| Topic: | CAS Multi-Authentication Does Not Use HTTPS Login |
| Severity/Risk: | Minor |
| Versions affected: | 2.2 to 2.2.2+, 2.1 to 2.1.5+ |
| Reported by: | Chris Follin |
| Workaround: | Avoid CAS authentication |
| Issue no.: | MDL-32492 |
|
CVE Identifier: |
CVE-2012-2357 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=895e76ea51c462c18ad66e0761ad76cd26a63ecf |
Description:
A page in the CAS Authentication process was using an insecure HTTP URL that, apart from being insecure, sent the user in circles.
| Topic: | Various problems with permissions checks in the question bank |
| Severity/Risk: | Minor |
| Versions affected: | 2.2 to 2.2.2+, 2.1 to 2.1.5+ |
| Reported by: | Tim Hunt |
| Issue no.: | MDL-32239 |
|
CVE Identifier: |
CVE-2012-2356 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32239 |
Description:
Capabilities were not being correctly checked when working in the question bank. Question authorship was not being checked. Users were shown UI elements when they did not have permission to use them. User permissions were not correctly checked when saving a question.
| Topic: | When you add a question to the quiz, it does not check the question:use... capability |
| Severity/Risk: | Minor |
| Versions affected: | 2.2 to 2.2.2+, 2.1 to 2.1.5+ |
| Reported by: | Tim Hunt |
| Issue no.: | MDL-32240 |
|
CVE Identifier: |
CVE-2012-2355 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32240 |
Description:
Capabilities were not being correctly checked when adding questions to a quiz.
| Topic: | "Recent conversations" allows anyone to see anyone else's messages |
| Severity/Risk: | Serious |
| Versions affected: | 2.2 to 2.2.2+, 2.1 to 2.1.5+ |
| Reported by: | Juan Aburto |
| Issue no.: | MDL-31834 |
|
CVE Identifier: |
CVE-2012-2354 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=48e03792ca8faa2d781f9ef74606f3b3f0d3baec |
Description:
By manipulating URL parameters, users were able to see others' messages
| Topic: | Data protection issue / Information disclosure by "Settings" -> "Users" -> "Enrolled users" |
| Severity/Risk: | Minor |
| Versions affected: | 2.2 to 2.2.2+, 2.1 to 2.1.5+ |
| Reported by: | Andreas Grupp |
| Issue no.: | MDL-31923 |
|
CVE Identifier: |
CVE-2012-2353 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31923 |
Description:
Teachers without appropriate permissions were able see user access information.
| Topic: | /enrol/externallib.php method core_enrol_external .get_enrolled_users() uses undefined $context and $coursecontext's in 3 has_capability() calls |
| Severity: | Major |
| Versions affected: | 2.2 to 2.2.1+ |
| Reported by: | Petr Škoda |
| Issue no.: | MDL-31178 |
|
CVE Identifier: |
CVE-2012-1170 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31178 |
Description:
Capability checks in the external enrolment plugin were not being performed thoroughly enough.
| Topic: | HTML5 apps cannot call Web services functions if an HTTP resource is retrieved from the Moodle installation |
| Severity: | Minor |
| Versions affected: | 2.2 to 2.2.1+, 2.1 to 2.1.4+ |
| Reported by: | Juan Leyva |
|
Workaround: |
Disable Web services |
| Issue no.: | MDL-30495 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-30495 |
Description:
HTML5 apps were being sent cookies which, when sent in later access requests, would cause the Web services to block them.
| Topic: | Adding Tag to an unavailable course makes it visible to students |
| Severity: | Minor |
| Versions affected: | 2.2 to 2.2.1+, 2.1 to 2.1.4+ |
| Reported by: | Ivo Šmelhaus |
|
Workaround: |
Don't enable block_tags_showcoursetags |
| Issue no.: | MDL-31466 |
|
CVE Identifier: |
CVE-2012-1161 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31466 |
Description:
Courses identifiable by tags were being displayed in a tag search even when the courses were hidden.
| Topic: | Not enrolled users (admins...) are able to subscribe/unsubscribe themselves via mod/forum/index.php |
| Severity: | Minor |
| Versions affected: | 2.2 to 2.2.1+, 2.1 to 2.1.4+ |
| Reported by: | Eloy Lafuente |
| Issue no.: | MDL-31426 |
|
CVE Identifier: |
CVE-2012-1160 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31426 |
Description:
Administrators and managers were able to subscribe to forums in courses they were not involved in without a permission check.
| Topic: | Overview report shows hidden courses |
| Severity: | Minor |
| Versions affected: | 2.2 to 2.2.1+, 2.1 to 2.1.4+ |
| Reported by: | Mark Nelson |
| Issue no.: | MDL-29892 |
|
CVE Identifier: |
CVE-2012-1159 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29892 |
Description:
Users unable to see hidden courses were able to see them in the overview report.