| Topic: | $CFG->forceloginforprofiles option ignored for course profiles |
| Severity: | Major |
| Versions affected: | <2.0.2 (1.9.x not affected) |
| Reported by: | Amr Hourani |
| Issue no.: | MDL-26389 |
| Solution: | Upgrade to latest version |
| Workaround: | Enable $CFG->forcelogin and disable $CFG->opentogoogle (recommended settings for sites with high privacy requirements) |
Description:
$CFG->forceloginforprofiles was ignored for course profiles resulting in search engine indexing and guest user access.
| Topic: | Cross-site scripting vulnerability in tag autocomplete |
| Severity: | Major |
| Versions affected: | <1.9.11 and <2.0.2 |
| Reported by: | gose |
| Issue no.: | MDL-25754 |
| Solution: | Upgrade to latest version |
| Workaround: | Delete /tag/tag_autocomplete.php file |
Description:
Missing tag validation could allow an attacker to conduct a cross-site scripting attack.
| Topic: | Cross-site request forgery in RSS block |
| Severity: | Major |
| Versions affected: | <1.9.11 (2.0.x not vulnerable) |
| Reported by: | Dan Poltawski |
| Issue no.: | MDL-18839 |
| Solution: | Upgrade to 1.9.11 |
| Workaround: | Delete the RSS feeds block |
Description:
This vulnerability could allow an attacker to manipulate RSS feeds used in an RSS block.
| Topic: | Customised phpMyAdmin upgraded to 2.11.11.3 and 3.3.9.2 |
| Severity: | Major |
| Versions affected: | all |
| Reported by: | upstream PMASA-2011-2 |
| Issue no.: | MDL-26372 |
| Solution: | Install latest package from http://moodle.org/mod/data/view.php?d=13&rid=448 or cvs |
| Workaround: | delete admin/mysql/* in 1.9.x or local/phpmyadmin/* in 2.x |
Description:
http://www.phpmyadmin.net/home_page/security/
| Topic: | Customised phpMyAdmin upgraded to 2.11.11.1 and 3.3.8.1 |
| Severity: | Non critical |
| Versions affected: | all |
| Reported by: | upstream PMASA-2010-8 |
| Issue no.: | MDL-25483 |
| Solution: | Install latest package from http://moodle.org/mod/data/view.php?d=13&rid=448 or cvs |
| Workaround: | delete admin/mysql/* in 1.9.x or local/phpmyadmin/* in 2.x |
Description:
http://www.phpmyadmin.net/home_page/news.php
| Topic: | XSS vulnerability in YUI 2.4.0 through YUI 2.8.1 |
| Severity: | Critical |
| Versions affected: | < 1.9.10 |
| Reported and coordinated by: | YUI development team |
| Issue no.: | MDL-24808 |
| Solution: | upgrade to Moodle 1.9.10 or replace the following vulnerable files as described in the linked YUI support document
/lib/yui/uploader/assets/uploader.swf /lib/yui/charts/assets/charts.swf |
Description:
Moodle 1.9.9 or older include YUI library 2.6.0 which is one of the vulnerable versions described in http://yuilibrary.com/support/2.8.2/, this makes all older versions of Moodle 1.9.x vulnerable.
| Topic: | Customised HTML Purifier upgraded to 4.2.0 |
| Severity: | Minor |
| Versions affected: | < 1.9.10 |
| Reported by: | Upstream |
| Issue no.: | MDL-24810 |
| Solution: | Upgrade to latest release or use standard KSES text cleaning engine |
Description:
| Topic: | Multiple phpCAS library vulnerabilities |
| Severity: | Major |
| Versions affected: | < 1.9.10 and < 1.8.14 |
| Reported by: | Multiple reporters http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2795 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2796 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3690 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3691 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3692 |
| Issue no.: | MDL-24789 |
| Solution: | Upgrade to latest release or if you do not use CAS authentication delete the /auth/cas/* directory |
Description:
The CAS authentication plugin is using the phpCAS library internally. The latest version contains fixes for multiple security problems.
| Topic: | Customised phpMyAdmin upgraded to 2.11.11 |
| Severity: | Major |
| Versions affected: | all |
| Reported by: | upstream |
| Issue no.: | MDL-24555 |
| Solution: | Install latest package from http://moodle.org/mod/data/view.php?d=13&rid=448 or cvs |
| Workaround: | delete admin/mysql/* |
Description:
http://www.phpmyadmin.net/home_page/news.php
| Topic: | Potential Cross Site Request Forgery in Quiz reports |
| Severity/Risk: | Major |
| Versions affected: | <1.8.13 and <1.9.9 |
| Reported by: | Petr Skoda |
| Issue no.: | MDL-21688 |
| Solution: | upgrade to 1.8.13 or 1.9.9 |
| Workaround: | apply patch http://cvs.moodle.org/moodle/mod/quiz/report/overview/report.php?r1=1.98.2.50&r2=1.98.2.51 |
Description:
Only limited validation was being done for one of the parameters, allowing unauthorised deletion of attempts in some instances.
