merge branch 'MOODLE_35_STABLE' of git://git.moodle.org/moodle

940aa17049aa429b03cd39a241f6e90c0b1190b7 not-for-merge branch 'MOODLE_36_STABLE' of git://git.moodle.org/moodle

3517c9c9ad10ee2ca233ef4ed8c2a429798b9dd0 not-for-merge branch 'MOODLE_37_STABLE' of git://git.moodle.org/moodle

49648fdf30aae05b61604a12549436cee8c96436 not-for-merge branch 'MOODLE_38_STABLE' of git://git.moodle.org/moodle

e23d81ca404f4ef27e1e10d87b3ea7b9f8dce4a7 not-for-merge branch 'MOODLE_39_STABLE' of git://git.moodle.org/moodle

cb6dc699b8ed9d29dcd9cd400fb96647a471e87a not-for-merge branch 'MOODLE_401_STABLE' of git://git.moodle.org/moodle

0780e87f06eb834786f562316ad9699480bcd24e not-for-merge branch 'master' of git://git.moodle.org/moodle

URL: https://moodle.ase.in.tum.de/.git/FETCH_HEAD

Match: cda2e481342ba0644f665ff8e91342abb009192a

URL: https://moodle.ase.in.tum.de/.git/ORIG_HEAD

impact: Based on the information provided in these files an attacker might

be able to gather additional info about the structure of the system and its applications.

solution: Mitigation: Restrict access to the SCM files for authorized systems only.

############################################################

# host: moodle.ase.cs.tum.edu, ip: 131.159.89.183, tcp port: 443

+ 5.0 - Source Control Management (SCM) Files Accessible (HTTP)

+ 2023-05-15T13:16:25Z - 725a474b-c319-487a-9768-0a5871c7b5bc - 1.3.6.1.4.1.25623.1.0.111084

summary: The script attempts to identify files of a SCM accessible

at the webserver.

problem: The following SCM files/folders were identified:

Match: 0000000000000000000000000000000000000000 1f6ab2b67640ce4f5038c100fbd626f9b4954f7a root <root@vmbhatotia124.in.tum.de> 1656435832 +0200 clone: from git://git.moodle.org/moodle.git

1f6ab2b67640ce4f5038c100fbd626f9b4954f7a cda2e481342ba0644f665ff8e91342abb009192a root <root@vmbhatotia124.in.tum.de> 1668180765 +0100 checkout: moving from MOODLE_311_STABLE to MOODLE_400_STABLE

cda2e481342ba0644f665ff8e91342abb009192a a2b88160d77b122fdd945bb9ed5d82a850a3adb6 root <root@vmbhatotia124.in.tum.de> 1675437321 +0100 pull: Fast-forward

a2b88160d77b122fdd945bb9ed5d82a850a3adb6 cb6dc699b8ed9d29dcd9cd400fb96647a471e87a root <root@vmbhatotia124.in.tum.de> 1675437385 +0100 checkout: moving from MOODLE_400_STABLE to origin/MOODLE_401_STABLE

URL: https://moodle.ase.cs.tum.edu/.git/logs/HEAD

Match: [core]

[remote "origin"]

[branch "MOODLE_311_STABLE"]

[branch "MOODLE_400_STABLE"]

URL: https://moodle.ase.cs.tum.edu/.git/config

Match: # git ls-files --others --exclude-from=.git/info/exclude

URL: https://moodle.ase.cs.tum.edu/.git/info/exclude

Match: Unnamed repository; edit this file 'description' to name the repository.

URL: https://moodle.ase.cs.tum.edu/.git/description

Match: a2b88160d77b122fdd945bb9ed5d82a850a3adb6 branch 'MOODLE_400_STABLE' of git://git.moodle.org/moodle

ec6ed8e4cfa7babc64039869ccc7fa7869a9dc53 not-for-merge branch 'MOODLE_13_STABLE' of git://git.moodle.org/moodle

ff8ed9e11863df18a2ca571195e8c9b0e660a9bf not-for-merge branch 'MOODLE_14_STABLE' of git://git.moodle.org/moodle

20ea0682124c3117ea04f8d83a4fb84747b30437 not-for-merge branch 'MOODLE_15_STABLE' of git://git.moodle.org/moodle

fb1a72d5c2fc61a4dbb9a213d78c6b75fc0098d6 not-for-merge branch 'MOODLE_16_STABLE' of git://git.moodle.org/moodle

cb6d0894c33e0cf9193f05f7c615b1902b371c75 not-for-merge branch 'MOODLE_17_STABLE' of git://git.moodle.org/moodle

91a49999829e23f08502a646d84eb0333405cc16 not-for-merge branch 'MOODLE_18_STABLE' of git://git.moodle.org/moodle

572729aaa5b23c087f712e4fe4c43fa5d7cc1853 not-for-merge branch 'MOODLE_19_STABLE' of git://git.moodle.org/moodle

c4f6df5a1ac39818b6988890d36896e049b0e99d not-for-merge branch 'MOODLE_20_STABLE' of git://git.moodle.org/moodle

6ccbbe593649ce5d5a47d8046f2e30c739cd2a20 not-for-merge branch 'MOODLE_21_STABLE' of git://git.moodle.org/moodle

9c458edc33577cee5fee343333aa00a7b54fcfdd not-for-merge branch 'MOODLE_22_STABLE' of git://git.moodle.org/moodle

cbb12cf9724a0d7248a9ab81eea51fbb3a1eb59c not-for-merge branch 'MOODLE_23_STABLE' of git://git.moodle.org/moodle

928f14b3cc509b9ad27b3172a8417e2ffe03ce72 not-for-merge branch 'MOODLE_24_STABLE' of git://git.moodle.org/moodle

e4a9d2b9f62391813478f0f048de1ea769c1d565 not-for-merge branch 'MOODLE_25_STABLE' of git://git.moodle.org/moodle

97c956f97073448db95ce87aef04d9740989c645 not-for-merge branch 'MOODLE_26_STABLE' of git://git.moodle.org/moodle

54a393ab62c9ac86b08bc7130a80dd8685ff0adf not-for-merge branch 'MOODLE_27_STABLE' of git://git.moodle.org/moodle

aba54964abec2081ba139ad0ea1a4f5627c24fa7 not-for-merge branch 'MOODLE_28_STABLE' of git://git.moodle.org/moodle

382d80646b7efbcae6f80a1b78ebdad78f5fd24e not-for-merge branch 'MOODLE_29_STABLE' of git://git.moodle.org/moodle

0bd0ee444a07818fc495c95697ea1ec1a6abeefb not-for-merge branch 'MOODLE_30_STABLE' of git://git.moodle.org/moodle

3c33177dd21e3a46e8825b2df3cb3476936b68ee not-for-merge branch 'MOODLE_310_STABLE' of git://git.moodle.org/moodle

fa6c77adc74a94ef7e935b985832589a092e4083 not-for-merge branch 'MOODLE_311_STABLE' of git://git.moodle.org/moodle

92e218fd8adafbe8822dbc0e611b540f71764792 not-for-merge branch 'MOODLE_31_STABLE' of git://git.moodle.org/moodle

45f418c1fb6b133e024cc09b346936e80b125078 not-for-merge branch 'MOODLE_32_STABLE' of git://git.moodle.org/moodle

ae82333cf25219ba627538f7e8de72f0b4028460 not-for-merge branch 'MOODLE_33_STABLE' of git://git.moodle.org/moodle

9650f3f56f74941b1ed03833a9e0f55cc7bb7082 not-for-merge branch 'MOODLE_34_STABLE' of git://git.moodle.org/moodle

22984eaeccf9ccd72572cc4cc51ae9372cefa06d not-for-merge branch 'MOODLE_35_STABLE' of git://git.moodle.org/moodle

940aa17049aa429b03cd39a241f6e90c0b1190b7 not-for-merge branch 'MOODLE_36_STABLE' of git://git.moodle.org/moodle

3517c9c9ad10ee2ca233ef4ed8c2a429798b9dd0 not-for-merge branch 'MOODLE_37_STABLE' of git://git.moodle.org/moodle

49648fdf30aae05b61604a12549436cee8c96436 not-for-merge branch 'MOODLE_38_STABLE' of git://git.moodle.org/moodle

e23d81ca404f4ef27e1e10d87b3ea7b9f8dce4a7 not-for-merge branch 'MOODLE_39_STABLE' of git://git.moodle.org/moodle

cb6dc699b8ed9d29dcd9cd400fb96647a471e87a not-for-merge branch 'MOODLE_401_STABLE' of git://git.moodle.org/moodle

0780e87f06eb834786f562316ad9699480bcd24e not-for-merge branch 'master' of git://git.moodle.org/moodle

URL: https://moodle.ase.cs.tum.edu/.git/FETCH_HEAD

Match: cda2e481342ba0644f665ff8e91342abb009192a

URL: https://moodle.ase.cs.tum.edu/.git/ORIG_HEAD

impact: Based on the information provided in these files an attacker might

be able to gather additional info about the structure of the system and its applications.

solution: Mitigation: Restrict access to the SCM files for authorized systems only.

############################################################

# host: moodle.ase.cs.tum.edu, ip: 131.159.89.183, tcp port: 443

+ 5.0 - Missing HttpOnly Cookie Attribute (HTTP)

+ 2023-05-15T13:16:25Z - ac7a41ab-cd3b-4012-a000-7725a8b9ae09 - 1.3.6.1.4.1.25623.1.0.105925

summary: The remote HTTP web server / application is missing to set the

'HttpOnly' cookie attribute for one or more sent HTTP cookie.

problem: The cookies:

Set-Cookie: MoodleSession=***replaced***; path=/; secure

are missing the "HttpOnly" attribute.

impact:

solution: Mitigation: Set the 'HttpOnly' attribute for any session cookie.

############################################################

# host: moodle.ase.cs.tum.edu, ip: 131.159.89.183, tcp port: 443

+ 5.0 - Missing HttpOnly Cookie Attribute (HTTP)

+ 2023-05-15T13:16:25Z - cbf152b2-2f4e-430d-8e13-a3872550c7b7 - 1.3.6.1.4.1.25623.1.0.105925

summary: The remote HTTP web server / application is missing to set the

'HttpOnly' cookie attribute for one or more sent HTTP cookie.

problem: The cookies:

Set-Cookie: MoodleSession=***replaced***; path=/; secure

are missing the "HttpOnly" attribute.

impact:

solution: Mitigation: Set the 'HttpOnly' attribute for any session cookie.

############################################################

# host: moodle.ase.cs.tum.edu, ip: 131.159.89.183, tcp port: 443

+ 5.0 - Source Control Management (SCM) Files Accessible (HTTP)

+ 2023-05-15T13:16:25Z - 0feaa0fd-e98c-41ae-8d4f-07135389af7d - 1.3.6.1.4.1.25623.1.0.111084

summary: The script attempts to identify files of a SCM accessible

at the webserver.

problem: The following SCM files/folders were identified:

Match: 0000000000000000000000000000000000000000 1f6ab2b67640ce4f5038c100fbd626f9b4954f7a root <root@vmbhatotia124.in.tum.de> 1656435832 +0200 clone: from git://git.moodle.org/moodle.git

1f6ab2b67640ce4f5038c100fbd626f9b4954f7a cda2e481342ba0644f665ff8e91342abb009192a root <root@vmbhatotia124.in.tum.de> 1668180765 +0100 checkout: moving from MOODLE_311_STABLE to MOODLE_400_STABLE

cda2e481342ba0644f665ff8e91342abb009192a a2b88160d77b122fdd945bb9ed5d82a850a3adb6 root <root@vmbhatotia124.in.tum.de> 1675437321 +0100 pull: Fast-forward

a2b88160d77b122fdd945bb9ed5d82a850a3adb6 cb6dc699b8ed9d29dcd9cd400fb96647a471e87a root <root@vmbhatotia124.in.tum.de> 1675437385 +0100 checkout: moving from MOODLE_400_STABLE to origin/MOODLE_401_STABLE

URL: https://vmbhatotia124.in.tum.de/.git/logs/HEAD

Match: [core]

[remote "origin"]

[branch "MOODLE_311_STABLE"]

[branch "MOODLE_400_STABLE"]

URL: https://vmbhatotia124.in.tum.de/.git/config

Match: # git ls-files --others --exclude-from=.git/info/exclude

URL: https://vmbhatotia124.in.tum.de/.git/info/exclude

Match: Unnamed repository; edit this file 'description' to name the repository.

URL: https://vmbhatotia124.in.tum.de/.git/description

Match: a2b88160d77b122fdd945bb9ed5d82a850a3adb6 branch 'MOODLE_400_STABLE' of git://git.moodle.org/moodle

ec6ed8e4cfa7babc64039869ccc7fa7869a9dc53 not-for-merge branch 'MOODLE_13_STABLE' of git://git.moodle.org/moodle

ff8ed9e11863df18a2ca571195e8c9b0e660a9bf not-for-merge branch 'MOODLE_14_STABLE' of git://git.moodle.org/moodle

20ea0682124c3117ea04f8d83a4fb84747b30437 not-for-merge branch 'MOODLE_15_STABLE' of git://git.moodle.org/moodle

fb1a72d5c2fc61a4dbb9a213d78c6b75fc0098d6 not-for-merge branch 'MOODLE_16_STABLE' of git://git.moodle.org/moodle

cb6d0894c33e0cf9193f05f7c615b1902b371c75 not-for-merge branch 'MOODLE_17_STABLE' of git://git.moodle.org/moodle

91a49999829e23f08502a646d84eb0333405cc16 not-for-merge branch 'MOODLE_18_STABLE' of git://git.moodle.org/moodle

572729aaa5b23c087f712e4fe4c43fa5d7cc1853 not-for-merge branch 'MOODLE_19_STABLE' of git://git.moodle.org/moodle

c4f6df5a1ac39818b6988890d36896e049b0e99d not-for-merge branch 'MOODLE_20_STABLE' of git://git.moodle.org/moodle

6ccbbe593649ce5d5a47d8046f2e30c739cd2a20 not-for-merge branch 'MOODLE_21_STABLE' of git://git.moodle.org/moodle

9c458edc33577cee5fee343333aa00a7b54fcfdd not-for-merge branch 'MOODLE_22_STABLE' of git://git.moodle.org/moodle

cbb12cf9724a0d7248a9ab81eea51fbb3a1eb59c not-for-merge branch 'MOODLE_23_STABLE' of git://git.moodle.org/moodle

928f14b3cc509b9ad27b3172a8417e2ffe03ce72 not-for-merge branch 'MOODLE_24_STABLE' of git://git.moodle.org/moodle

e4a9d2b9f62391813478f0f048de1ea769c1d565 not-for-merge branch 'MOODLE_25_STABLE' of git://git.moodle.org/moodle

97c956f97073448db95ce87aef04d9740989c645 not-for-merge branch 'MOODLE_26_STABLE' of git://git.moodle.org/moodle

54a393ab62c9ac86b08bc7130a80dd8685ff0adf not-for-merge branch 'MOODLE_27_STABLE' of git://git.moodle.org/moodle

aba54964abec2081ba139ad0ea1a4f5627c24fa7 not-for-merge branch 'MOODLE_28_STABLE' of git://git.moodle.org/moodle

382d80646b7efbcae6f80a1b78ebdad78f5fd24e not-for-merge branch 'MOODLE_29_STABLE' of git://git.moodle.org/moodle

0bd0ee444a07818fc495c95697ea1ec1a6abeefb not-for-merge branch 'MOODLE_30_STABLE' of git://git.moodle.org/moodle

3c33177dd21e3a46e8825b2df3cb3476936b68ee not-for-merge branch 'MOODLE_310_STABLE' of git://git.moodle.org/moodle

fa6c77adc74a94ef7e935b985832589a092e4083 not-for-merge branch 'MOODLE_311_STABLE' of git://git.moodle.org/moodle

92e218fd8adafbe8822dbc0e611b540f71764792 not-for-merge branch 'MOODLE_31_STABLE' of git://git.moodle.org/moodle

45f418c1fb6b133e024cc09b346936e80b125078 not-for-merge branch 'MOODLE_32_STABLE' of git://git.moodle.org/moodle

ae82333cf25219ba627538f7e8de72f0b4028460 not-for-merge branch 'MOODLE_33_STABLE' of git://git.moodle.org/moodle

9650f3f56f74941b1ed03833a9e0f55cc7bb7082 not-for-merge branch 'MOODLE_34_STABLE' of git://git.moodle.org/moodle

22984eaeccf9ccd72572cc4cc51ae9372cefa06d not-for-merge branch 'MOODLE_35_STABLE' of git://git.moodle.org/moodle

940aa17049aa429b03cd39a241f6e90c0b1190b7 not-for-merge branch 'MOODLE_36_STABLE' of git://git.moodle.org/moodle

3517c9c9ad10ee2ca233ef4ed8c2a429798b9dd0 not-for-merge branch 'MOODLE_37_STABLE' of git://git.moodle.org/moodle

49648fdf30aae05b61604a12549436cee8c96436 not-for-merge branch 'MOODLE_38_STABLE' of git://git.moodle.org/moodle

e23d81ca404f4ef27e1e10d87b3ea7b9f8dce4a7 not-for-merge branch 'MOODLE_39_STABLE' of git://git.moodle.org/moodle

cb6dc699b8ed9d29dcd9cd400fb96647a471e87a not-for-merge branch 'MOODLE_401_STABLE' of git://git.moodle.org/moodle

0780e87f06eb834786f562316ad9699480bcd24e not-for-merge branch 'master' of git://git.moodle.org/moodle

URL: https://vmbhatotia124.in.tum.de/.git/FETCH_HEAD

Match: cda2e481342ba0644f665ff8e91342abb009192a

URL: https://vmbhatotia124.in.tum.de/.git/ORIG_HEAD

impact: Based on the information provided in these files an attacker might

be able to gather additional info about the structure of the system and its applications.

solution: Mitigation: Restrict access to the SCM files for authorized systems only.

############################################################

# host: moodle.ase.cs.tum.edu, ip: 131.159.89.183, tcp port: 443

+ 5.0 - Missing HttpOnly Cookie Attribute (HTTP)

+ 2023-05-15T13:16:25Z - 01aa0a05-1fea-48f8-a191-eb340bcb35c5 - 1.3.6.1.4.1.25623.1.0.105925

summary: The remote HTTP web server / application is missing to set the

'HttpOnly' cookie attribute for one or more sent HTTP cookie.

problem: The cookies:

Set-Cookie: MoodleSession=***replaced***; path=/; secure

are missing the "HttpOnly" attribute.

impact:

solution: Mitigation: Set the 'HttpOnly' attribute for any session cookie.

############################################################

# host: moodle.ase.cs.tum.edu, ip: 131.159.89.183, tcp port: 443

+ 5.0 - Source Control Management (SCM) Files Accessible (HTTP)

+ 2023-05-15T13:16:25Z - 0b115856-96af-4990-8554-07d3b50c6c22 - 1.3.6.1.4.1.25623.1.0.111084

summary: The script attempts to identify files of a SCM accessible

at the webserver.

problem: The following SCM files/folders were identified:

Match: 0000000000000000000000000000000000000000 1f6ab2b67640ce4f5038c100fbd626f9b4954f7a root <root@vmbhatotia124.in.tum.de> 1656435832 +0200 clone: from git://git.moodle.org/moodle.git

1f6ab2b67640ce4f5038c100fbd626f9b4954f7a cda2e481342ba0644f665ff8e91342abb009192a root <root@vmbhatotia124.in.tum.de> 1668180765 +0100 checkout: moving from MOODLE_311_STABLE to MOODLE_400_STABLE

cda2e481342ba0644f665ff8e91342abb009192a a2b88160d77b122fdd945bb9ed5d82a850a3adb6 root <root@vmbhatotia124.in.tum.de> 1675437321 +0100 pull: Fast-forward

a2b88160d77b122fdd945bb9ed5d82a850a3adb6 cb6dc699b8ed9d29dcd9cd400fb96647a471e87a root <root@vmbhatotia124.in.tum.de> 1675437385 +0100 checkout: moving from MOODLE_400_STABLE to origin/MOODLE_401_STABLE

URL: https://vmbhatotia124.cs.tum.edu/.git/logs/HEAD

Match: [core]

[remote "origin"]

[branch "MOODLE_311_STABLE"]

[branch "MOODLE_400_STABLE"]

URL: https://vmbhatotia124.cs.tum.edu/.git/config

Match: # git ls-files --others --exclude-from=.git/info/exclude

URL: https://vmbhatotia124.cs.tum.edu/.git/info/exclude

Match: Unnamed repository; edit this file 'description' to name the repository.

URL: https://vmbhatotia124.cs.tum.edu/.git/description

Match: a2b88160d77b122fdd945bb9ed5d82a850a3adb6 branch 'MOODLE_400_STABLE' of git://git.moodle.org/moodle

ec6ed8e4cfa7babc64039869ccc7fa7869a9dc53 not-for-merge branch 'MOODLE_13_STABLE' of git://git.moodle.org/moodle

ff8ed9e11863df18a2ca571195e8c9b0e660a9bf not-for-merge branch 'MOODLE_14_STABLE' of git://git.moodle.org/moodle

20ea0682124c3117ea04f8d83a4fb84747b30437 not-for-merge branch 'MOODLE_15_STABLE' of git://git.moodle.org/moodle

fb1a72d5c2fc61a4dbb9a213d78c6b75fc0098d6 not-for-merge branch 'MOODLE_16_STABLE' of git://git.moodle.org/moodle

cb6d0894c33e0cf9193f05f7c615b1902b371c75 not-for-merge branch 'MOODLE_17_STABLE' of git://git.moodle.org/moodle

91a49999829e23f08502a646d84eb0333405cc16 not-for-merge branch 'MOODLE_18_STABLE' of git://git.moodle.org/moodle

572729aaa5b23c087f712e4fe4c43fa5d7cc1853 not-for-merge branch 'MOODLE_19_STABLE' of git://git.moodle.org/moodle

c4f6df5a1ac39818b6988890d36896e049b0e99d not-for-merge branch 'MOODLE_20_STABLE' of git://git.moodle.org/moodle

6ccbbe593649ce5d5a47d8046f2e30c739cd2a20 not-for-merge branch 'MOODLE_21_STABLE' of git://git.moodle.org/moodle

9c458edc33577cee5fee343333aa00a7b54fcfdd not-for-merge branch 'MOODLE_22_STABLE' of git://git.moodle.org/moodle

cbb12cf9724a0d7248a9ab81eea51fbb3a1eb59c not-for-merge branch 'MOODLE_23_STABLE' of git://git.moodle.org/moodle

928f14b3cc509b9ad27b3172a8417e2ffe03ce72 not-for-merge branch 'MOODLE_24_STABLE' of git://git.moodle.org/moodle

e4a9d2b9f62391813478f0f048de1ea769c1d565 not-for-merge branch 'MOODLE_25_STABLE' of git://git.moodle.org/moodle

97c956f97073448db95ce87aef04d9740989c645 not-for-merge branch 'MOODLE_26_STABLE' of git://git.moodle.org/moodle

54a393ab62c9ac86b08bc7130a80dd8685ff0adf not-for-merge branch 'MOODLE_27_STABLE' of git://git.moodle.org/moodle

aba54964abec2081ba139ad0ea1a4f5627c24fa7 not-for-merge branch 'MOODLE_28_STABLE' of git://git.moodle.org/moodle

382d80646b7efbcae6f80a1b78ebdad78f5fd24e not-for-merge branch 'MOODLE_29_STABLE' of git://git.moodle.org/moodle

0bd0ee444a07818fc495c95697ea1ec1a6abeefb not-for-merge branch 'MOODLE_30_STABLE' of git://git.moodle.org/moodle

3c33177dd21e3a46e8825b2df3cb3476936b68ee not-for-merge branch 'MOODLE_310_STABLE' of git://git.moodle.org/moodle

fa6c77adc74a94ef7e935b985832589a092e4083 not-for-merge branch 'MOODLE_311_STABLE' of git://git.moodle.org/moodle

92e218fd8adafbe8822dbc0e611b540f71764792 not-for-merge branch 'MOODLE_31_STABLE' of git://git.moodle.org/moodle

45f418c1fb6b133e024cc09b346936e80b125078 not-for-merge branch 'MOODLE_32_STABLE' of git://git.moodle.org/moodle

ae82333cf25219ba627538f7e8de72f0b4028460 not-for-merge branch 'MOODLE_33_STABLE' of git://git.moodle.org/moodle

9650f3f56f74941b1ed03833a9e0f55cc7bb7082 not-for-merge branch 'MOODLE_34_STABLE' of git://git.moodle.org/moodle

22984eaeccf9ccd72572cc4cc51ae9372cefa06d not-for-merge branch 'MOODLE_35_STABLE' of git://git.moodle.org/moodle

940aa17049aa429b03cd39a241f6e90c0b1190b7 not-for-merge branch 'MOODLE_36_STABLE' of git://git.moodle.org/moodle

3517c9c9ad10ee2ca233ef4ed8c2a429798b9dd0 not-for-merge branch 'MOODLE_37_STABLE' of git://git.moodle.org/moodle

49648fdf30aae05b61604a12549436cee8c96436 not-for-merge branch 'MOODLE_38_STABLE' of git://git.moodle.org/moodle

e23d81ca404f4ef27e1e10d87b3ea7b9f8dce4a7 not-for-merge branch 'MOODLE_39_STABLE' of git://git.moodle.org/moodle

cb6dc699b8ed9d29dcd9cd400fb96647a471e87a not-for-merge branch 'MOODLE_401_STABLE' of git://git.moodle.org/moodle

0780e87f06eb834786f562316ad9699480bcd24e not-for-merge branch 'master' of git://git.moodle.org/moodle

URL: https://vmbhatotia124.cs.tum.edu/.git/FETCH_HEAD

Match: cda2e481342ba0644f665ff8e91342abb009192a

URL: https://vmbhatotia124.cs.tum.edu/.git/ORIG_HEAD

impact: Based on the information provided in these files an attacker might

be able to gather additional info about the structure of the system and its applications.

solution: Mitigation: Restrict access to the SCM files for authorized systems only.

############################################################

# host: vmbhatotia13.in.tum.de, ip: 131.159.39.212, tcp port: 443

+ 5.0 - SSL/TLS: Certificate Expired

+ 2023-05-16T01:07:34Z - 227975b4-5ccd-4b7c-881e-b8ca8998c015 - 1.3.6.1.4.1.25623.1.0.103955

summary: The remote server's SSL/TLS certificate has already expired.

problem: The certificate of the remote service expired on 2021-06-24 09:26:43.

Certificate details:

fingerprint (SHA-1) | 172AA3C5CF787696981DEA41DEEA381653EA0E6D

fingerprint (SHA-256) | 6E0420E85973F5A08A04A176296293292043F70E42DD6F6E7DBADF5A33A14BB3

issued by | CN=DFN-Verein Global Issuing CA,OU=DFN-PKI,O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.,C=DE

public key algorithm | RSA

public key size (bits) | 2048

serial | 2416437138E047784219D399

signature algorithm | sha256WithRSAEncryption

subject | CN=vmbhatotia13.in.tum.de,OU=Fakultaet fuer Informatik,O=Technische Universitaet Muenchen,L=Muenchen,ST=Bayern,C=DE

subject alternative names (SAN) | vmbhatotia13.in.tum.de, vmbhatotia13.informatik.tu-muenchen.de, vmbhatotia13.cs.tum.edu, ios2021tumninja.ase.cs.tum.edu, ios2021tumninja.ase.in.tum.de, ios2021tumninja.ase.informatik.tu-muenchen.de

valid from | 2021-01-07 08:27:15 UTC

valid until | 2021-06-24 09:26:43 UTC

impact:

solution: Mitigation: Replace the SSL/TLS certificate by a new one.

############################################################

# host: vmbhatotia13.in.tum.de, ip: 131.159.39.212, tcp port: 8443

+ 5.0 - SSL/TLS: Certificate Expired

+ 2023-05-16T01:07:34Z - 324b3578-960a-4eca-9412-e5f94d07452f - 1.3.6.1.4.1.25623.1.0.103955

summary: The remote server's SSL/TLS certificate has already expired.

problem: The certificate of the remote service expired on 2021-06-24 09:26:43.

Certificate details:

fingerprint (SHA-1) | 172AA3C5CF787696981DEA41DEEA381653EA0E6D

fingerprint (SHA-256) | 6E0420E85973F5A08A04A176296293292043F70E42DD6F6E7DBADF5A33A14BB3

issued by | CN=DFN-Verein Global Issuing CA,OU=DFN-PKI,O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V.,C=DE

public key algorithm | RSA

public key size (bits) | 2048

serial | 2416437138E047784219D399

signature algorithm | sha256WithRSAEncryption

subject | CN=vmbhatotia13.in.tum.de,OU=Fakultaet fuer Informatik,O=Technische Universitaet Muenchen,L=Muenchen,ST=Bayern,C=DE

subject alternative names (SAN) | vmbhatotia13.in.tum.de, vmbhatotia13.informatik.tu-muenchen.de, vmbhatotia13.cs.tum.edu, ios2021tumninja.ase.cs.tum.edu, ios2021tumninja.ase.in.tum.de, ios2021tumninja.ase.informatik.tu-muenchen.de

valid from | 2021-01-07 08:27:15 UTC

valid until | 2021-06-24 09:26:43 UTC

impact:

solution: Mitigation: Replace the SSL/TLS certificate by a new one.

############################################################

# host: bill.dse.in.tum.de, ip: 131.159.102.1, tcp port: 80

+ 5.0 - Missing HttpOnly Cookie Attribute (HTTP)

+ 2023-05-15T06:06:18Z - efd03a30-679f-419b-99ec-7c7ad6511171 - 1.3.6.1.4.1.25623.1.0.105925

summary: The remote HTTP web server / application is missing to set the

'HttpOnly' cookie attribute for one or more sent HTTP cookie.

problem: The cookies:

Set-Cookie: TWISTED_SESSION=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2luZm8iOnsiYW5vbnltb3VzIjp0cnVlfSwiZXhwIjoxNjg0NzM1NTg2fQ.lVixv2QHy-iw2xU8OjEtk9FtOj5Q7gFcdoSaX5FQcKU; Path=/

are missing the "HttpOnly" attribute.

impact:

solution: Mitigation: Set the 'HttpOnly' attribute for any session cookie.

############################################################

# host: bill.dse.in.tum.de, ip: 131.159.102.1, tcp port: 1810

+ 5.0 - Missing HttpOnly Cookie Attribute (HTTP)

+ 2023-05-15T06:06:18Z - 5e6a0a96-6bf1-4ec9-8d6a-13eb8ce0eb02 - 1.3.6.1.4.1.25623.1.0.105925

summary: The remote HTTP web server / application is missing to set the

'HttpOnly' cookie attribute for one or more sent HTTP cookie.

problem: The cookies:

Set-Cookie: TWISTED_SESSION=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2luZm8iOnsiYW5vbnltb3VzIjp0cnVlfSwiZXhwIjoxNjg0NzM1ODMyfQ.UaaQwLjwgsUkAhDj2LpTIUnS049Vkkhj4-n05Gr3QMo; Path=/

are missing the "HttpOnly" attribute.

impact:

solution: Mitigation: Set the 'HttpOnly' attribute for any session cookie.

############################################################

# host: itg-inventory-dev.ase.cit.tum.de, ip: 131.159.89.188, tcp port: 80

+ 4.8 - Cleartext Transmission of Sensitive Information via HTTP

+ 2023-05-15T14:08:22Z - e0bf1837-a869-47d5-8cdc-d143c74e5b68 - 1.3.6.1.4.1.25623.1.0.108440

summary: The host / application transmits sensitive information (username, passwords) in

cleartext via HTTP.

problem: The following input fields where identified (URL:input name):

http://itg-inventory-dev.ase.cit.tum.de/setup/user:password

impact: An attacker could use this situation to compromise or eavesdrop on the

HTTP communication between the client and the server using a man-in-the-middle attack to get access to

sensitive data like usernames or passwords.

solution: Workaround: Enforce the transmission of sensitive data via an encrypted SSL/TLS connection.

Additionally make sure the host / application is redirecting all users to the secured SSL/TLS connection before

allowing to input sensitive data into the mentioned functions.

############################################################

# host: dse.cs.tum.edu, ip: 131.159.89.173, tcp port: 443

+ 4.8 - WordPress Popup Maker Plugin < 1.16.5 XSS Vulnerability

+ 2023-05-15T11:24:18Z - 879d0789-2a99-414a-838b-e9f117d0f236 - 1.3.6.1.4.1.25623.1.0.170318

summary: The WordPress plugin 'Popup Maker' is prone to a cross-site

scripting (XSS) vulnerability.

problem: Installed version: 1.16.4

Fixed version: 1.16.5

Installation

path / port: /wp-content/plugins/popup-maker

impact:

solution: VendorFix: Update to version 1.16.5 or later.

############################################################

# host: dse.cs.tum.edu, ip: 131.159.89.173, tcp port: 443

+ 3.6 - WordPress Popup Maker Plugin < 1.16.11 XSS Vulnerability

+ 2023-05-15T11:24:18Z - cede042c-2423-40f6-858e-17b45290859f - 1.3.6.1.4.1.25623.1.0.170319

summary: The WordPress plugin 'Popup Maker' is prone to a cross-site

scripting (XSS) vulnerability.

problem: Installed version: 1.16.4

Fixed version: 1.16.11

Installation

path / port: /wp-content/plugins/popup-maker

impact:

solution: VendorFix: Update to version 1.16.11 or later.

[Created via e-mail received from: root@in.tum.de]