Security announcements

MSA-14-0047: Possible data loss in Wiki activity

by Marina Glancy
Description: By tweaking URLs, users who were able to delete pages in at least one Wiki activity in the course were able to delete pages in other Wiki activities in the same course.
Issue summary: unvalidated parameters in mod/wiki/admin.php
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Petr Skoda
Issue no.: MDL-47949
CVE identifier: CVE-2014-7837
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47949

MSA-14-0046: CSRF in LTI module

by Marina Glancy
Description: Two files in the LTI module lacked a session key check, potentially allowing cross-site request forgery.
Issue summary: CSRF in mod/lti/request_tool.php and mod/lti/instructor_edit_tool_type.php
Severity/Risk: Serious
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Petr Skoda
Issue no.: MDL-47924
CVE identifier: CVE-2014-7836
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47924

MSA-14-0045: XSS file upload possible through web service

by Marina Glancy
Description: If a web service with a file upload function was available, a user could upload an XSS file to their profile picture area.
Issue summary: XSS through WS user file upload
Severity/Risk: Serious
Versions affected: 2.7 to 2.7.2 and 2.6 to 2.6.5
Versions fixed: 2.8, 2.7.3 and 2.6.6
Reported by: Petr Skoda
Issue no.: MDL-47868
Workaround: Do not enable "Can upload files" in web services, especially for untrusted users
CVE identifier: CVE-2014-7835
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47868

MSA-14-0044: Hardware path disclosed in the error message

by Marina Glancy
Description: By directly accessing an internal file, an unauthenticated user can be shown an error message containing the file system path of the Moodle install.
Issue summary: PHPunit: lib/phpunit/bootstrap.php leaks system info
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5
Versions fixed: 2.8, 2.7.3 and 2.6.6
Reported by: Sam Marshall
Issue no.: MDL-47287
Workaround: Prevent web access to this file in web server directives
CVE identifier: CVE-2014-7848
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47287

MSA-14-0043: Lack of group check in web service for Forum

by Marina Glancy
Description: When using the web service function for Forum discussions, group permissions were not checked.
Issue summary: forum_get_discussions web service misses group permissions check
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5
Versions fixed: 2.8, 2.7.3 and 2.6.6
Reported by: Petr Skoda
Issue no.: MDL-45303
Workaround: Do not enable web service function mod_forum_get_discussions
CVE identifier: CVE-2014-7834
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45303

MSA-14-0042: Lack of access check in IP lookup functionality

by Marina Glancy
Description: The script used to geo-map IP addresses was available to unauthenticated users, increasing server load when used by other parties.
Issue summary: iplookup is available to unauthenticated guests
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Dan Poltawski
Issue no.: MDL-47321
CVE identifier: CVE-2014-7847
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47321

MSA-14-0041: Lack of capability check in tags list access

by Marina Glancy
Description: Unprivileged users could access the list of available tags in the system.
Issue summary: Tag autocomplete AJAX page lacks capability check
Severity/Risk: Serious
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Frédéric Massart
Issue no.: MDL-47965
CVE identifier: CVE-2014-7846
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47965

MSA-14-0040: Information leak in Database activity module

by Marina Glancy
Description: Group-level entries in the Database activity module became visible to users in other groups after being edited by a teacher.
Issue summary: Group ID of Database record overwritten by 0
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Pamela Verret
Issue no.: MDL-47697
CVE identifier: CVE-2014-7833
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47697

MSA-14-0039: Insufficient access check in LTI module

by Marina Glancy
Description: Capability checks in the LTI module only checked access to the course and not to the activity.
Issue summary: mod/lti/launch.php lacks access control
Severity/Risk: Serious
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Petr Skoda
Issue no.: MDL-47921
CVE identifier: CVE-2014-7832
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47921

MSA-14-0038: Hidden grade information exposed by web services

by Marina Glancy
Description: A user without the capability to view hidden grades could retrieve grades using web services.
Issue summary: get_grades webservice exposes hidden grades to students
Severity/Risk: Serious
Versions affected: 2.7 and 2.7.2
Versions fixed: 2.8, 2.7.3
Reported by: Damyon Wiese
Issue no.: MDL-47766
Workaround: Do not enable core_grades_get_grades in web services
CVE identifier: CVE-2014-7831
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47766