Security announcements | Moodle.org

Forums
Documentation
Plugins
Downloads
Demo
Development
Translation
Tracker
Search

Search
Other Moodle sites

Moodle.org

Security announcements

Description:	It was possible to inject code into Calculated questions that would be executed on the server.
Issue summary:	Remote code execution in quiz calculated question
Severity/Risk:	Serious
Versions affected:	2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed:	2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:	Frédéric Massart
Issue no.:	MDL-46148
CVE identifier:	CVE-2014-3545
Workaround:	Disable calculated question types.
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46148

Discuss this topic (0 replies so far)

Description:	Filtering of the Skype profile field was not removing potentially harmful code.
Issue summary:	Persistent XSS Found
Severity/Risk:	Serious
Versions affected:	2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed:	2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:	Osanda Malith Jayathissa
Issue no.:	MDL-45683
CVE identifier:	CVE-2014-3544
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45683

Discuss this topic (0 replies so far)

Description:	It was possible for manipulated XML files to be uploaded to the IMSCC course format or the IMSCP resource to allow access to server-side files.
Issue summary:	XXE Vulnerabilities in IMS CC and resource
Severity/Risk:	Serious
Versions affected:	2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed:	2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:	pnig0s@freebuf
Issue no.:	MDL-45417
CVE identifier:	CVE-2014-3543
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45417

Discuss this topic (0 replies so far)

Description:	It was possible for manipulated XML files passed from LTI servers to be interpreted by Moodle to allow access to server-side files.
Issue summary:	XXE attack through LTI
Severity/Risk:	Serious
Versions affected:	2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed:	2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:	pnig0s@freebuf
Issue no.:	MDL-45463
CVE identifier:	CVE-2014-3542
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45463

Discuss this topic (0 replies so far)

Description:	Serialised data passed by repositories could potentially contain objects defined by add-ons that could include executable code.
Issue summary:	Potential PHP Object Injection in Repositories
Severity/Risk:	Serious
Versions affected:	2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed:	2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:	Robin Bailey
Issue no.:	MDL-45616
CVE identifier:	CVE-2014-3541
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45616

Discuss this topic (0 replies so far)

Description:	Shibboleth was allowing empty session IDs and confusing sessions when more than one instance was associated with an empty ID.
Issue summary:	User taking over other user's session using Shibboleth authentication plugin
Severity/Risk:	Serious
Versions affected:	2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed:	2.5.7 and 2.4.11
Reported by:	Colin Campbell
Issue no.:	MDL-45485
CVE identifier:	CVE-2014-3552
Changes (2.5):	http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_25_STABLE&st=commit&s=MDL-45485

Discuss this topic (0 replies so far)

Description:	There was a lack of filtering in the URL downloader repository that could have been exploited for XSS.
Issue summary:	Reflected Cross site scripting in URL downloader repository
Severity/Risk:	Serious
Versions affected:	2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed:	2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by:	Yogendra Sharma
Issue no.:	MDL-45332
CVE identifier:	CVE-2014-0218
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45332

Discuss this topic (0 replies so far)

Description:	Details of hidden courses were being revealed to unauthenticated users on enrolment pages by URL manipulation.
Issue summary:	Hidden course name and summary visible to guests
Severity/Risk:	Minor
Versions affected:	2.6 to 2.6.2
Versions fixed:	2.7 and 2.6.3
Reported by:	Marina Glancy
Issue no.:	MDL-45126
CVE identifier:	CVE-2014-0217
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45126

Discuss this topic (0 replies so far)

Description:	Access to files linked on HTML blocks on the My home page was not being checked in the correct context allowing access to unauthenticated users.
Issue summary:	Files linked in HTML blocks on My home are available to non authenticated users
Severity/Risk:	Minor
Versions affected:	2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed:	2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by:	Mike Wilson
Issue no.:	MDL-43877
CVE identifier:	CVE-2014-0216
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43877

Discuss this topic (0 replies so far)

Description:	Some student details were included in assignment marking pages and would have been revealed to screen readers or through code inspection.
Issue summary:	Blind marking reveals identities to screen readers
Severity/Risk:	Minor
Versions affected:	2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed:	2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by:	Damyon Wiese
Issue no.:	MDL-44750
CVE identifier:	CVE-2014-0215
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44750

Discuss this topic (0 replies so far)