Security announcements | Moodle.org

Forums
Documentation
Downloads
Demo
Tracker
Development
Translation
Search

Search
Moodle Sites

Moodle.org

Security announcements

Description:	It was possible for manipulated XML files to be uploaded to the IMSCC course format or the IMSCP resource to allow access to server-side files.
Issue summary:	XXE Vulnerabilities in IMS CC and resource
Severity/Risk:	Serious
Versions affected:	2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed:	2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:	pnig0s@freebuf
Issue no.:	MDL-45417
CVE identifier:	CVE-2014-3543
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45417

Discuss this topic (0 replies so far)

Description:	It was possible for manipulated XML files passed from LTI servers to be interpreted by Moodle to allow access to server-side files.
Issue summary:	XXE attack through LTI
Severity/Risk:	Serious
Versions affected:	2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed:	2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:	pnig0s@freebuf
Issue no.:	MDL-45463
CVE identifier:	CVE-2014-3542
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45463

Discuss this topic (0 replies so far)

Description:	Serialised data passed by repositories could potentially contain objects defined by add-ons that could include executable code.
Issue summary:	Potential PHP Object Injection in Repositories
Severity/Risk:	Serious
Versions affected:	2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed:	2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:	Robin Bailey
Issue no.:	MDL-45616
CVE identifier:	CVE-2014-3541
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45616

Discuss this topic (0 replies so far)

Description:	Shibboleth was allowing empty session IDs and confusing sessions when more than one instance was associated with an empty ID.
Issue summary:	User taking over other user's session using Shibboleth authentication plugin
Severity/Risk:	Serious
Versions affected:	2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed:	2.5.7 and 2.4.11
Reported by:	Colin Campbell
Issue no.:	MDL-45485
CVE identifier:	CVE-2014-3552
Changes (2.5):	http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_25_STABLE&st=commit&s=MDL-45485

Discuss this topic (0 replies so far)

Description:	There was a lack of filtering in the URL downloader repository that could have been exploited for XSS.
Issue summary:	Reflected Cross site scripting in URL downloader repository
Severity/Risk:	Serious
Versions affected:	2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed:	2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by:	Yogendra Sharma
Issue no.:	MDL-45332
CVE identifier:	CVE-2014-0218
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45332

Discuss this topic (0 replies so far)

Description:	Details of hidden courses were being revealed to unauthenticated users on enrolment pages by URL manipulation.
Issue summary:	Hidden course name and summary visible to guests
Severity/Risk:	Minor
Versions affected:	2.6 to 2.6.2
Versions fixed:	2.7 and 2.6.3
Reported by:	Marina Glancy
Issue no.:	MDL-45126
CVE identifier:	CVE-2014-0217
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45126

Discuss this topic (0 replies so far)

Description:	Access to files linked on HTML blocks on the My home page was not being checked in the correct context allowing access to unauthenticated users.
Issue summary:	Files linked in HTML blocks on My home are available to non authenticated users
Severity/Risk:	Minor
Versions affected:	2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed:	2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by:	Mike Wilson
Issue no.:	MDL-43877
CVE identifier:	CVE-2014-0216
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43877

Discuss this topic (0 replies so far)

Description:	Some student details were included in assignment marking pages and would have been revealed to screen readers or through code inspection.
Issue summary:	Blind marking reveals identities to screen readers
Severity/Risk:	Minor
Versions affected:	2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed:	2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by:	Damyon Wiese
Issue no.:	MDL-44750
CVE identifier:	CVE-2014-0215
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44750

Discuss this topic (0 replies so far)

Description:	MoodleMobile web service tokens were not expiring.
Issue summary:	Tokens created automatically in login/token.php are valid forever
Severity/Risk:	Minor
Versions affected:	2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed:	2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by:	Juan Leyva
Issue no.:	MDL-43119
CVE identifier:	CVE-2014-0214
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43119

Discuss this topic (0 replies so far)

Description:	Session checking was not being performed correctly in Assignment's quick-grading, allowing forged requests to be made unknowingly by authenticated users.
Issue summary:	Cross-Site Request Forgery
Severity/Risk:	Serious
Versions affected:	2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed:	2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by:	Gerry Hall
Issue no.:	MDL-44606
CVE identifier:	CVE-2014-0213
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44606

Discuss this topic (0 replies so far)