| Topic: | Cross-site request forgery in RSS block |
| Severity: | Major |
| Versions affected: | <1.9.11 (2.0.x not vulnerable) |
| Reported by: | Dan Poltawski |
| Issue no.: | MDL-18839 |
| Solution: | Upgrade to 1.9.11 |
| Workaround: | Delete the RSS feeds block |
Description:
This vulnerability could allow an attacker to manipulate RSS feeds used in an RSS block.
| Topic: | Customised phpMyAdmin upgraded to 2.11.11.3 and 3.3.9.2 |
| Severity: | Major |
| Versions affected: | all |
| Reported by: | upstream PMASA-2011-2 |
| Issue no.: | MDL-26372 |
| Solution: | Install latest package from http://moodle.org/mod/data/view.php?d=13&rid=448 or cvs |
| Workaround: | delete admin/mysql/* in 1.9.x or local/phpmyadmin/* in 2.x |
Description:
http://www.phpmyadmin.net/home_page/security/
| Topic: | Customised phpMyAdmin upgraded to 2.11.11.1 and 3.3.8.1 |
| Severity: | Non critical |
| Versions affected: | all |
| Reported by: | upstream PMASA-2010-8 |
| Issue no.: | MDL-25483 |
| Solution: | Install latest package from http://moodle.org/mod/data/view.php?d=13&rid=448 or cvs |
| Workaround: | delete admin/mysql/* in 1.9.x or local/phpmyadmin/* in 2.x |
Description:
http://www.phpmyadmin.net/home_page/news.php
| Topic: | XSS vulnerability in YUI 2.4.0 through YUI 2.8.1 |
| Severity: | Critical |
| Versions affected: | < 1.9.10 |
| Reported and coordinated by: | YUI development team |
| Issue no.: | MDL-24808 |
| Solution: | upgrade to Moodle 1.9.10 or replace the following vulnerable files as described in the linked YUI support document
/lib/yui/uploader/assets/uploader.swf /lib/yui/charts/assets/charts.swf |
Description:
Moodle 1.9.9 or older include YUI library 2.6.0 which is one of the vulnerable versions described in http://yuilibrary.com/support/2.8.2/, this makes all older versions of Moodle 1.9.x vulnerable.
| Topic: | Customised HTML Purifier upgraded to 4.2.0 |
| Severity: | Minor |
| Versions affected: | < 1.9.10 |
| Reported by: | Upstream |
| Issue no.: | MDL-24810 |
| Solution: | Upgrade to latest release or use standard KSES text cleaning engine |
Description:
| Topic: | Multiple phpCAS library vulnerabilities |
| Severity: | Major |
| Versions affected: | < 1.9.10 and < 1.8.14 |
| Reported by: | Multiple reporters http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2795 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2796 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3690 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3691 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3692 |
| Issue no.: | MDL-24789 |
| Solution: | Upgrade to latest release or if you do not use CAS authentication delete the /auth/cas/* directory |
Description:
The CAS authentication plugin is using the phpCAS library internally. The latest version contains fixes for multiple security problems.
| Topic: | Customised phpMyAdmin upgraded to 2.11.11 |
| Severity: | Major |
| Versions affected: | all |
| Reported by: | upstream |
| Issue no.: | MDL-24555 |
| Solution: | Install latest package from http://moodle.org/mod/data/view.php?d=13&rid=448 or cvs |
| Workaround: | delete admin/mysql/* |
Description:
http://www.phpmyadmin.net/home_page/news.php
| Topic: | Potential Cross Site Request Forgery in Quiz reports |
| Severity/Risk: | Major |
| Versions affected: | <1.8.13 and <1.9.9 |
| Reported by: | Petr Skoda |
| Issue no.: | MDL-21688 |
| Solution: | upgrade to 1.8.13 or 1.9.9 |
| Workaround: | apply patch http://cvs.moodle.org/moodle/mod/quiz/report/overview/report.php?r1=1.98.2.50&r2=1.98.2.51 |
Description:
Only limited validation was being done for one of the parameters, allowing unauthorised deletion of attempts in some instances.
| Topic: | KSES Security Filter Bypassing vulnerability |
| Severity/Risk: | Critical |
| Versions affected: | <1.8.13 and <1.9.9 |
| Reported by: | Sascha Herzog |
| Issue no.: | MDL-22042 |
| Solution: | upgrade to 1.8.13 or 1.9.9 |
| Workaround: | apply patch http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.812.2.114&r2=1.812.2.115 http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.970.2.171&r2=1.970.2.172 |
Description:
Sascha Herzog reported a critical vulnerability in KSES text cleaning filter may allows registered users to launch persistent cross-site scripting (XSS) attacks.
| Topic: | Cross Site Scripting vulnerability in blog/index.php |
| Severity/Risk: | Critical |
| Versions affected: | <1.8.13 and <1.9.9 |
| Reported by: | Emmanuel Bouillon |
| Issue no.: | MDL-22631 |
| Solution: | upgrade to 1.8.13 or 1.9.9 |
| Workaround: | apply patch or disable blogs http://cvs.moodle.org/moodle/blog/lib.php?r1=1.80.2.20&r2=1.80.2.21 http://cvs.moodle.org/moodle/blog/lib.php?r1=1.62.2.9&r2=1.62.2.10 |
Description:
Some parameters were not being properly cleaned on the blog index page, allowing non-persistent cross-site scripting (XSS) attacks.
