| Topic: | Calendar New Entry still shows and works for roles preventing calendar entry |
| Severity/Risk: | Minor |
| Versions affected: | 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+, 1.9 to 1.9.17+ |
| Reported by: | Martin Huntley |
| Issue no.: | MDL-18335 |
|
CVE Identifier: |
CVE-2012-2367 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-18335 |
Description:
Users without appropriate permissions were able to access the new calendar entry page and create a calendar entry.
| Topic: | It's possible for any user to overwrite site wide database presets |
| Severity/Risk: | Minor |
| Versions affected: | 2.2 to 2.2.2+, 2.1 to 2.1.5+ |
| Reported by: | Dan Poltawski |
| Issue no.: | MDL-31763 |
|
CVE Identifier: |
CVE-2012-2366 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31763 |
Description:
Users were able to overwrite site-wide Database activity presets created by other users.
| Topic: | XSS in /cohort/edit.php (POST parameter: idnumber) |
| Severity/Risk: | Serious |
| Versions affected: | 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+ |
| Reported by: | Dan Poltawski |
| Issue no.: | MDL-31691 |
|
CVE Identifier: |
CVE-2012-2365 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31691 |
Description:
The idnumber field, an arbitrary unique identifier for a category, was able to be entered without being filtered.
| Topic: | Content-Type is TEXT/HTML for zip Download instead of application/x-zip-compressed or forced download |
| Severity/Risk: | Minor |
| Versions affected: | 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+ |
| Reported by: | Asaf Ohaion |
| Workaround: | Avoid "download all" feature in Assignment |
| Issue no.: | MDL-31558 |
|
CVE Identifier: |
CVE-2012-2364 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=ce4126c7a9e07dd0514f7ac297b5e60cad0b8d20 |
Description:
An incorrect mimetype was being reported for zipped assignment submissions, causing some browsers to render the response. The fix for this issue also prevents incorrect use of file sending functions by third-party modules.
| Topic: | Stored SQL Injection in calendar |
| Severity/Risk: | Serious |
| Versions affected: | 1.9 to 1.9.17+ |
| Reported by: | Simon Coggins |
| Issue no.: | MDL-31746 |
|
CVE Identifier: |
CVE-2012-2363 |
| Changes (1.9): | http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_19_STABLE&st=commit&s=MDL-31746 |
Description:
It was possible to include unfiltered information when adding a calendar event that was stored in the database.
| Topic: | XSS bug in blog/index.php in IE |
| Severity/Risk: | Serious |
| Versions affected: | 1.9 to 1.9.17+ |
| Reported by: | Simon Coggins |
| Issue no.: | MDL-31745 |
|
CVE Identifier: |
CVE-2012-2362 |
| Changes (1.9): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=038131c8b5614f18c14d964dc53b6960ae6c30d8 |
Description:
Parameters sent to the Blog module were not sufficiently filtered. This allowed the potential for cross-site scripting in IE.
| Topic: | XSS in /admin/webservice/service.php |
| Severity/Risk: | Serious |
| Versions affected: | 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+ |
| Reported by: | Dan Poltawski |
| Workaround: | Avoid Web services |
| Issue no.: | MDL-31694 |
|
CVE Identifier: |
CVE-2012-2361 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31694 |
Description:
The name parameter, sent to the Web service script service.php, was not being filtered correctly.
| Topic: | Injection and XSS vulnerability in wiki through insufficient validation |
| Severity/Risk: | Serious |
| Versions affected: | 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+ |
| Reported by: | Sam Hemelryk |
| Issue no.: | MDL-32018 |
|
CVE Identifier: |
CVE-2012-2360 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32018 |
Description:
It was possible to inject unfiltered HTML into a wiki page title.
| Topic: | Non-editor teacher can exceed teacher permissions: example, backup:userinfo |
| Severity/Risk: | Serious |
| Versions affected: | 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+ |
| Reported by: | Jozas Nhial |
| Issue no.: | MDL-32030 |
|
CVE Identifier: |
CVE-2012-2359 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=0f75e1e6272db0303abc8e27362e5c3a1344b82f |
Description:
Non-editing teachers were able to redefine their capabilities to achieve actions they would not normally be able to achieve.
| Topic: | Students can edit database entries in read only mode |
| Severity/Risk: | Minor |
| Versions affected: | 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+ |
| Reported by: | Amanda Doughty |
| Issue no.: | MDL-31811 |
|
CVE Identifier: |
CVE-2012-2358 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31811 |
Description:
Students were able to edit pre-existing Database activity entries after the activity had entered a read-only period.