Security announcements | Moodle.org

Forums
Documentation
Plugins
Downloads
Demo
Development
Translation
Tracker
Search

Search
Other Moodle sites

Moodle.org

Trang chủ Lịch

Security announcements

Description:	If guest access is open on the site, unauthenticated user can create a DDos attack through editor autosave area
Issue summary:	Guests can exploit atto draft to store content
Severity/Risk:	Serious
Versions affected:	2.9 to 2.9.2 and 2.8 to 2.8.8
Versions fixed:	2.9.3 and 2.8.9
Reported by:	Frédéric Massart
Issue no.:	MDL-51000
Workaround:	Disable guest access until the fix is applied
CVE identifier:	CVE-2015-5332
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51000

Thảo luận về chủ đề này (0 phúc đáp)

Description:	Insufficient settings check when messaging another user opens spam possibility
Issue summary:	Users who are not in contact list still can send messages though it is blocked in preferences
Severity/Risk:	Minor
Versions affected:	2.9 to 2.9.2
Versions fixed:	2.9.3
Reported by:	Pavel Sokolov
Issue no.:	MDL-50426
CVE identifier:	CVE-2015-5331
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50426

Thảo luận về chủ đề này (0 phúc đáp)

Description:	Capability to manage groups does not have XSS risk, however it was possible to add XSS to the grouping description
Issue summary:	XSS in grouping description
Severity/Risk:	Minor
Versions affected:	2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier unsupported versions
Versions fixed:	2.9.2, 2.8.8 and 2.7.10
Reported by:	Marina Glancy
Issue no.:	MDL-50709
CVE identifier:	CVE-2015-5269
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50709

Thảo luận về chủ đề này (0 phúc đáp)

Description:	When viewing ratings the group access was not properly checked allowing users from other groups to view ratings
Issue summary:	Rating component does not check separate groups
Severity/Risk:	Minor
Versions affected:	2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier unsupported versions
Versions fixed:	2.9.2, 2.8.8 and 2.7.10
Reported by:	Juan Leyva
Issue no.:	MDL-50173
CVE identifier:	CVE-2015-5268
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50173

Thảo luận về chủ đề này (0 phúc đáp)

Description:	Password recovery token can be guessed because of php randomisation limitations
Issue summary:	Vulnerability in password recovery mechanism
Severity/Risk:	Serious
Versions affected:	2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier unsupported versions
Versions fixed:	2.9.2, 2.8.8 and 2.7.10
Reported by:	Vincent Herbulot (@us3r777)
Issue no.:	MDL-50860
CVE identifier:	CVE-2015-5267
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50860

Thảo luận về chủ đề này (0 phúc đáp)

Description:	On large installations, when sync script takes a long time, suspended students may get assigned a manager role in meta course for several minutes
Issue summary:	Meta course sync enroling suspended students as managers and causing large database growth
Severity/Risk:	Minor
Versions affected:	2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier unsupported versions
Versions fixed:	2.9.2, 2.8.8 and 2.7.10
Reported by:	Brian Winstead
Issue no.:	MDL-50744
CVE identifier:	CVE-2015-5266
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50744

Thảo luận về chủ đề này (0 phúc đáp)

Description:	Users can delete files uploaded by other users in wiki without capability to manage files
Issue summary:	Disable free access to the file manager in the wiki via the text editor.
Severity/Risk:	Minor
Versions affected:	2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier unsupported versions
Versions fixed:	2.9.2, 2.8.8 and 2.7.10
Reported by:	John Provasnik
Issue no.:	MDL-48371
CVE identifier:	CVE-2015-5265
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48371

Thảo luận về chủ đề này (0 phúc đáp)

Description:	Group access is not properly checked when posting to "all participants" in forum
Issue summary:	Teacher without accessallgroups can still post to "all participants" and groups they're not members of
Severity/Risk:	Minor
Versions affected:	2.7 to 2.7.9 and earlier unsupported versions
Versions fixed:	2.7.10
Reported by:	David Scotson
Issue no.:	MDL-50576
CVE identifier:	CVE-2015-5272
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50576

Thảo luận về chủ đề này (0 phúc đáp)

Description:	Completed and graded lesson activity was not protected against making new attempt to answer some questions
Issue summary:	Students can re-attempt answering questions in the lesson
Severity/Risk:	Minor
Versions affected:	2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier unsupported versions
Versions fixed:	2.9.2, 2.8.8 and 2.7.10
Reported by:	Eric Eakin
Issue no.:	MDL-50516
CVE identifier:	CVE-2015-5264
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50516

Thảo luận về chủ đề này (0 phúc đáp)

Description:	Penetration test discovered possible Javascript injection in SCORM module
Issue summary:	Inadequate JavaScript Handling in SCORM
Severity/Risk:	Minor
Versions affected:	2.9, 2.8 to 2.8.6, 2.7 to 2.7.8 and earlier unsupported versions
Versions fixed:	2.9.1, 2.8.7 and 2.7.9
Reported by:	Martin Greenaway
Issue no.:	MDL-50614
CVE identifier:	CVE-2015-3275
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50614

Thảo luận về chủ đề này (0 phúc đáp)