| Topic: | customised PhpMyAdmin upgraded to 2.11.9.4 |
| Severity: | Critical - exploit publicly available |
| Versions affected: | all |
| Reported by: | upstream - PMASA-2008-10 |
| Issue no.: | MDL-17576 |
| Solution: | Install latest package from http://moodle.org/mod/data/view.php?d=13&rid=448 |
Description:
see http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-10| Topic: | customised PhpMyAdmin upgraded to 2.11.9.3 |
| Severity: | Major |
| Versions affected: | all |
| Reported by: | upstream - PMASA-2008-9 |
| Issue no.: | MDL-17097 |
| Solution: | Install latest package from http://moodle.org/mod/data/view.php?d=13&rid=448 |
Description:
see http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-9| Topic: | customised HTML Purifier upgraded to 2.1.5 |
| Severity: | Minor |
| Versions affected: | 1.9.0, 1.9.1, 1.9.2 |
| Reported by: | upstream |
| Issue no.: | MDL-16667 |
| Solution: | upgrade to latest release or use standard KSES text cleaning engine |
Description:
see http://htmlpurifier.org/| Topic: | SQL injection in tags code |
| Severity: | High |
| Versions affected: | 1.9.0, 1.9.1, 1.9.2 |
| Reported by: | D P |
| Issue no.: | MDL-16585 |
| Solution: | update to latest release |
Description:
SQL injection problem was reported in tag related code. Please update your site or disable tags feature.| Topic: | Overriding of frozen values in Moodle forms |
| Severity: | Minor |
| Versions affected: | < 1.8.7, < 1.9.3 |
| Reported by: | Ashley Holman |
| Issue no.: | MDL-16839 |
| Solution: | update to latest releases |
Description:
Anshley Holman reported that it is possible to side step user profile locking mechanism. The cause of this is in our quickforms integration, unfortunately it can not be fixed without potential regressions. We have decided to work around this problem by using setConstant() together with hardFreeze(). Please update your code in a similar way if required. The problem will be fully resolved in 2.0.Description:
The messaging settings page was exposed to a CSRF vulnerability because it wasn't protected by the sesskey mechanism.Description:
Wiki page names were not sanitised on output, allowing for potential cross site scripting (XSS) issues.| Topic: | design deficiency combined with incorrect use of format_string() allowing XSS |
| Severity: | Major |
| Versions affected: | < 1.6.8, < 1.7.6, < 1.8.7, < 1.9.3 |
| Reported by: | Lars Vogdt |
| Issue no.: | MDL-15823 |
| Solution: | Update to latest releases or patch format_string() function 1.6.x http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.581.4.12&r2=1.581.4.13 1.7.x http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.674.2.35&r2=1.674.2.36 1.8.x http://cvs.moodle.org/moodle/lib/weblib.php?view=log&pathrev=MOODLE_18_STABLE 1.9.x http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.970.2.103&r2=1.970.2.104 |
Description:
Lars Vogdt reported a Cross Site Scripting (XSS) problem in one script, during the evaluation we have realised that several other places might be affected too. The problem was caused by combination of incorrect use of format_string() and previous design of this function. We have decided to prevent this and any similar problems in future by adding more sanitisation into format_string().| Topic: | quiz/questions capabilities lack some risk flags in access.php files |
| Severity: | Minor |
| Versions affected: | < 1.7.6, < 1.8.7, < 1.9.3 |
| Reported by: | internal code review |
| Issue no.: | MDL-15819 |
| Solution: | upgrade to 1.7.6, 1.8.7, 1.9.3 or any recent nightly |
Description:
We have discovered during code review that some quiz and questions related capabilities lack proper definition of associated risks. Administrators should update sites or at least review the changes in risk definitions in all quiz and question related capabilities.| Topic: | customised PhpMyAdmin upgraded to 2.11.9.2 |
| Severity: | Major |
| Versions affected: | all |
| Reported by: | upstream - PMASA-2008-8 |
| Issue no.: | MDL-16623 |
| Solution: | Install latest package from http://moodle.org/mod/data/view.php?d=13&rid=448 |
Description:
see http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-8