| Topic: | Recaptcha is still authenticating to old servers on Moodle 1.9 |
| Severity: | Minor |
| Versions affected: | < 1.9.13 (2.x not affected) |
| Reported by: | Ryan Charpentier |
| Issue no.: | MDL-27889 |
| Solution: | upgrade to 1.9.13 |
| Workaround: | manually change URL to "https://www.google.com/recaptcha/api" |
Description:
Moodle is still trying to connect to the old Recaptcha servers. Since Google has purchased Recaptcha, this server has changed.
| Topic: | Guests can add comments to front page activities |
| Severity: | Serious |
| Versions affected: | < 2.0.4, < 2.1.1 (1.9.x not affected) |
| Reported by: | Helen Foster |
| Issue no.: | MDL-28503 |
| Solution: | upgrade to 2.0.4 or 2.1.1 |
| Workaround: | Don't enable comments for front page activities or use a comments block |
Description:
With this ability it was possible for users who were not logged in to post comments.
| Topic: | Course creator role has incorrect default permissions |
| Severity: | Minor |
| Versions affected: | < 2.0.4, < 2.1.1 (1.9.x not affected) |
| Reported by: | Ray Lawrence |
| Issue no.: | MDL-27994 |
| Solution: | Manually alter permissions in older sites to remove rights from course creators |
Description:
The default permission for course creators allowed them to alter course filters, which was an issue for users with mixed roles.
| Topic: | moodle_enrol_external:role_assign() does not obey role assignment restrictions |
| Severity: | Minor |
| Versions affected: | < 2.0.4, < 2.1.1 (1.9.x not affected) |
| Reported by: | Petr Škoda |
| Issue no.: | MDL-28350 |
| Solution: | upgrade to 2.0.4 or 2.1.1 |
| Workaround: | avoid using web services |
Description:
Not all roles may be assigned by everybody in all contexts, but this was not being checked.
| Topic: | Continuation link can sometimes link offsite |
| Severity: | Minor |
| Versions affected: | < 1.9.13, < 2.0.4, < 2.1.1 |
| Reported by: | Matt Meisberger |
| Issue no.: | MDL-27464 |
| Solution: | upgrade to latest version |
| Workaround: | apply patch |
Description:
It was possible for error message links to lead offsite
| Topic: | Theme cache folder |
| Severity: | Minor |
| Versions affected: | < 2.0.4, < 2.1.1 (1.9.x not affected) |
| Reported by: | Matthew Davidson |
| Issue no.: | MDL-28147 |
| Solution: | upgrade to 2.0.4 or 2.1.1 |
| Workaround: | apply Git patch |
Description:
When caching is incorrectly controlled by a theme, there was the potential for writing to a file system's temporary directory.
| Topic: | Cohort enrol plugin capability problems and missing cohort access control |
| Severity: | Minor |
| Versions affected: | < 2.0.4, < 2.1.1 (1.9.x not affected) |
| Reported by: | Petr Škoda |
| Issue no.: |
MDL-28432 |
| Solution: | upgrade to 2.0.4 or 2.1.1 |
| Workaround: | avoid using cohorts |
Description:
In order to securely control the creation and oversight of cohorts, additional capabilities have been introduced.
| Topic: | Ability to generate invalid records in the comments table in the database |
| Severity: | Major |
| Versions affected: | < 2.0.3 (1.9.x not affected) |
| Reported by: | Sam Hemelryk |
| Issue no.: | MDL-26854 |
| Solution: | Upgrade to 2.0.3 |
| Workaround: | None - please upgrade as soon as possible |
Description:
This is a significant bug in the comments system which allows an authenticated user to fill the comments table in the database with completely invalid records.
| Topic: | Ability to fill a database with invalid records through ratings |
| Severity: | Major |
| Versions affected: | < 2.0.3 (1.9.x not affected) |
| Reported by: | Sam Hemelryk |
| Issue no.: | MDL-26838 |
| Solution: | Upgrade to the latest version |
| Workaround: | None - please upgrade to the latest version as soon as possible |
Description:
It is possible if logged in as an authenticated user to generate invalid records within the rating table of the database, and if someone was intent on doing destruction they could write a script to spam the database.
| Topic: | Cross Site Scripting in multiple pages |
| Severity: | Major |
| Versions affected: | < 1.9.12 |
| Reported by: | Panagiotis Petasis |
| Issue no.: | MDL-26966 |
| Solution: | Upgrade to the latest version |
Description:
A vulnerability assessment done by the Acunetix Web Scanner revealed possible XSS vulnerabilities in pages of Moodle.