Security Announcements

My ugly mug
MSA-14-0019: Reflected XSS in URL downloader repository
 
Description: There was a lack of filtering in the URL downloader repository that could have been exploited for XSS.
Issue summary: Reflected Cross site scripting in URL downloader repository
Severity/Risk: Serious
Versions affected: 2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed: 2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by: Yogendra Sharma
Issue no.: MDL-45332
CVE identifier: CVE-2014-0218
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45332
My ugly mug
MSA-14-0018: Information leak in courses
 
Description: Details of hidden courses were being revealed to unauthenticated users on enrolment pages by URL manipulation.
Issue summary: Hidden course name and summary visible to guests
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.2
Versions fixed: 2.7 and 2.6.3
Reported by: Marina Glancy
Issue no.: MDL-45126
CVE identifier: CVE-2014-0217
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45126
My ugly mug
MSA-14-0017: File access issue in HTML block
 
Description: Access to files linked on HTML blocks on the My home page was not being checked in the correct context allowing access to unauthenticated users.
Issue summary: Files linked in HTML blocks on My home are available to non authenticated users
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed: 2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by: Mike Wilson
Issue no.: MDL-43877
CVE identifier: CVE-2014-0216
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43877
My ugly mug
MSA-14-0016: Anonymous student identity revealed in assignment
 
Description:  Some student details were included in assignment marking pages and would have been revealed to screen readers or through code inspection.
Issue summary: Blind marking reveals identities to screen readers
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed: 2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by: Damyon Wiese
Issue no.: MDL-44750
CVE identifier: CVE-2014-0215
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44750
My ugly mug
MSA-14-0015: Web service token expiry issue for MoodleMobile
 
Description: MoodleMobile web service tokens were not expiring.
Issue summary: Tokens created automatically in login/token.php are valid forever
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed: 2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by: Juan Leyva
Issue no.: MDL-43119
CVE identifier: CVE-2014-0214
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43119
My ugly mug
MSA-14-0014: Cross-site request forgery possible in Assignment
 
Description: Session checking was not being performed correctly in Assignment's quick-grading, allowing forged requests to be made unknowingly by authenticated users.
Issue summary: Cross-Site Request Forgery
Severity/Risk: Serious
Versions affected: 2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed: 2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by: Gerry Hall
Issue no.: MDL-44606
CVE identifier: CVE-2014-0213
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44606
My ugly mug
MSA-14-0013: Unfiltered data used in Assignment web services
 
Description: Assignment web service functions were not correctly cleaning function parameters allowing alteration of assignment grade related information.
Issue summary: Review mod/assign external functions
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.1
Versions fixed: 2.6.2
Reported by: Eloy Lafuente
Issue no.: MDL-43468
CVE identifier: CVE-2014-2572
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43468
My ugly mug
MSA-14-0008: Cross site scripting potential in Flowplayer
 
Description: Cross site scripting was possible with Flowplayer
Issue summary: Upgrade flowplayer
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions
Versions fixed: 2.6.2, 2.5.5 and 2.4.9
Reported by: Andrew Nicols, Simon Coggins
Issue no.: MDL-43344
CVE identifier: CVE-2013-7341
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43344
My ugly mug
MSA-14-0004: Incorrect filtering in Quiz
 
Description: Question strings were not being filtered correctly possibly allowing cross site scripting.
Issue summary: quiz_question_tostring can cause invalid HTML
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions
Versions fixed: 2.6.2, 2.5.5 and 2.4.9
Reported by: Tim Hunt
Issue nos.: MDL-43690, MDL-43846
CVE identifier: CVE-2014-2571
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43690
My ugly mug
MSA-14-0012: Access issue in Badges
 
Description: It was possible for authenticated users to toggle the visibility of other users' badges.
Issue summary: logged user can change badge status (visible field)
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.1 and 2.5 to 2.5.4
Versions fixed: 2.6.2 and 2.5.5
Reported by: Adrian Lorenc
Issue no.: MDL-44140
CVE identifier: CVE-2014-0129
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44140