Security announcements | Moodle.org

Forums
Documentation
Plugins
Downloads
Demo
Development
Translation
Tracker
Search

Search
Other Moodle sites

Moodle.org

Trang chủ Lịch

Security announcements

Description:	Access to files linked on HTML blocks on the My home page was not being checked in the correct context allowing access to unauthenticated users.
Issue summary:	Files linked in HTML blocks on My home are available to non authenticated users
Severity/Risk:	Minor
Versions affected:	2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed:	2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by:	Mike Wilson
Issue no.:	MDL-43877
CVE identifier:	CVE-2014-0216
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43877

Thảo luận về chủ đề này (0 phúc đáp)

Description:	Some student details were included in assignment marking pages and would have been revealed to screen readers or through code inspection.
Issue summary:	Blind marking reveals identities to screen readers
Severity/Risk:	Minor
Versions affected:	2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed:	2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by:	Damyon Wiese
Issue no.:	MDL-44750
CVE identifier:	CVE-2014-0215
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44750

Thảo luận về chủ đề này (0 phúc đáp)

Description:	MoodleMobile web service tokens were not expiring.
Issue summary:	Tokens created automatically in login/token.php are valid forever
Severity/Risk:	Minor
Versions affected:	2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed:	2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by:	Juan Leyva
Issue no.:	MDL-43119
CVE identifier:	CVE-2014-0214
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43119

Thảo luận về chủ đề này (0 phúc đáp)

Description:	Session checking was not being performed correctly in Assignment's quick-grading, allowing forged requests to be made unknowingly by authenticated users.
Issue summary:	Cross-Site Request Forgery
Severity/Risk:	Serious
Versions affected:	2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed:	2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by:	Gerry Hall
Issue no.:	MDL-44606
CVE identifier:	CVE-2014-0213
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44606

Thảo luận về chủ đề này (0 phúc đáp)

Description:	Assignment web service functions were not correctly cleaning function parameters allowing alteration of assignment grade related information.
Issue summary:	Review mod/assign external functions
Severity/Risk:	Minor
Versions affected:	2.6 to 2.6.1
Versions fixed:	2.6.2
Reported by:	Eloy Lafuente
Issue no.:	MDL-43468
CVE identifier:	CVE-2014-2572
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43468

Thảo luận về chủ đề này (0 phúc đáp)

Description:	It was possible for authenticated users to toggle the visibility of other users' badges.
Issue summary:	logged user can change badge status (visible field)
Severity/Risk:	Minor
Versions affected:	2.6 to 2.6.1 and 2.5 to 2.5.4
Versions fixed:	2.6.2 and 2.5.5
Reported by:	Adrian Lorenc
Issue no.:	MDL-44140
CVE identifier:	CVE-2014-0129
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44140

Thảo luận về chủ đề này (0 phúc đáp)

Description:	There was inadequate session checking when triggering the import of IMS Enterprise identities.
Issue summary:	Cross Site Request Forgery in enrol/imsenterprise/importnow.php
Severity/Risk:	Serious
Versions affected:	2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions
Versions fixed:	2.6.2, 2.5.5 and 2.4.9
Reported by:	Tyler William Thomas
Issue no.:	MDL-43146
CVE identifier:	CVE-2014-0126
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43146

Thảo luận về chủ đề này (0 phúc đáp)

Description:	Alias links to items in an Alfresco repository were provided with information that would allow someone to impersonate the file owner in Alfresco.
Issue summary:	Alfresco Repository - external links make Alfresco vulnerable to impersonation attack
Severity/Risk:	Serious
Versions affected:	2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions
Versions fixed:	2.6.2, 2.5.5 and 2.4.9
Reported by:	Ryan Herring
Issue no.:	MDL-29409
CVE identifier:	CVE-2014-0125
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29409

Thảo luận về chủ đề này (0 phúc đáp)

Description:	Forum and Quiz were showing users' email addresses when settings were supposed to be preventing this.
Issue summary:	User email addresses shown when setting and capabilities do not allow it
Severity/Risk:	Minor
Versions affected:	2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions
Versions fixed:	2.6.2, 2.5.5 and 2.4.9
Reported by:	Maria Torres
Issue no.:	MDL-43916
CVE identifier:	CVE-2014-0124
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43916

Thảo luận về chủ đề này (0 phúc đáp)

Description:	Cross site scripting was possible with Flowplayer
Issue summary:	Upgrade flowplayer
Severity/Risk:	Minor
Versions affected:	2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions
Versions fixed:	2.6.2, 2.5.5 and 2.4.9
Reported by:	Andrew Nicols, Simon Coggins
Issue no.:	MDL-43344
CVE identifier:	CVE-2013-7341
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43344

Thảo luận về chủ đề này (0 phúc đáp)