| Topic: | add setConstant() for hardfreeze element |
| Severity/Risk: | Minor |
| Versions affected: | 2.3 to 2.3.2+, 2.2 to 2.2.5+ |
| Reported by: | Rossiani Wijaya |
| Issue no.: | MDL-32785 |
|
CVE Identifier: |
CVE-2012-5472 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32785 |
Description:
Frozen form elements were open to manipulation when form data was submitted.
| Topic: | User B is able to see and use Dropbox of User A within Dropbox Repository File Picker |
| Severity/Risk: | Serious |
| Versions affected: | 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+ |
| Reported by: | Alexander Bias |
| Issue no.: | MDL-29872, MDL-36366 |
|
CVE Identifier: |
CVE-2012-5471 |
|
Workaround: |
Turn off Dropbox repository |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29872 |
Description:
Users who logged out of Dropbox through the Moodle repository were disconnected in Moodle, but the user's access to Dropbox was still allowed while their browser session continued.
| Topic: | Information disclosure in yui_combo.php |
| Severity/Risk: | Minor |
| Versions affected: | 2.3 to 2.3.1+ |
| Reported by: | Mark Baseggio |
| Issue no.: | MDL-35168 |
|
CVE Identifier: |
CVE-2012-4403 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35168 |
Description:
The drag-and-drop script was responding to bad requests with information that included the full path to scripts on the server.
| Topic: | A web service token allows the user to run functions from any external service, not just those linked to the external service the token is for |
| Severity/Risk: | Serious |
| Versions affected: | 2.3 to 2.3.1+, 2.2 to 2.2.4+, 2.1 to 2.1.7+ |
| Reported by: | Nathan Mares |
| Issue no.: | MDL-34368 |
|
CVE Identifier: |
CVE-2012-4402 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34368 |
Description:
Users with permission to access multiple services were able to use a token from one service to access another.
| Topic: | Course reset not protected by proper capability |
| Severity/Risk: | Minor |
| Versions affected: | 2.3 to 2.3.1+, 2.2 to 2.2.4+, 2.1 to 2.1.7+ |
| Reported by: | Rex Lorenzo |
| Issue no.: | MDL-34519 |
|
CVE Identifier: |
CVE-2012-4408 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34519 |
Description:
The course reset link was protected by a correct permission but the reset page itself was being checked for a different permission.
| Topic: | 'publishstate' === 'public' |
| Severity/Risk: | Minor |
| Versions affected: | 2.3 to 2.3.1+, 2.2 to 2.2.4+, 2.1 to 2.1.7+ |
| Reported by: | Kyle Decot |
| Issue no.: | MDL-34585 |
|
CVE Identifier: |
CVE-2012-4407 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34585 |
Description:
Files embedded as part of a blog were being delivered without checking the publication state properly.
| Topic: | Permissions problems in topic course format |
| Severity/Risk: | Minor |
| Versions affected: | 2.3 to 2.3.1+, 2.2 to 2.2.4+ |
| Reported by: | Alexander Bias |
| Issue no.: | MDL-28207 |
|
CVE Identifier: |
2012-4401 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28207 |
Description:
Users with course editing capabilities, but without permission to show/hide topics and set the current topic were able to complete these actions under certain conditions.
| Topic: | /repository/repository_ajax.php allows you to supply -1 for "maxbytes" and side step moodle file size restrictions |
| Severity/Risk: | Minor |
| Versions affected: | 2.3 to 2.3.1+, 2.2 to 2.2.4+ |
| Reported by: | Andrew Davis |
| Issue no.: | MDL-30792 |
|
CVE Identifier: |
CVE-2012-4400 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-30792 |
Description:
It was possible for a user to manipulate script parameters to upload a file larger than set limits.
| Topic: | database activity advanced search can be very dangerous (backport of MDL-17327) |
| Severity/Risk: | Minor |
| Versions affected: | 2.2 to 2.2.3+, 2.1 to 2.1.6+, 2.0 to 2.0.9+, 1.9 to 1.9.18+ |
| Reported by: | Séverin Terrier |
| Issue no.: | MDL-32126 |
|
CVE Identifier: |
CVE-2012-3398 |
| Changes (2.2): | http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_22_STABLE&st=commit&s=MDL-32126 |
Description:
Inefficient queries on a database activity with a large number of records could have caused long periods of high CPU load, crippling a system.
| Topic: | Grouping restriction settings not applied correctly when Restrict Access set to greyed-out |
| Severity/Risk: | Minor |
| Versions affected: | 2.3, 2.2 to 2.2.3+, 2.1 to 2.1.6+, 2.0 to 2.0.9+ |
| Reported by: | Luke Tucker |
| Issue no.: | MDL-33466 |
|
CVE Identifier: |
CVE-2012-3397 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-33466 |
Description:
"Restrict access" conditions were incorrectly overriding grouping settings when displaying activities.