Security announcements

MSA-14-0045: XSS file upload possible through web service

 
Picture of Marina Glancy
MSA-14-0045: XSS file upload possible through web service
 
Description: If web service with file upload function was available, user could upload XSS file to his profile picture area.
Issue summary: XSS through WS user file upload
Severity/Risk: Serious
Versions affected: 2.7 to 2.7.2 and 2.6 to 2.6.5
Versions fixed: 2.8, 2.7.3 and 2.6.6
Reported by: Petr Skoda
Issue no.: MDL-47868
Workaround: Do not enable "Can upload files" in web services especially to untrusted users
CVE identifier: CVE-2014-7835
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47868