Description: Paths in backups to restorable files were not being sufficiently validated and could be manipulated to gain access to files on the server.
Issue summary: moodle1 backup converter path not properly validated
Severity/Risk: Serious
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+
Reported by: Dan Poltawski
Issue no.: MDL-36977
CVE identifier: CVE-2012-6099
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36977
Security announcements | Moodle.org
MSA-13-0002: Capability issue with Outcome editing
Description: Users without the appropriate capability were able to set a custom outcome they had created as a standard site-wide outcome when editing that outcome.
Issue summary: Teachers can set Outcomes to be Standard when re-editing
Severity/Risk: Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+, 1.9 to 1.9.19
Reported by: Elena Ivanov
Issue no.: MDL-27619
CVE identifier: CVE-2012-6098
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-27619
MSA-13-0001: Security issue in Google Spellchecker in TinyMCE
Description: A security issue was reported by TinyMCE. This fix has been applied to Moodle.
Issue summary: import tinymce spellchecker 2.0.6.1
Severity/Risk: Serious
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+
Reported by: Petr Škoda
Issue no.: MDL-37283
CVE identifier: CVE-2012-6112
Workaround: Disable spellchecker plugin
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37283
MSA-12-0063: Information leak in Check Permissions page
Topic: Check Permissions page displays entire user base without moodle/role:manage capability
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.2+
Reported by: Jody Steele
Issue no.: MDL-35381
CVE identifier: CVE-2012-5481
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35381
Description: The Check Permissions page was allowing non-admin users to see the capabilities of all users, not just users in a course/category.
MSA-12-0062: Information leak in Database activity module
Topic: Any user (including a guest) can view entries in a database activity when more entries are required before viewing other participants' entries
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by: Tabitha Roder
Issue no.: MDL-35558
CVE identifier: CVE-2012-5480
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35558
Description: The setting requiring that a number of entries be posted to a Database activity before others' entries could be viewed could be circumvented using an advanced search.
MSA-12-0061: Remote code execution through Portfolio API
Topic: Portfolio plugin: Local File Inclusion (LFI) and the possibility of Remote Command Execution (RCE).
Severity/Risk: Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by: Cristobal Leiva
Issue no.: MDL-33791
CVE identifier: CVE-2012-5479
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36346
Description: When Moodle data was stored within the web-accessible directory, it was possible to manipulate the Portfolio API callbacks to execute a file uploaded by a user.
MSA-12-0060: Cross-site scripting vulnerability in YUI2
Topic: yui2 swf vulnerability
Severity/Risk: Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+, 1.9 to 1.9.18+
Reported by: Petr Škoda, Jenny Donnelly
Issue no.: MDL-36346
CVE identifier: CVE-2012-5475
Workaround: Delete YUI SWF files
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36346
Description: An XSS vulnerability has been discovered in some YUI 2 .swf files from versions 2.4.0 through 2.9.0. This defect allows JavaScript injection exploits to be created against domains that host affected YUI .swf files.
MSA-12-0059: Information leak in Database activity module
Topic: Members of separate groups can see Database activity entries for other groups
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by: Richard Meyer
Issue no.: MDL-34448
CVE identifier: CVE-2012-5473
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34448
Description: Within the Database activity module, when separate groups were used, members of one group were able to see entries created by members of another group by completing an advanced search.
MSA-12-0058: Possible form data manipulation issue
Topic: add setConstant() for hardfreeze element
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+
Reported by: Rossiani Wijaya
Issue no.: MDL-32785
CVE identifier: CVE-2012-5472
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32785
Description: Frozen form elements were open to manipulation when form data was submitted.
MSA-12-0057: Access issue through repository
Topic: User B is able to see and use Dropbox of User A within Dropbox Repository File Picker
Severity/Risk: Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by: Alexander Bias
Issue no.: MDL-29872, MDL-36366
CVE identifier: CVE-2012-5471
Workaround: Turn off Dropbox repository
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29872
Description: Users who logged out of Dropbox through the Moodle repository were disconnected in Moodle, but their access to Dropbox was still allowed while their browser session continued.