Security announcements

MSA-13-0017: Form manipulation issue in notes

by Michael de Raadt -
Description: By manipulating form elements it was possible to assign a note to a different user during editing
Issue summary: Go to the edit notes form, change the userid in the HTML with Firebug => the targeted note user is changed
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (1.9 onwards)
Versions fixed: 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8 and 2.2.9
Reported by: Jérôme Mouneyrac
Issue no.: MDL-37411
CVE identifier: CVE-2013-1834
Workaround: Disable notes
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37411

MSA-13-0016: External Entity Injection through Zend library

by Michael de Raadt -
Description: Through the Zend library, clients of Moodle Web services were potentially able to reveal files on the server
Issue summary: Zend XmlRpc: Local file disclosure via XXE injection
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only)
Versions fixed: 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8 and 2.2.9
Reported by: Frédéric Massart
Issue no.: MDL-34284
CVE identifier: CVE-2012-3363
Workaround: Disable Web services
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34284

MSA-13-0015: Cross-site scripting issue in Filepicker

by Michael de Raadt -
Description: It was possible to upload files with filenames containing HTML and JavaScript
Issue summary: Code injection (XSS) possible in File Picker
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only)
Versions fixed: 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8 and 2.2.9
Reported by: Frédéric Massart
Issue no.: MDL-37507
CVE identifier: CVE-2013-1833
Workaround: Avoid the filesystem repository on Linux file systems and the Google Docs/Drive repository
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37507

MSA-13-0014: Password revealed in WebDav repository

by Michael de Raadt -
Description: The password for a WebDav repository was not hidden on the repository configuration form
Issue summary: WebDav repository password field is plain text allowing admin to see password
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only)
Versions fixed: 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8 and 2.2.9
Reported by: John Holmes
Issue no.: MDL-37681
CVE identifier: CVE-2013-1832
Workaround: Avoid WebDav repositories requiring personal passwords
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37681

MSA-13-0013: Server information revealed through exception messages

by Michael de Raadt -
Description: Exception messages were revealing server file system information
Issue summary: Server system path revealed through exception messages
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions
Versions fixed: 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8 and 2.2.9
Reported by: Mark Nielsen
Issue no.: MDL-36901
CVE identifier: CVE-2013-1831
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36901

MSA-13-0012: Information leak in course profiles

by Michael de Raadt -
Description: Course profiles were accessible without logging in as a real user
Issue summary: Course profiles open to google even when forceloginforprofiles is enabled
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions
Versions fixed: 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8 and 2.2.9
Reported by: Helen Foster
Issue no.: MDL-37481
CVE identifier: CVE-2013-1830
Workaround: Leave autologinguests and opentogoogle settings disabled (default)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37481

MSA-13-0011: Calendar subscription capability issue

by Michael de Raadt -
Description: Users without appropriate capabilities were shown controls to update calendar subscriptions, even though they were not able to modify subscriptions.
Issue summary: Students should not be able to see subscriptions which they can't manage
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1
Versions fixed: 2.4.2 and 2.4.3
Reported by: Ankit Agarwal
Issue no.: MDL-37338
CVE identifier: CVE-2013-1829
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37338

MSA-13-0010: Failure to check capabilities in calendar

by Michael de Raadt -
Description: Students were able to delete course level calendar subscriptions created by teachers.
Issue summary: Student user able to remove imported calendar from Manage Subscriptions
Severity/Risk: Minor
Versions affected: 2.4
Reported by: David O'Brien
Issue no.: MDL-37106
CVE identifier: CVE-2012-6106
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37106

MSA-13-0009: Information leak through Blog RSS

by Michael de Raadt -
Description: Blog posts were still accessible via the blog RSS feed, even after blogging was disabled globally.
Issue summary: Blog posts still available via RSS even after blogging is disabled
Severity/Risk: Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+
Reported by: David Mudrak
Issue no.: MDL-37467
CVE identifier: CVE-2012-6105
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37467

MSA-13-0008: Information leak through Blog RSS

by Michael de Raadt -
Description: Blog posts that were hidden from guest users in the Web interface were being included in the related RSS feed.
Issue summary: Guest users can access RSS feed for site level blogs
Severity/Risk: Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+
Reported by: Charles Fulton
Issue no.: MDL-36620
CVE identifier: CVE-2012-6104
Workaround: Disable blogging
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36620