oss-sec mailing list archives
Moodle security notifications public
From: Michael de Raadt <michaeld () moodle com>
Date: Mon, 19 May 2014 09:43:47 +0800
The following security notifications are now public after release.
Thanks to OSS members for their continued cooperation.
=======================================================================
MSA-14-0014: Cross-site request forgery possible in Assignment
Description: Session checking was not being performed correctly in Assignment's quick-grading, allowing forged requests to be made unknowingly by authenticated users.
Issue summary: Cross-Site Request Forgery
Severity/Risk: Serious
Versions affected: 2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed: 2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by: Gerry Hall
Issue no.: MDL-44606
CVE identifier: CVE-2014-0213
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44606
=======================================================================
MSA-14-0015: Web service token expiry issue for MoodleMobile
Description: MoodleMobile web service tokens were not expiring.
Issue summary: Tokens created automatically in login/token.php are valid forever
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed: 2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by: Juan Leyva
Issue no.: MDL-43119
CVE identifier: CVE-2014-0214
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43119
=======================================================================
MSA-14-0016: Anonymous student identity revealed in assignment
Description: Some student details were included in assignment marking pages and would have been revealed to screen readers or through code inspection.
Issue summary: Blind marking reveals identities to screen readers
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed: 2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by: Damyon Wiese
Issue no.: MDL-44750
CVE identifier: CVE-2014-0215
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44750
=======================================================================
MSA-14-0017: File access issue in HTML block
Description: Access to files linked on HTML blocks on the My home page was not being checked in the correct context, allowing access to unauthenticated users.
Issue summary: Files linked in HTML blocks on My home are available to non-authenticated users
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed: 2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by: Mike Wilson
Issue no.: MDL-43877
CVE identifier: CVE-2014-0216
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43877
=======================================================================
MSA-14-0018: Information leak in courses
Description: Details of hidden courses were being revealed to unauthenticated users on enrolment pages by URL manipulation.
Issue summary: Hidden course name and summary visible to guests
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.2
Versions fixed: 2.7 and 2.6.3
Reported by: Marina Glancy
Issue no.: MDL-45126
CVE identifier: CVE-2014-0217
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45126
=======================================================================
MSA-14-0019: Reflected XSS in URL downloader repository
Description: There was a lack of filtering in the URL downloader repository that could have been exploited for XSS.
Issue summary: Reflected cross-site scripting in URL downloader repository
Severity/Risk: Serious
Versions affected: 2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed: 2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by: Yogendra Sharma
Issue no.: MDL-45332
CVE identifier: CVE-2014-0218
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45332