| Topic: | Incorrect handling of openssl_verify() return code |
| Severity: | Serious |
| Versions affected: | < 2.1.2, < 2.0.5, < 1.9.14 |
| Reported by: | David Mudrak |
| Issue no.: | MDL-29148 |
| Solution: | upgrade to latest version |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=54941685e3e86ec085641dcb7ebb1f96f06735b2 |
| Workaround: | Disable MNET |
Description:
Moodle was not handling these SSL return codes correctly and was vulnerable to remote attacks bypassing validation.
| Topic: | $mform->setConstant() does not work as expected |
| Severity: | Serious |
| Versions affected: | < 2.1.2, < 2.0.5, < 1.9.14 |
| Reported by: | David Mudrak |
| Issue no.: | MDL-23872 |
| Solution: | upgrade to latest version |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=f1f70bd4dde6cd1ea4bdb8ab28fa3d36a53b89d8 |
Description:
Form values that are set as constants were able to be altered by users when the form was submitted
| Topic: | Box.net repository has security flaws |
| Severity: | Serious |
| Versions affected: | < 2.1.2, < 2.0.5 (1.9.x not affected) |
| Reported by: | Alex Willen |
| Issue no.: | MDL-27289 |
| Solution: | upgrade to latest version |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=3deff6c9d2bb4ab3144b3ca7b93d6a2ef6a87af2 |
| Workaround: | Disable the Box.net repository |
Description:
The Box.net plugin was created before Box.net released an OAuth-like authentication, which requires a user to enter their username and password in moodle site.
| Topic: | Server files shows all categories and courses even if a user don't have access to them |
| Severity: | Minor |
| Versions affected: | < 2.1.2, < 2.0.5 (1.9.x not affected) |
| Reported by: | Ralf Hilgenstock |
| Issue no.: | MDL-27586 |
| Solution: | upgrade to latest version |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=f6b07c4da54a9db24723beb147e8a19a3d487e00 |
Description:
In server files, the category and course areas were being shown to users who do not have permission to access them.
| Topic: | XSS in Wiki comments |
| Severity: | Serious |
| Versions affected: | < 2.1.2, < 2.0.5 (1.9.x not affected) |
| Reported by: | Petr Škoda |
| Issue no.: | MDL-28726 |
| Solution: | upgrade to latest version |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=a459fd90625ae44d7b3ac10b65da2dc631a418e7 |
Description:
The result of wiki parsers was not cleaned, which could be discovered and exploited especially when combined with CSRF.
| Topic: | CSRF in several places |
| Severity: | Serious |
| Versions affected: | < 2.1.2, < 2.0.5 (1.9.x not affected) |
| Reported by: | Petr Škoda |
| Issue no.: | MDL-28724 |
| Solution: | upgrade to latest version |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=48346fb11f8ced06a05c0618b02a3a925b34ec59 |
Description:
This vulnerability allowed cross site reference forgery within links in the Wiki.
| Topic: | Flat file enrollments has various sql injection vulnerabilities |
| Severity: | Serious |
| Versions affected: | < 1.9.13 (2.x not affected) |
| Reported by: | Matt Meisberger |
| Issue no.: | MDL-28360 |
| Solution: | upgrade to 1.9.13 |
| Workaround: | escape quotes in user upload CSV files |
Description:
When uploading a CSV files with fields containing quotes, this could throw off SQL processing. This is only exploitable by admins, but could accidentally lead to DB corruption.
| Topic: | SQL injection vulnerability in user upload |
| Severity: | Serious |
| Versions affected: | < 1.9.13 (2.x not affected) |
| Reported by: | Matt Meisberger |
| Issue no.: | MDL-28197 |
| Solution: | upgrade to 1.9.13 |
| Workaround: | escape quotes in user upload CSV files |
Description:
When uploading a CSV file with group names that contain quotes, this could throw off SQL processing. This is only exploitable by admins, but could accidentally lead to DB corruption.
| Topic: | Recaptcha is still authenticating to old servers on Moodle 1.9 |
| Severity: | Minor |
| Versions affected: | < 1.9.13 (2.x not affected) |
| Reported by: | Ryan Charpentier |
| Issue no.: | MDL-27889 |
| Solution: | upgrade to 1.9.13 |
| Workaround: | manually change URL to "https://www.google.com/recaptcha/api" |
Description:
Moodle is still trying to connect to the old Recaptcha servers. Since Google has purchased Recaptcha, this server has changed.
| Topic: | Guests can add comments to front page activities |
| Severity: | Serious |
| Versions affected: | < 2.0.4, < 2.1.1 (1.9.x not affected) |
| Reported by: | Helen Foster |
| Issue no.: | MDL-28503 |
| Solution: | upgrade to 2.0.4 or 2.1.1 |
| Workaround: | Don't enable comments for front page activities or use a comments block |
Description:
With this ability it was possible for users who were not logged in to post comments.