Security Announcements

My ugly mug
MSA-14-0013: Unfiltered data used in Assignment web services
 
Description: Assignment web service functions were not correctly cleaning function parameters allowing alteration of assignment grade related information.
Issue summary: Review mod/assign external functions
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.1
Versions fixed: 2.6.2
Reported by: Eloy Lafuente
Issue no.: MDL-43468
CVE identifier: CVE-2014-2572
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43468
My ugly mug
MSA-14-0008: Cross site scripting potential in Flowplayer
 
Description: Cross site scripting was possible with Flowplayer
Issue summary: Upgrade flowplayer
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions
Versions fixed: 2.6.2, 2.5.5 and 2.4.9
Reported by: Andrew Nicols, Simon Coggins
Issue no.: MDL-43344
CVE identifier: CVE-2013-7341
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43344
My ugly mug
MSA-14-0004: Incorrect filtering in Quiz
 
Description: Question strings were not being filtered correctly possibly allowing cross site scripting.
Issue summary: quiz_question_tostring can cause invalid HTML
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions
Versions fixed: 2.6.2, 2.5.5 and 2.4.9
Reported by: Tim Hunt
Issue nos.: MDL-43690, MDL-43846
CVE identifier: CVE-2014-2571
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43690
My ugly mug
MSA-14-0012: Access issue in Badges
 
Description: It was possible for authenticated users to toggle the visibility of other users' badges.
Issue summary: logged user can change badge status (visible field)
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.1 and 2.5 to 2.5.4
Versions fixed: 2.6.2 and 2.5.5
Reported by: Adrian Lorenc
Issue no.: MDL-44140
CVE identifier: CVE-2014-0129
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44140
My ugly mug
MSA-14-0011: Cross site request forgery potential in IMS enrolments
 
Description: There was inadequate session checking when triggering the import of IMS Enterprise identities.
Issue summary: Cross Site Request Forgery in enrol/imsenterprise/importnow.php
Severity/Risk: Serious
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions
Versions fixed: 2.6.2, 2.5.5 and 2.4.9
Reported by: Tyler William Thomas
Issue no.: MDL-43146
CVE identifier: CVE-2014-0126
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43146
My ugly mug
MSA-14-0010: Identity information leak in Alfresco Repository
 
Description: Alias links to items in an Alfresco repository were provided with information that would allow someone to impersonate the file owner in Alfresco.
Issue summary: Alfresco Repository - external links make Alfresco vulnerable to impersonation attack
Severity/Risk: Serious
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions
Versions fixed: 2.6.2, 2.5.5 and 2.4.9
Reported by: Ryan Herring
Issue no.: MDL-29409
CVE identifier: CVE-2014-0125
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29409
My ugly mug
MSA-14-0009: Identity information leak in Forum and Quiz
 
Description: Forum and Quiz were showing users' email addresses when settings were supposed to be preventing this.
Issue summary: User email addresses shown when setting and capabilities do not allow it
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions
Versions fixed: 2.6.2, 2.5.5 and 2.4.9
Reported by: Maria Torres
Issue no.: MDL-43916
CVE identifier: CVE-2014-0124
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43916
My ugly mug
MSA-14-0007: Access issue in Wiki
 
Description: There were missing access checks on Wiki pages allowing students to see pages of other students' individual wikis.
Issue summary: Students able to see others' Individual wiki through the Recent activity block
Severity/Risk: Serious
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions
Versions fixed: 2.6.2, 2.5.5 and 2.4.9
Reported by: Monash University VLE team
Issue nos.: MDL-39990
CVE identifier: CVE-2014-0123
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39990
My ugly mug
MSA-14-0006: Capability issue in Chat
 
Description: Capabilities to chat were being checked at the start of a chat, but not during, so changes were not effective immediately.
Issue summary: Broken access control vulnerability with /mod/chat/chat_ajax.php
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions
Versions fixed: 2.6.2, 2.5.5 and 2.4.9
Reported by: Jun Zhu
Issue nos.: MDL-44082
CVE identifier: CVE-2014-0122
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44082
My ugly mug
MSA-14-0005: Access issue in Feedback activity
 
Description: It was possible to start a Feedback activity while it was supposed to be closed.
Issue summary: Feedback Availability dates not honored in complete.php
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions
Versions fixed: 2.6.2, 2.5.5 and 2.4.9
Reported by: Tomasz Muras
Issue no.: MDL-43656
CVE identifier: CVE-2014-0127
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43656