Security announcements

MSA-14-0037: Weak temporary password generation

By Marina Glancy on
Description: The word list for temporary password generation was short, meaning the pool of possible passwords was not large enough.
Issue summary: generate_password() is insecure and in use
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Aaron Barnes
Issue no.: MDL-47050
Workaround: Enable password policy
CVE identifier: CVE-2014-7845
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47050

MSA-14-0036: XSS in mapcourse script in Feedback module

By Marina Glancy on
Description: Last search string in Feedback module was not escaped in the search input field.
Issue summary: XSS through $searchcourse in mod/feedback/mapcourse.php
Severity/Risk: Serious
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Petr Skoda
Issue no.: MDL-47865
Workaround: Disable feedback module or remove mod/feedback:mapcourse capability from users
CVE identifier: CVE-2014-7830
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47865

MSA-14-0035: Headers not added to some AJAX scripts

By Marina Glancy on
Description: Without forcing the encoding, it was possible that UTF-7 characters could be used to force cross-site scripting through AJAX scripts (although this is unlikely on modern browsers and on most Moodle pages).
Issue summary: Some ajax scripts and hand crafted pages do not send proper encoding header
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Petr Skoda
Issue no.: MDL-47966
CVE identifier: -
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47966

MSA-14-0034: Identity information revealed early in Q&A forum

By Michael de Raadt on
Description: Users who had not yet posted the required answer in a Q&A forum in order to access past posts were able to see the name of the last person who had posted.
Issue summary: Other authors are visible in /mod/forum/view.php before student has posted their own answer.
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.1, 2.6 to 2.6.4, 2.5 to 2.5.7 and earlier unsupported versions
Versions fixed: 2.7.2, 2.6.5 and 2.5.8
Reported by: Amanda Doughty
Issue no.: MDL-46619
CVE identifier: CVE-2014-3617
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46619

MSA-14-0033: URL parameter injection in CAS authentication

By Michael de Raadt on
Description: A flaw was found in the third-party CAS library utilised by Moodle, which could potentially allow unauthorised access and privilege escalation.
Issue summary: Upgrade phpCAS to 1.3.3 or greater - security vulnerabilities
Severity/Risk: Serious
Versions affected: 2.7 to 2.7.1, 2.6 to 2.6.4, 2.5 to 2.5.7 and earlier unsupported versions
Versions fixed: 2.7.2 and 2.6.5 (NOTE: A fix to 2.5 was not possible. CAS users with Moodle 2.5 or earlier are encouraged to upgrade to a more recent release.)
Reported by: Eric Merrill
Issue no.: MDL-46766
CVE identifier: CVE-2014-4172
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46766

MSA-14-0032: Cross-site scripting in advanced grading methods

By Michael de Raadt on
Description: Fields in rubrics were not being correctly filtered.
Issue summary: XSS on the (qualification, rating) field by rubric/advanced grading
Severity/Risk: Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: Javier E. García Prada
Issue no.: MDL-46223
CVE identifier: CVE-2014-3551
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46223

MSA-14-0031: Cross-site scripting through scheduled task error messages

By Michael de Raadt on
Description: Error messages generated by scheduled tasks were being presented to admins without correct filtering.
Issue summary: XSS in scheduled tasks success/error message
Severity/Risk: Serious
Versions affected: 2.7
Versions fixed: 2.7.1
Reported by: Skylar Kelty
Issue no.: MDL-46227
CVE identifier: CVE-2014-3550
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46227

MSA-14-0030: Cross-site scripting through logs of failed logins

By Michael de Raadt on
Description: Log entries of failed login attempts were not filtered correctly.
Issue summary: XSS in 'failed login' logs
Severity/Risk: Serious
Versions affected: 2.7
Versions fixed: 2.7.1
Reported by: Skylar Kelty
Issue no.: MDL-46201
CVE identifier: CVE-2014-3549
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46201

MSA-14-0029: Cross-site scripting vulnerability in exception dialogues

By Michael de Raadt on
Description: Content of exception dialogues presented from AJAX calls was not being escaped before being presented to users.
Issue summary: Exception dialogs do not escape the content
Severity/Risk: Minor
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: Frédéric Massart
Issue no.: MDL-45471
CVE identifier: CVE-2014-3548
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45471

MSA-14-0028: Cross-site scripting possible in external badges

By Michael de Raadt on
Description: The details of badges from external sources were not being filtered.
Issue summary: XSS vulnerabilities with external badges
Severity/Risk: Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6
Versions fixed: 2.7.1, 2.6.4 and 2.5.7
Reported by: Frédéric Massart
Issue no.: MDL-46042
CVE identifier: CVE-2014-3547
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46042