| Topic: | security key web service tokens are displayed when the service is disabled or if the user is not authorized any more |
| Severity: | Minor |
| Versions affected: | 2.1 to 2.1.2+, 2.0 to 2.0.5+ (1.9.x not affected) |
| Reported by: | Jerome Mouneyrac |
| Issue no.: | MDL-28670 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28670&sr=1 |
| Workaround: | Do not enable then disable web services |
Description:
Expired web service tokens were being displayed.
| Topic: | Calendar doesn't check $returnurl is valid |
| Severity: | Minor |
| Versions affected: | 2.1 to 2.1.2+ (2.0.x, 1.9.x not affected) |
| Reported by: | Dan Marsden |
| Issue no.: | MDL-28720 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28720&sr=1 |
Description:
The Calendar set page was taking a full URL used for redirection without checking if the URL is within the Moodle site.
| Topic: | wiki leaks creator's username in history & deletion UI |
| Severity: | Minor |
| Versions affected: | 2.1 to 2.1.2+, 2.0 to 2.0.5+ (1.9.x not affected) |
| Reported by: | Sunner Sun |
| Issue no.: | MDL-29191 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=140af2a0f0a4598bf568b9ae182cb81eb583edeb |
Description:
A Wiki creator's username was shown in place of their full name.
| Topic: | Guest user can execute global search by inputting URL directly |
| Severity: | Minor |
| Versions affected: | < 2.1.2, < 2.0.5 (1.9.x not affected) |
| Reported by: | Tatsuya Shirai |
| Issue no.: | MDL-19575 |
| Solution: | upgrade to latest version |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=5eb1cec34f013fdcb559b66bc401f2845ce0bbb7 |
Description:
After logged in to Moodle as a guest, the user could execute a Global search.
| Topic: | mod/forum/user.php exploses user details |
| Severity: | Minor |
| Versions affected: | < 2.1.2, < 2.0.5, < 1.9.14 |
| Reported by: | Rossiani Wijaya |
| Issue no.: | MDL-28615 |
| Solution: | upgrade to latest version |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&s=MDL-28615 |
Description:
Users' names should only be displayed to other students in the same course or to administrators.
Note: this issue was resolved for Moodle 2.x. A fix for Moodle 1.9.x will be created separately.
(Updated by Michael de Raadt, original publication date: Tuesday, 18 October 2011, 12:23 PM)
| Topic: | XSS through 'section' parameter |
| Severity: | Serious |
| Versions affected: | < 2.1.2, < 2.0.5 (1.9.x not affected) |
| Reported by: | Petr Škoda |
| Issue no.: | MDL-28725 |
| Solution: | upgrade to latest version |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=41017112cff7f5bd7969c72d321320f3090e7c68 |
Description:
Cross site scripting was possible through the 'section' parameter.
| Topic: | Magic quotes hardening of 1.9 |
| Severity: | Serious |
| Versions affected: | < 1.9.14 (2.x not affected) |
| Reported by: | Petr Škoda |
| Issue no.: | MDL-29033 |
| Solution: | upgrade to 1.9.14 |
| Changes (1.9): | http://git.moodle.org/gw?p=moodle.git;a=commitdiff;h=bf0ddcb332998e14b2deeb2fff1e7e6849ce65d6 |
Description:
Filtering has been added to various DB functions to avoid unanticipated injection threats.
| Topic: | Potential XSS: editsection.html print values directly from data_submitted() |
| Severity: | Minor |
| Versions affected: | < 1.9.14 (2.x not affected) |
| Reported by: | Aaron Barnes |
| Issue no.: | MDL-28722 |
| Solution: | upgrade to 1.9.14 |
| Changes (1.9): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=4a2acd8c7e6c869d5fd5aa686e6e0a3f20c97f15 |
Description:
Course section editing form data was being used without being filtered, which could be exploited by an injection attack.
| Topic: | Message refreshing system may cause unlimited queries and DDos attack |
| Severity: | Serious |
| Versions affected: | < 1.9.14 (2.x not affected) |
| Reported by: | Xavier Paz |
| Issue no.: | MDL-29311 |
| Solution: | upgrade to 1.9.14 |
| Changes (1.9): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=97f258fabb3ebfa7acc7c02cb59de92b01710f99 |
Description:
Users could change the wait parameter from message/refresh.php to zero to cause a denial of service attack.
| Topic: | prevent $CFG->usesid because hackers try to exploit it |
| Severity: | Minor |
| Versions affected: | < 2.1.2, < 2.0.5 (1.9.x could also be vulnerable if misconfigured) |
| Reported by: | Petr Škoda |
| Issue no.: | MDL-29312 |
| Solution: | upgrade to latest version |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=e1e082a809b9a2d3a408cb4d6faa34fdfcf3165c |
| Workaround: | Don't use cookie-less sessions |
Description:
The $CFG->usesid was added previously to allow simpler access, but this setting is now ignored to remove a potential vulnerability.