Security announcements

MSA-13-0025: XSS vulnerability in YUI library

by Michael de Raadt
Description: Flash files distributed with the YUI library may have allowed for cross-site scripting attacks.
Issue summary: YUI swf files suffer an XSS vulnerability
Severity/Risk: Serious
Versions affected: 2.5, 2.4 to 2.4.4, 2.3 to 2.3.7, 2.2 to 2.2.10, earlier unsupported versions
Versions fixed: 2.5.1, 2.4.5, 2.3.8 and 2.2.11
Reported by: Andrew Nicols
Issue no.: MDL-39678
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39678

MSA-13-0024: Form filtering issue

by Michael de Raadt
Description: Form elements named using a specific naming scheme were not being filtered correctly.
Issue summary: Elements named foo[i] are not cleaned properly
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions
Versions fixed: 2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by: Dan Poltawski
Issue no.: MDL-38885
CVE identifier: CVE-2013-2083
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38885

MSA-13-0023: Permission issue in blog comments

by Michael de Raadt
Description: There was no check of permissions for viewing comments on blog posts.
Issue summary: Blog comment validation should verify that the user can view a post.
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions
Versions fixed: 2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by: Dan Poltawski
Issue no.: MDL-37245
CVE identifier: CVE-2013-2082
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37245

MSA-13-0022: Information leak in hub registration

by Michael de Raadt
Description: When registering a site on a hub (not Moodle.net), site information was being sent to the hub regardless of settings chosen.
Issue summary: Moodle sends site information to a hub even though it's unchecked
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions
Versions fixed: 2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by: Jérôme Mouneyrac
Issue no.: MDL-37822
CVE identifier: CVE-2013-2081
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37822

MSA-13-0021: Potential information leak in Gradebook

by Michael de Raadt
Description: The Gradebook's Overview report was showing grade totals that may have incorrectly included hidden grades.
Issue summary: The method for figuring out showtotalsifcontainhidden on the overview report is flawed
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, earlier unsupported versions
Versions fixed: 2.5, 2.4.4 and 2.3.7
Reported by: Andrew Davis
Issue no.: MDL-37475
CVE identifier: CVE-2013-2080
Workaround: Ensure all courses have the same value for hiding grades in the gradebook. This is set at Administration > Grades > Course grade settings > Hide totals if they contain hidden items.
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37475

MSA-13-0020: Capability issue in Assignment

by Michael de Raadt
Description: The assignment module was not checking capabilities for users downloading all assignments as a zip.
Issue summary: Students can download assignments submitted by other students
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6
Versions fixed: 2.5, 2.4.4 and 2.3.7
Reported by: Phillip Franks
Issue no.: MDL-38443
CVE identifier: CVE-2013-2079
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38443

MSA-13-0019: Unauthorised settings editing through WebDAV repository

by Michael de Raadt
Description: Any user able to view WebDAV repositories was able to view, edit and delete site-wide WebDAV repositories.
Issue summary: Site-wide WebDAV repository instances options are accessible
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only)
Versions fixed: 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8 and 2.2.9
Reported by: Frédéric Massart
Issue no.: MDL-37852
CVE identifier: CVE-2013-1836
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37852

MSA-13-0018: Personal information leak through repositories

by Michael de Raadt
Description: Users able to use "login as" were able to see the personal repository content of the user they were impersonating.
Issue summary: Admin users logged in as another user have access to the content of their external repositories
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only)
Versions fixed: 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8 and 2.2.9
Reported by: Andrew Nicols
Issue no.: MDL-36426
CVE identifier: CVE-2013-1835
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36426

MSA-13-0017: Form manipulation issue in notes

by Michael de Raadt
Description: By manipulating form elements, it was possible to assign a note to a different user during editing.
Issue summary: Go to the edit notes form, change userid in the HTML with Firebug => the targeted note user is changed
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (1.9 onwards)
Versions fixed: 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8 and 2.2.9
Reported by: Jérôme Mouneyrac
Issue no.: MDL-37411
CVE identifier: CVE-2013-1834
Workaround: Disable notes
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37411

MSA-13-0016: External Entity Injection through Zend library

by Michael de Raadt
Description: Through the Zend library, clients of Moodle Web services were potentially able to reveal files on the server.
Issue summary: Zend XmlRpc: Local file disclosure via XXE injection
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only)
Versions fixed: 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8 and 2.2.9
Reported by: Frédéric Massart
Issue no.: MDL-34284
CVE identifier: CVE-2012-3363
Workaround: Disable Web services
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284