Security announcements

MSA-13-0037: Cross site scripting in Messages

by Michael de Raadt
Description: JavaScript in messages was being executed on some pages.
Issue summary: Cross Site Scripting in Messages
Severity/Risk: Serious
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and earlier unsupported versions
Versions fixed: 2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by: Panagiotis Petasis
Issue no.: MDL-41941
CVE identifier: CVE-2013-4523
Workaround: Disable messages
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41941

MSA-13-0036: Incorrect headers sent for secured resources

by Michael de Raadt
Description: Some files were being delivered with incorrect headers, meaning they could be cached downstream.
Issue summary: Incorrect headers emitted for secured resources
Severity/Risk: Minor
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and earlier unsupported versions
Versions fixed: 2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by: Tony Levi
Issue no.: MDL-38743, MDL-42686
CVE identifier: CVE-2013-4522
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38743

MSA-13-0035: Inadequate filtering in Blog

by Michael de Raadt
Description: Links to external blogs were not being adequately cleaned.
Issue summary: XSS in remote blog/rss include
Severity/Risk: Serious
Versions affected: 2.5 to 2.5.1, 2.4 to 2.4.5, 2.3 to 2.3.8, previous unsupported versions
Versions fixed: 2.5.2, 2.4.6 and 2.3.9
Reported by: Ciaran McNally
Issue no.: MDL-41623
CVE identifier: CVE-2013-4341
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41623

MSA-13-0034: Object injection through Badges

by Michael de Raadt
Description: Descriptions of external badges were open to exploitation.
Issue summary: Unserialize external input in badges/external.php allows object injection
Severity/Risk: Serious
Versions affected: 2.5 to 2.5.1
Versions fixed: 2.5.2
Reported by: Emilio Pinna
Issue no.: MDL-40924
CVE identifier: CVE-2013-5674
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40924

MSA-13-0033: Potential SQL injection in Moodle's SQL Server driver

by Michael de Raadt
Description: Null characters were allowed in query strings, which caused SQL statements to terminate and fail.
Issue summary: null byte causes error in ms sql drivers - potential sql injection
Severity/Risk: Serious
Versions affected: 2.5 to 2.5.1, 2.4 to 2.4.5, 2.3 to 2.3.8, previous unsupported versions
Versions fixed: 2.5.2, 2.4.6 and 2.3.9
Reported by: Ryan Giobbi
Issue no.: MDL-40676
CVE identifier: CVE-2013-4313
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40676

MSA-13-0032: Host verification failure in Amazon S3 repository

by Michael de Raadt
Description: The Amazon S3 repository was not verifying secure hosts.
Issue summary: S3 class uses curl insecurely
Severity/Risk: Minor
Versions affected: 2.5 to 2.5.1, 2.4 to 2.4.5, 2.3 to 2.3.8, previous unsupported versions
Versions fixed: 2.5.2, 2.4.6 and 2.3.9
Reported by: Thijs Kinkhorst
Issue no.: MDL-40615
CVE identifier: CVE-2012-6087
Workaround: Disable Amazon S3 repository (default)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40615

MSA-13-0031: Personal information leak in Feedback activity

by Michael de Raadt
Description: The Feedback module was showing personal information to users without the needed capability.
Issue summary: Missing privilege check in feedback/lib.php
Severity/Risk: Minor
Versions affected: 2.5, 2.4 to 2.4.4, 2.3 to 2.3.7, 2.2 to 2.2.10, earlier unsupported versions
Versions fixed: 2.5.1, 2.4.5, 2.3.8 and 2.2.11
Reported by: Francois Gauthier
Issue no.: MDL-39570
CVE identifier: CVE-2013-2246
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39570

MSA-13-0030: Information leak through RSS

by Michael de Raadt
Description: When impersonating another user using RSS tokens, an error was displayed, but block information relevant to the person being impersonated was shown.
Issue summary: Rss feed error shows user logged in and blocks on page that shouldn't be there.
Severity/Risk: Serious
Versions affected: 2.5, 2.4 to 2.4.4, 2.3 to 2.3.7, 2.2 to 2.2.10, earlier unsupported versions
Versions fixed: 2.5.1, 2.4.5, 2.3.8 and 2.2.11
Reported by: Dan Marsden
Issue no.: MDL-37818
CVE identifier: CVE-2013-2245
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37818

MSA-13-0029: XSS risk in conditional activities

by Michael de Raadt
Description: Conditional access rule values for user fields were able to contain unescaped HTML/JS that would be output to users.
Issue summary: Conditional activities: user field displays as database column name, values not escaped
Severity/Risk: Minor
Versions affected: 2.5, 2.4 to 2.4.4
Versions fixed: 2.5.1, 2.4.5
Reported by: Jean-Daniel Descoteaux
Issue no.: MDL-37516
CVE identifier: CVE-2013-2244
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37516

MSA-13-0028: Answer information revealed in Lesson activity

by Michael de Raadt
Description: It was possible to determine answers from ID values in Lesson activity matching questions.
Issue summary: Matching question in lesson could easily manipulated through view sources
Severity/Risk: Minor
Versions affected: 2.5, 2.4 to 2.4.4, 2.3 to 2.3.7, earlier unsupported versions
Versions fixed: 2.5.1, 2.4.5 and 2.3.8
Reported by: Rossiani Wijaya, Ankit Agarwal
Issue no.: MDL-39546
CVE identifier: CVE-2013-2243
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39546