Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 18 Jan 2016 11:56:30 +0800
From: Marina Glancy <>
Subject: [vs] moodle security release

The following security notifications have now been made public. Thanks
to OSS members for their cooperation.

Marina Glancy
Development Process Manager
p: +61 8 9467 4167 w:

MSA-16-0001: Two enrolment-related web services don't check course visibility

Description:       Web services core_enrol_get_course_enrolment_methods and
                   enrol_self_get_instance_info did not check user permission
                   to access hidden courses
Issue summary:     External functions core_enrol_get_course_enrolment_methods
                   and enrol_self_get_instance_info don't check course
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.1, 2.9 to 2.9.3, 2.8 to 2.8.9, 2.7 to 2.7.11 and
                   earlier unsupported versions
Versions fixed:    3.0.2, 2.9.4, 2.8.10 and 2.7.12
Reported by:       Juan Leyva
Issue no.:         MDL-52072
CVE identifier:    CVE-2016-0724
Changes (master):

MSA-16-0002: XSS Vulnerability in course management search

Description:       Search string in course management interface was not
                   escaped when being output creating potential for XSS attack
Issue summary:     XSS Vulnerability in course management search
Severity/Risk:     Serious
Versions affected: 3.0 to 3.0.1, 2.9 to 2.9.3 and 2.8 to 2.8.9
Versions fixed:    3.0.2, 2.9.4 and 2.8.10
Reported by:       Oliveira Lima
Issue no.:         MDL-52552
CVE identifier:    CVE-2016-0725
Changes (master):


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ