| Topic: | XSS bug in blog/index.php in IE |
| Severity/Risk: | Serious |
| Versions affected: | 1.9 to 1.9.17+ |
| Reported by: | Simon Coggins |
| Issue no.: | MDL-31745 |
|
CVE Identifier: |
CVE-2012-2362 |
| Changes (1.9): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=038131c8b5614f18c14d964dc53b6960ae6c30d8 |
Description:
Parameters sent to the Blog module were not sufficiently filtered. This allowed the potential for cross-site scripting in IE.
| Topic: | XSS in /admin/webservice/service.php |
| Severity/Risk: | Serious |
| Versions affected: | 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+ |
| Reported by: | Dan Poltawski |
| Workaround: | Avoid Web services |
| Issue no.: | MDL-31694 |
|
CVE Identifier: |
CVE-2012-2361 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31694 |
Description:
The name parameter, sent to the Web service script service.php, was not being filtered correctly.
| Topic: | Injection and XSS vulnerability in wiki through insufficient validation |
| Severity/Risk: | Serious |
| Versions affected: | 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+ |
| Reported by: | Sam Hemelryk |
| Issue no.: | MDL-32018 |
|
CVE Identifier: |
CVE-2012-2360 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32018 |
Description:
It was possible to inject unfiltered HTML into a wiki page title.
| Topic: | Non-editor teacher can exceed teacher permissions: example, backup:userinfo |
| Severity/Risk: | Serious |
| Versions affected: | 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+ |
| Reported by: | Jozas Nhial |
| Issue no.: | MDL-32030 |
|
CVE Identifier: |
CVE-2012-2359 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=0f75e1e6272db0303abc8e27362e5c3a1344b82f |
Description:
Non-editing teachers were able to redefine their capabilities to achieve actions they would not normally be able to achieve.
| Topic: | Students can edit database entries in read only mode |
| Severity/Risk: | Minor |
| Versions affected: | 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+ |
| Reported by: | Amanda Doughty |
| Issue no.: | MDL-31811 |
|
CVE Identifier: |
CVE-2012-2358 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31811 |
Description:
Students were able to edit pre-existing Database activity entries after the activity had entered a read-only period.
| Topic: | CAS Multi-Authentication Does Not Use HTTPS Login |
| Severity/Risk: | Minor |
| Versions affected: | 2.2 to 2.2.2+, 2.1 to 2.1.5+ |
| Reported by: | Chris Follin |
| Workaround: | Avoid CAS authentication |
| Issue no.: | MDL-32492 |
|
CVE Identifier: |
CVE-2012-2357 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=895e76ea51c462c18ad66e0761ad76cd26a63ecf |
Description:
A page in the CAS Authentication process was using an insecure HTTP URL that, apart from being insecure, sent the user in circles.
| Topic: | Various problems with permissions checks in the question bank |
| Severity/Risk: | Minor |
| Versions affected: | 2.2 to 2.2.2+, 2.1 to 2.1.5+ |
| Reported by: | Tim Hunt |
| Issue no.: | MDL-32239 |
|
CVE Identifier: |
CVE-2012-2356 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32239 |
Description:
Capabilities were not being correctly checked when working in the question bank. Question authorship was not being checked. Users were shown UI elements when they did not have permission to use them. User permissions were not correctly checked when saving a question.
| Topic: | When you add a question to the quiz, it does not check the question:use... capability |
| Severity/Risk: | Minor |
| Versions affected: | 2.2 to 2.2.2+, 2.1 to 2.1.5+ |
| Reported by: | Tim Hunt |
| Issue no.: | MDL-32240 |
|
CVE Identifier: |
CVE-2012-2355 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32240 |
Description:
Capabilities were not being correctly checked when adding questions to a quiz.
| Topic: | "Recent conversations" allows anyone to see anyone else's messages |
| Severity/Risk: | Serious |
| Versions affected: | 2.2 to 2.2.2+, 2.1 to 2.1.5+ |
| Reported by: | Juan Aburto |
| Issue no.: | MDL-31834 |
|
CVE Identifier: |
CVE-2012-2354 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=48e03792ca8faa2d781f9ef74606f3b3f0d3baec |
Description:
By manipulating URL parameters, users were able to see others' messages
| Topic: | Data protection issue / Information disclosure by "Settings" -> "Users" -> "Enrolled users" |
| Severity/Risk: | Minor |
| Versions affected: | 2.2 to 2.2.2+, 2.1 to 2.1.5+ |
| Reported by: | Andreas Grupp |
| Issue no.: | MDL-31923 |
|
CVE Identifier: |
CVE-2012-2353 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31923 |
Description:
Teachers without appropriate permissions were able see user access information.