Security announcements

MSA-13-0027: Access issue in Chat module

by Michael de Raadt
Description: Users were able to access a daemon-mode Chat activity without the required capability.
Issue summary: Missing privilege check in mod/chat/gui_sockets/index.php
Severity/Risk: Minor
Versions affected: 2.5, 2.4 to 2.4.4, 2.3 to 2.3.7, 2.2 to 2.2.10, earlier unsupported versions
Versions fixed: 2.5.1, 2.4.5, 2.3.8 and 2.2.11
Reported by: Francois Gauthier
Issue no.: MDL-39628
CVE identifier: CVE-2013-2242
Workaround: Use the Chat module without the daemon.
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39628

MSA-13-0026: Personal information leak in IMS-LTI

by Michael de Raadt
Description: Privacy settings for the IMS-LTI (External tool) module were not able to be changed so personal information was always transferred.
Issue summary: Privacy settings do not change
Severity/Risk: Minor
Versions affected: 2.5, 2.4 to 2.4.4, 2.3 to 2.3.7, 2.2 to 2.2.10, earlier unsupported versions
Versions fixed: 2.5.1, 2.4.5, 2.3.8 and 2.2.11
Reported by: Mawuli Kuivi
Issue no.: MDL-40308
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40308

MSA-13-0025: XSS vulnerability in YUI library

by Michael de Raadt
Description: Flash files distributed with the YUI library may have allowed for cross-site scripting attacks.
Issue summary: YUI swf files suffer a XSS vulnerability
Severity/Risk: Serious
Versions affected: 2.5, 2.4 to 2.4.4, 2.3 to 2.3.7, 2.2 to 2.2.10, earlier unsupported versions
Versions fixed: 2.5.1, 2.4.5, 2.3.8 and 2.2.11
Reported by: Andrew Nicols
Issue no.: MDL-39678
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39678

MSA-13-0024: Form filtering issue

by Michael de Raadt
Description: Form elements named using a specific naming scheme were not being filtered correctly.
Issue summary: Elements named foo[i] are not cleaned properly
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions
Versions fixed: 2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by: Dan Poltawski
Issue no.: MDL-38885
CVE identifier: CVE-2013-2083
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38885

MSA-13-0023: Permission issue in blog comments

by Michael de Raadt
Description: There was no check of permissions for viewing comments on blog posts.
Issue summary: Blog comment validation should verify that the user can view a post.
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions
Versions fixed: 2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by: Dan Poltawski
Issue no.: MDL-37245
CVE identifier: CVE-2013-2082
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37245

MSA-13-0022: Information leak in hub registration

by Michael de Raadt
Description: When registering a site on a hub (not Moodle.net), site information was being sent to the hub regardless of the settings chosen.
Issue summary: Moodle send site information to a hub even though it's unchecked
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions
Versions fixed: 2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by: Jérôme Mouneyrac
Issue no.: MDL-37822
CVE identifier: CVE-2013-2081
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37822

MSA-13-0021: Potential information leak in Gradebook

by Michael de Raadt
Description: The Gradebook's Overview report was showing grade totals that may have incorrectly included hidden grades.
Issue summary: The method for figuring out showtotalsifcontainhidden on the overview report is flawed
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, earlier unsupported versions
Versions fixed: 2.5, 2.4.4 and 2.3.7
Reported by: Andrew Davis
Issue no.: MDL-37475
CVE identifier: CVE-2013-2080
Workaround: Ensure all courses have the same value for hiding grades in the gradebook. This is set at Administration > Grades > Course grade settings > Hide totals if they contain hidden items
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37475

MSA-13-0020: Capability issue in Assignment

by Michael de Raadt
Description: The assignment module was not checking capabilities for users downloading all assignments as a zip.
Issue summary: Students can download assignments submitted by other students
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6
Versions fixed: 2.5, 2.4.4 and 2.3.7
Reported by: Phillip Franks
Issue no.: MDL-38443
CVE identifier: CVE-2013-2079
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38443

MSA-13-0019: Unauthorised settings editing through WebDav repository

by Michael de Raadt
Description: Any user able to view WebDav repositories was able to view, edit and delete site-wide WebDav repositories.
Issue summary: Site-wide WebDAV repository instances options are accessible
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only)
Versions fixed: 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8 and 2.2.9
Reported by: Frédéric Massart
Issue no.: MDL-37852
CVE identifier: CVE-2013-1836
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37852

MSA-13-0018: Personal information leak through repositories

by Michael de Raadt
Description: Users able to use "login as" were able to see the personal repository content of the user they were impersonating.
Issue summary: Admin users logged in as another user have access to the content of their external repositories
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only)
Versions fixed: 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8 and 2.2.9
Reported by: Andrew Nicols
Issue no.: MDL-36426
CVE identifier: CVE-2013-1835
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36426