Security announcements

MSA-14-0005: Access issue in Feedback activity

by Michael de Raadt
Description: It was possible to start a Feedback activity while it was supposed to be closed.
Issue summary: Feedback Availability dates not honored in complete.php
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions
Versions fixed: 2.6.2, 2.5.5 and 2.4.9
Reported by: Tomasz Muras
Issue no.: MDL-43656
CVE identifier: CVE-2014-0127
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43656

MSA-14-0004: Incorrect filtering in Quiz

by Michael de Raadt
Description: Question strings were not being filtered correctly, possibly allowing cross-site scripting.
Issue summary: quiz_question_tostring can cause invalid HTML
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions
Versions fixed: 2.6.2, 2.5.5 and 2.4.9
Reported by: Tim Hunt
Issue nos.: MDL-43690, MDL-43846
CVE identifier: CVE-2014-2571
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43690

MSA-14-0003: Cross-site request forgery vulnerability in profile fields

by Michael de Raadt
Description: Custom profile fields and categories were open to deletion without proper session checking.
Issue summary: Two Cross-site Request Forgery (CSRF) vulnerabilities found in /user/profile/index.php
Severity/Risk: Serious
Versions affected: 2.6, 2.5 to 2.5.4, 2.4 to 2.4.7, 2.3 to 2.3.10 and earlier unsupported versions
Versions fixed: 2.6.1, 2.5.4, 2.4.8 and 2.3.11
Reported by: Jun Zhu
Issue no.: MDL-42883
CVE identifier: CVE-2014-0010
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-42883

MSA-14-0002: Group constraints lacking in "login as"

by Michael de Raadt
Description: Users were able to log in as a user who is not in the same group without the permission to see all groups.
Issue summary: Users with loginas permission and access all groups prohibited can login as user not in their group by direct url
Severity/Risk: Minor
Versions affected: 2.6, 2.5 to 2.5.4, 2.4 to 2.4.7, 2.3 to 2.3.10 and earlier unsupported versions
Versions fixed: 2.6.1, 2.5.4, 2.4.8 and 2.3.11
Reported by: Itamar Tzadok
Issue no.: MDL-42643
CVE identifier: CVE-2014-0009
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-42643

MSA-14-0001: Config passwords visibility issue

by Michael de Raadt
Description: Some password changes on admin pages were being recorded and shown to administrators in the config log report.
Issue summary: Config Changes Report reveals passwords as plain text
Severity/Risk: Minor
Versions affected: 2.6, 2.5 to 2.5.4, 2.4 to 2.4.7 and earlier unsupported versions
Versions fixed: 2.6.1, 2.5.4 and 2.4.8
Reported by: Andrew Steele
Issue no.: MDL-36721
CVE identifier: CVE-2014-0008
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36721

MSA-13-0040: Cross site scripting vulnerability in YUI library

by Michael de Raadt
Description: Flash files distributed with the YUI library may have allowed for cross-site scripting attacks. This is additional to MSA-13-0025.
Issue summary: YUI2 security vulnerability
Severity/Risk: Serious
Versions affected: 2.3 to 2.3.9 and earlier unsupported versions
Versions fixed: 2.3.10
Reported by: Petr Škoda
Issue no.: MDL-42780
CVE identifier: CVE-2013-6780
Workaround: Remove all SWF files under the lib/yui directory.
Changes (2.3): http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_23_STABLE&st=commit&s=MDL-42780

MSA-13-0039: Cross site scripting in Quiz

by Michael de Raadt
Description: JavaScript in question answers was being executed on the Quiz Results page.
Issue summary: XSS on view quiz results page
Severity/Risk: Serious
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and earlier unsupported versions
Versions fixed: 2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by: Michael Hess
Issue no.: MDL-41820
CVE identifier: CVE-2013-4525
Workaround: Disable text-based question types.
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41820

MSA-13-0038: Access to server files through repository

by Michael de Raadt
Description: The file system repository was allowing access to files beyond the Moodle file area.
Issue summary: File System repository gives read access to the whole file system
Severity/Risk: Serious
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and earlier unsupported versions
Versions fixed: 2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by: Frédéric Massart
Issue no.: MDL-41807
CVE identifier: CVE-2013-4524
Workaround: Do not enable File System repository (default)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41807

MSA-13-0037: Cross site scripting in Messages

by Michael de Raadt
Description: JavaScript in messages was being executed on some pages.
Issue summary: Cross Site Scripting in Messages
Severity/Risk: Serious
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and earlier unsupported versions
Versions fixed: 2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by: Panagiotis Petasis
Issue no.: MDL-41941
CVE identifier: CVE-2013-4523
Workaround: Disable messages
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41941

MSA-13-0036: Incorrect headers sent for secured resources

by Michael de Raadt
Description: Some files were being delivered with incorrect headers, meaning they could be cached downstream.
Issue summary: Incorrect headers emitted for secured resources
Severity/Risk: Minor
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and earlier unsupported versions
Versions fixed: 2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by: Tony Levi
Issue nos.: MDL-38743, MDL-42686
CVE identifier: CVE-2013-4522
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38743