Home page logo
/

oss-sec logo oss-sec mailing list archives

Moodle security notifications public
From: Michael de Raadt <michaeld () moodle com>
Date: Mon, 25 Nov 2013 08:49:06 +0800

The following security notifications are now public after a delayed release.

*Please note that the MSA security numbers reported earlier were incorrect and out of sequence. These should be corrected.*

Thanks to OSS members for their continued cooperation.

=======================================================================
MSA-13-0036 (not MSA-13-25): Incorrect headers sent for secured resources

Description:       Some files were being delivered with incorrect
                   headers, meaning they could be cached downstream.
Issue summary:     Incorrect headers emitted for secured resources
Severity/Risk:     Minor
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and
                   earlier unsupported versions
Versions fixed:    2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by:       Tony Levi
Issue no.:         MDL-38743, MDL-42686
CVE identifier:    CVE-2013-4522
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38743

=======================================================================
MSA-13-0037 (not MSA-13-26): Cross site scripting in Messages

Description:       JavaScript in messages was being executed on some
                   pages.
Issue summary:     Cross Site Scripting in Messages
Severity/Risk:     Serious
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and
                   earlier unsupported versions
Versions fixed:    2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by:       Panagiotis Petasis
Issue no.:         MDL-41941
CVE identifier:    CVE-2013-4523
Workaround:        Disable messages
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41941

=======================================================================
MSA-13-0038 (not MSA-13-27): Access to server files through repository

Description:       The file system repository was allowing access
                   to files beyond the Moodle file area.
Issue summary:     File System repository gives read access to the
                   whole file system
Severity/Risk:     Serious
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and
                   earlier unsupported versions
Versions fixed:    2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by:       Frédéric Massart
Issue no.:         MDL-41807
CVE identifier:    CVE-2013-4524
Workaround:        Do not enable File System repository (default)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41807

=======================================================================
MSA-13-0039 (not MSA-13-28): Cross site scripting in Quiz

Description:       JavaScript in question answers was being executed on
                   the Quiz Results page.
Issue summary:     XSS on view quiz results page
Severity/Risk:     Serious
Versions affected: 2.5 to 2.5.2, 2.4 to 2.4.6, 2.3 to 2.3.9 and
                   earlier unsupported versions
Versions fixed:    2.6, 2.5.3, 2.4.7 and 2.3.10
Reported by:       Michael Hess
Issue no.:         MDL-41820
CVE identifier:    CVE-2013-4525
Workaround:        Disable text-based question types.
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41820

=======================================================================
MSA-13-0040: Cross site scripting vulnerability in YUI library

Description:       Flash files distributed with the YUI library
                   may have allowed for cross-site scripting attacks.
                   This is additional to MSA-13-0025.
Issue summary:     YUI2 security vulnerability
Severity/Risk:     Serious
Versions affected: 2.3 to 2.3.9 and earlier unsupported versions
Versions fixed:    2.3.10
Reported by:       Petr Škoda
Issue no.:         MDL-42780
CVE identifier:    CVE-2013-6780
Workaround:        Remove all SWF files under the lib/yui directory.
Changes (2.3): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-42780


  By Date           By Thread  

Current thread:
  • Moodle security notifications public Michael de Raadt (Nov 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault