| Topic: | Gradeboook export allows role that cannot see hidden grades to export all grade and hidden is viewable |
| Severity: | Minor |
| Versions affected: | 2.2 to 2.2.1+, 2.1 to 2.1.4+ |
| Reported by: | Kathryn Fortin |
| Issue no.: | MDL-29080 |
|
CVE Identifier: |
CVE-2012-1158 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29080 |
Description:
Users unable to see hidden grade items were able to view this information in an export.
| Topic: | 'Full name format' set to 'First name' within 'Site Policies', but breadcrumbs show First + Last Name. |
| Severity: | Minor |
| Versions affected: | 2.2 to 2.2.1+, 2.1 to 2.1.4+, 2.0 to 2.0.7+ |
| Reported by: | John Fitchett |
|
Workaround: |
Use lang file based full-name display |
| Issue no.: | MDL-31463 |
|
CVE Identifier: |
CVE-2012-1169 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31463 |
Description:
When the administrative setting to display users' names was set to first name only, users' full names were still appearing in page breadcrumbs.
| Topic: | authenticated user "view" capability set to "allow" for all repos |
| Severity: | Minor |
| Versions affected: | 2.2 to 2.2.1+, 2.1 to 2.1.4+, 2.0 to 2.0.7+ |
| Reported by: | Andrea Bicciolo |
|
Workaround: |
Manually change capability for repositories |
| Issue no.: | MDL-30452 |
|
CVE Identifier: |
CVE-2012-1157 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=246c2cb8e5af71a7d7c605b8fc9f9563e0fb3bc4 |
Description:
Not all repositories are intended for student use, however all repositories were viewable by all users by default. This change will affect new installations only. Existing site admins should review their repository capabilities.
| Topic: | Backup with user files includes users' private files |
| Severity: | Minor |
| Versions affected: | 2.2 to 2.2.1+, 2.1 to 2.1.4+, 2.0 to 2.0.7+ |
| Reported by: | Ralf Hilgenstock |
|
Workaround: |
Disable private files |
| Issue no.: | MDL-29248 |
|
CVE Identifier: |
CVE-2012-1156 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29248 |
Description:
Course backups were including users' private files unnecessarily.
| Topic: | core_user_update_users user password is reset if not specified |
| Severity: | Minor |
| Versions affected: | 2.2 to 2.2.1+, 2.1 to 2.1.4+, 2.0 to 2.0.7+ |
| Reported by: | Fábio Souto |
|
Workaround: |
Turn off web services |
| Issue no.: | MDL-30878 |
|
CVE Identifier: |
CVE-2012-1168 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-30878 |
Description:
A Web service function for updating user profiles was resetting user passwords when they were not supplied with update information.
| Topic: | database activity module entries exporting does not respect separate groups |
| Severity: | Minor |
| Versions affected: | 2.2 to 2.2.1+, 2.1 to 2.1.4+, 2.0 to 2.0.7+, 1.9 to 1.9.16+ |
| Reported by: | Frédéric Hoogstoel |
|
Workaround: |
Disable database content export for students |
| Issue no.: | MDL-25185 |
|
CVE Identifier: |
CVE-2012-1155 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-25185 |
Description:
The export function of the database activity module was exporting all entries, including those from groups the user is a not member of.
| Topic: | Moodle form element types are not applied to some 'repeated' elements |
| Severity: | Minor |
| Versions affected: | 2.2, 2.1 to 2.1.3+ (earlier versions unaffected) |
| Reported by: | Ruslan Kabalin |
| Issue no.: | MDL-30560 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=51070abc78b9e1db1db9a44855e8623b22bebd48 |
Description:
Some repeated form elements were not being validated properly.
| Topic: | iPad Autofill Functionality reveals users password on Moodle create groups page |
| Severity: | Serious |
| Versions affected: | 2.2, 2.1 to 2.1.3+, 2.0 to 2.0.6+ (1.9 not affected) |
| Reported by: | Mike Wilson |
| Issue no.: | MDL-29917 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29917 |
Description:
Safari was revealing the user's saved password in a non-password field.
| Topic: | Anonymous frontpage forums call generates sesskey value |
| Severity: | Minor |
| Versions affected: | 2.1 to 2.1.3+, 2.0 to 2.0.6+ (2.2, 1.9 not affected) |
| Reported by: | Stephen Overall |
| Workaround: | Do not use an anonymous forum on the front page |
| Issue no.: | MDL-27334 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-27334 |
Description:
It was possible to access a page that would generate sesskey values for an unauthenticated user.
| Topic: | Teacher can assign role in self-enrolment for his course as manager even if assign role is disabled |
| Severity: | Minor |
| Versions affected: | 2.2, 2.1 to 2.1.3+ (earlier versions unaffected) |
| Reported by: | Ibrahim Awad |
| Workaround: | Disable self-enrolment |
| Issue no.: | MDL-29469 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29469 |
Description:
Under specific circumstances, teachers were able to self-enrol themselves at a higher level.