| Topic: | Anonymous frontpage forums call generates sesskey value |
| Severity: | Minor |
| Versions affected: | 2.1 to 2.1.3+, 2.0 to 2.0.6+ (2.2, 1.9 not affected) |
| Reported by: | Stephen Overall |
| Workaround: | Do not use an anonymous forum on the front page |
| Issue no.: | MDL-27334 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-27334 |
Description:
It was possible to access a page that would generate sesskey values for an unauthenticated user.
| Topic: | Teacher can assign role in self-enrolment for his course as manager even if assign role is disabled |
| Severity: | Minor |
| Versions affected: | 2.2, 2.1 to 2.1.3+ (earlier versions unaffected) |
| Reported by: | Ibrahim Awad |
| Workaround: | Disable self-enrolment |
| Issue no.: | MDL-29469 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29469 |
Description:
Under specific circumstances, teachers were able to self-enrol themselves at a higher level.
| Topic: | WS tokens & user->deleted status are out of sync |
| Severity: | Minor |
| Versions affected: | 2.2, 2.1 to 2.1.3+, 2.0 to 2.0.6+ (1.9 not affected) |
| Reported by: | Eloy Lafuente |
| Issue no.: | MDL-28126 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28126 |
Description:
A user deleted on the server was able to access a site while they continued to use a token.
| Topic: | Header injection in PHPMailer library |
| Severity: | Serious |
| Versions affected: | 2.2, 2.1 to 2.1.3+, 2.0 to 2.0.6+, 1.9 to 1.9.15+ |
| Reported by: | Simon Coggins |
| Issue no.: | MDL-30575 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=62988bf0bbc73df655f51884aaf1f523928abff9 |
Description:
It was possible to inject additional information into email headers, such as additional addresses.
| Topic: | No validation performed on email address setting |
| Severity: | Minor |
| Versions affected: | 2.2, 2.1 to 2.1.3+, 2.0 to 2.0.6+, 1.9 to 1.9.15+ |
| Reported by: | John Ehringer |
| Issue no.: | MDL-13572 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-13572 |
Description:
Additional validation is now performed at various stages. As well as ensuring emails are sent to valid addresses, this also prevents potential attacks.
| Topic: | rc4encrypt function uses hardcoded key |
| Severity: | Minor |
| Versions affected: | 2.2, 2.1 to 2.1.3+, 2.0 to 2.0.6+, 1.9 to 1.9.15+ |
| Reported by: | Rajesh Taneja |
| Workaround | Manually change encryption key |
| Issue no.: | MDL-28948 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28948 |
Description:
Encryption and decryption of cookies and other values now use a key generated at install, rather than a fixed key.
| Topic: | New setting: CFG->forceloginforprofileimages |
| Severity: | Minor |
| Versions affected: | 2.2, 2.1 to 2.1.3+, 2.0 to 2.0.6+, 1.9 to 1.9.15+ |
| Reported by: | Eloy Lafuente |
| Issue no.: | MDL-29844 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=90911c4ff98dc2078a3acef5ddf5a1a8f7e20ba5 |
Description:
This config variable allows sites to prevent unauthenticated access to users' profile images.
| Topic: | Auto completion not disabled for password field in login form |
| Severity: | Minor |
| Versions affected: | 2.2, 2.1 to 2.1.3+, 2.0 to 2.0.6+, 1.9 to 1.9.15+ |
| Reported by: | Andrea Bicciolo |
| Issue no.: | MDL-30336 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-30336 |
Description:
An administration setting has been added that attempts to block browsers remembering users' passwords.
| Topic: | Forum's user.php exposes user details in 1.9.x |
| Severity: | Minor |
| Versions affected: | 1.9 to 1.9.15+ (later versions not affected) |
| Reported by: | Michael de Raadt |
| Issue no.: | MDL-30012 |
| Changes (1.9): | http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_19_STABLE&st=commit&s=MDL-30012 |
Description:
Users' names were being revealed to users without appropriate access.
| Topic: | Recaptchalib.php improvements for https users |
| Severity: | Minor |
| Versions affected: | 2.2, 2.1 to 2.1.3+, 2.0 to 2.0.6+, 1.9 to 1.9.15+ |
| Reported by: | James Snell |
| Workaround: | Avoid using recaptcha |
| Issue no.: | MDL-27364 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-27364 |
Description:
Recaptcha images were not being forced to be transmitted via SSL and some browsers were giving the option to hide insecure content when security was mixed, leaving captcha images missing.