Security announcements

MSA-13-0035: Inadequate filtering in Blog

by Michael de Raadt
Description: Links to external blogs were not being adequately cleaned
Issue summary: XSS in remote blog/rss include
Severity/Risk: Serious
Versions affected: 2.5 to 2.5.1, 2.4 to 2.4.5, 2.3 to 2.3.8, previous unsupported versions
Versions fixed: 2.5.2, 2.4.6 and 2.3.9
Reported by: Ciaran McNally
Issue no.: MDL-41623
CVE identifier: CVE-2013-4341
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41623

MSA-13-0034: Object injection through Badges

by Michael de Raadt
Description: Descriptions of external badges were open to exploitation.
Issue summary: Unserialize external input in badges/external.php allows object injection
Severity/Risk: Serious
Versions affected: 2.5 to 2.5.1
Versions fixed: 2.5.2
Reported by: Emilio Pinna
Issue no.: MDL-40924
CVE identifier: CVE-2013-5674
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40924

MSA-13-0033: Potential SQL injection in Moodle's SQL Server driver

by Michael de Raadt
Description: Null characters were allowed in query strings, which caused SQL statements to terminate and fail
Issue summary: null byte causes error in ms sql drivers - potential sql injection
Severity/Risk: Serious
Versions affected: 2.5 to 2.5.1, 2.4 to 2.4.5, 2.3 to 2.3.8, previous unsupported versions
Versions fixed: 2.5.2, 2.4.6 and 2.3.9
Reported by: Ryan Giobbi
Issue no.: MDL-40676
CVE identifier: CVE-2013-4313
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40676

MSA-13-0032: Host verification failure in Amazon S3 repository

by Michael de Raadt
Description: The Amazon S3 repository was not verifying secure hosts
Issue summary: S3 class uses curl insecurely
Severity/Risk: Minor
Versions affected: 2.5 to 2.5.1, 2.4 to 2.4.5, 2.3 to 2.3.8, previous unsupported versions
Versions fixed: 2.5.2, 2.4.6 and 2.3.9
Reported by: Thijs Kinkhorst
Issue no.: MDL-40615
CVE identifier: CVE-2012-6087
Workaround: Disable Amazon S3 repository (default)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40615

MSA-13-0031: Personal information leak in Feedback activity

by Michael de Raadt
Description: The Feedback module was showing personal information to users without the needed capability
Issue summary: Missing privilege check in feedback/lib.php
Severity/Risk: Minor
Versions affected: 2.5, 2.4 to 2.4.4, 2.3 to 2.3.7, 2.2 to 2.2.10, earlier unsupported versions
Versions fixed: 2.5.1, 2.4.5, 2.3.8 and 2.2.11
Reported by: Francois Gauthier
Issue no.: MDL-39570
CVE identifier: CVE-2013-2246
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39570

MSA-13-0030: Information leak through RSS

by Michael de Raadt
Description: When impersonating another user using RSS tokens, an error was displayed, but block information relevant to the person being impersonated was shown.
Issue summary: Rss feed error shows user logged in and blocks on page that shouldn't be there.
Severity/Risk: Serious
Versions affected: 2.5, 2.4 to 2.4.4, 2.3 to 2.3.7, 2.2 to 2.2.10, earlier unsupported versions
Versions fixed: 2.5.1, 2.4.5, 2.3.8 and 2.2.11
Reported by: Dan Marsden
Issue no.: MDL-37818
CVE identifier: CVE-2013-2245
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37818

MSA-13-0029: XSS risk in conditional activities

by Michael de Raadt
Description: Conditional access rule values for user fields were able to contain unescaped HTML/JS that would be output to users.
Issue summary: Conditional activities: user field displays as database column name, values not escaped
Severity/Risk: Minor
Versions affected: 2.5, 2.4 to 2.4.4
Versions fixed: 2.5.1, 2.4.5
Reported by: Jean-Daniel Descoteaux
Issue no.: MDL-37516
CVE identifier: CVE-2013-2244
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37516

MSA-13-0028: Answer information revealed in Lesson activity

by Michael de Raadt
Description: It was possible to determine answers from ID values in Lesson activity matching questions.
Issue summary: Matching question in lesson could easily be manipulated through view sources
Severity/Risk: Minor
Versions affected: 2.5, 2.4 to 2.4.4, 2.3 to 2.3.7, earlier unsupported versions
Versions fixed: 2.5.1, 2.4.5 and 2.3.8
Reported by: Rossiani Wijaya, Ankit Agarwal
Issue no.: MDL-39546
CVE identifier: CVE-2013-2243
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39546

MSA-13-0027: Access issue in Chat module

by Michael de Raadt
Description: Users were able to access a daemon-mode Chat activity without the required capability.
Issue summary: Missing privilege check in mod/chat/gui_sockets/index.php
Severity/Risk: Minor
Versions affected: 2.5, 2.4 to 2.4.4, 2.3 to 2.3.7, 2.2 to 2.2.10, earlier unsupported versions
Versions fixed: 2.5.1, 2.4.5, 2.3.8 and 2.2.11
Reported by: Francois Gauthier
Issue no.: MDL-39628
CVE identifier: CVE-2013-2242
Workaround: Use the Chat module without the daemon.
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39628

MSA-13-0026: Personal information leak in IMS-LTI

by Michael de Raadt
Description: Privacy settings for the IMS-LTI (External tool) module could not be changed, so personal information was always transferred.
Issue summary: Privacy settings do not change
Severity/Risk: Minor
Versions affected: 2.5, 2.4 to 2.4.4, 2.3 to 2.3.7, 2.2 to 2.2.10, earlier unsupported versions
Versions fixed: 2.5.1, 2.4.5, 2.3.8 and 2.2.11
Reported by: Mawuli Kuivi
Issue no.: MDL-40308
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40308