| Topic: | /enrol/externallib.php method core_enrol_external .get_enrolled_users() uses undefined $context and $coursecontext's in 3 has_capability() calls |
| Severity: | Major |
| Versions affected: | 2.2 to 2.2.1+ |
| Reported by: | Petr Škoda |
| Issue no.: | MDL-31178 |
|
CVE Identifier: |
CVE-2012-1170 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31178 |
Description:
Capability checks in the external enrolment plugin were not being performed thoroughly enough.
| Topic: | HTML5 apps cannot call Web services functions if an HTTP resource is retrieved from the Moodle installation |
| Severity: | Minor |
| Versions affected: | 2.2 to 2.2.1+, 2.1 to 2.1.4+ |
| Reported by: | Juan Leyva |
|
Workaround: |
Disable Web services |
| Issue no.: | MDL-30495 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-30495 |
Description:
HTML5 apps were being sent cookies which, when sent in later access requests, would cause the Web services to block them.
| Topic: | Adding Tag to an unavailable course makes it visible to students |
| Severity: | Minor |
| Versions affected: | 2.2 to 2.2.1+, 2.1 to 2.1.4+ |
| Reported by: | Ivo Šmelhaus |
|
Workaround: |
Don't enable block_tags_showcoursetags |
| Issue no.: | MDL-31466 |
|
CVE Identifier: |
CVE-2012-1161 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31466 |
Description:
Courses identifiable by tags were being displayed in a tag search even when the courses were hidden.
| Topic: | Not enrolled users (admins...) are able to subscribe/unsubscribe themselves via mod/forum/index.php |
| Severity: | Minor |
| Versions affected: | 2.2 to 2.2.1+, 2.1 to 2.1.4+ |
| Reported by: | Eloy Lafuente |
| Issue no.: | MDL-31426 |
|
CVE Identifier: |
CVE-2012-1160 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31426 |
Description:
Administrators and managers were able to subscribe to forums in courses they were not involved in without a permission check.
| Topic: | Overview report shows hidden courses |
| Severity: | Minor |
| Versions affected: | 2.2 to 2.2.1+, 2.1 to 2.1.4+ |
| Reported by: | Mark Nelson |
| Issue no.: | MDL-29892 |
|
CVE Identifier: |
CVE-2012-1159 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29892 |
Description:
Users unable to see hidden courses were able to see them in the overview report.
| Topic: | Gradeboook export allows role that cannot see hidden grades to export all grade and hidden is viewable |
| Severity: | Minor |
| Versions affected: | 2.2 to 2.2.1+, 2.1 to 2.1.4+ |
| Reported by: | Kathryn Fortin |
| Issue no.: | MDL-29080 |
|
CVE Identifier: |
CVE-2012-1158 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29080 |
Description:
Users unable to see hidden grade items were able to view this information in an export.
| Topic: | 'Full name format' set to 'First name' within 'Site Policies', but breadcrumbs show First + Last Name. |
| Severity: | Minor |
| Versions affected: | 2.2 to 2.2.1+, 2.1 to 2.1.4+, 2.0 to 2.0.7+ |
| Reported by: | John Fitchett |
|
Workaround: |
Use lang file based full-name display |
| Issue no.: | MDL-31463 |
|
CVE Identifier: |
CVE-2012-1169 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31463 |
Description:
When the administrative setting to display users' names was set to first name only, users' full names were still appearing in page breadcrumbs.
| Topic: | authenticated user "view" capability set to "allow" for all repos |
| Severity: | Minor |
| Versions affected: | 2.2 to 2.2.1+, 2.1 to 2.1.4+, 2.0 to 2.0.7+ |
| Reported by: | Andrea Bicciolo |
|
Workaround: |
Manually change capability for repositories |
| Issue no.: | MDL-30452 |
|
CVE Identifier: |
CVE-2012-1157 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=246c2cb8e5af71a7d7c605b8fc9f9563e0fb3bc4 |
Description:
Not all repositories are intended for student use, however all repositories were viewable by all users by default. This change will affect new installations only. Existing site admins should review their repository capabilities.
| Topic: | Backup with user files includes users' private files |
| Severity: | Minor |
| Versions affected: | 2.2 to 2.2.1+, 2.1 to 2.1.4+, 2.0 to 2.0.7+ |
| Reported by: | Ralf Hilgenstock |
|
Workaround: |
Disable private files |
| Issue no.: | MDL-29248 |
|
CVE Identifier: |
CVE-2012-1156 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29248 |
Description:
Course backups were including users' private files unnecessarily.
| Topic: | core_user_update_users user password is reset if not specified |
| Severity: | Minor |
| Versions affected: | 2.2 to 2.2.1+, 2.1 to 2.1.4+, 2.0 to 2.0.7+ |
| Reported by: | Fábio Souto |
|
Workaround: |
Turn off web services |
| Issue no.: | MDL-30878 |
|
CVE Identifier: |
CVE-2012-1168 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-30878 |
Description:
A Web service function for updating user profiles was resetting user passwords when they were not supplied with update information.
It's good practice to always use the latest stable release of the version you are using. For example, if you are using 1.9.10, it is very safe and easy to go to any higher 1.9.x, because the stable branches generally don't contain any new features (just fixes). CVS is a very easy way to do this.
For more information and alternative ideas, see the Security Documentation.
Did you know if you register your Moodle site with moodle.org you can receive early email alerts of security issues? To register, just visit Admin > Notifications in your own Moodle site.
Please "Create a new issue" in the Moodle Tracker describing the problem (and solution if possible) in detail. Make sure you set the Security Level accurately to make sure that the security team sees it. Bugs classified as a "Serious security issue" will be hidden from the general public until the security team is able to resolve it and publish fixes to registered Moodle sites.
If you have Moodle 1.9.4 and later, you'll find a new Security Report under Admin -> Reports -> Security
Give it a try! It'll check for kinds of potential security problems that you might have in your configuration.
Courses
Developer credits
Categories