Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 17 Mar 2014 13:00:19 +0800
From: Michael de Raadt <michaeld@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security notifications public

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The following security notifications are now public after release.

Thanks to OSS members for their continued cooperation.

=======================================================================
MSA-14-0004: Incorrect filtering in Quiz

Description:       Question strings were not being filtered correctly
                   possibly allowing cross site scripting.
Issue summary:     quiz_question_tostring can cause invalid HTML
Severity/Risk:     Minor
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and
                   earlier unsupported versions
Versions fixed:    2.6.2, 2.5.5 and 2.4.9
Reported by:       Tim Hunt
Issue no.:         MDL-43690, MDL-43846
CVE identifier:    Pending
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43690

=======================================================================
MSA-14-0005: Access issue in Feedback activity

Description:       It was possible to start a Feedback activity while
                   it was supposed to be closed.
Issue summary:     Feedback Availability dates not honored in
                   complete.php
Severity/Risk:     Minor
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and
                   earlier unsupported versions
Versions fixed:    2.6.2, 2.5.5 and 2.4.9
Reported by:       Tomasz Muras
Issue no.:         MDL-43656
CVE identifier:    CVE-2014-0127
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43656

=======================================================================
MSA-14-0006: Capability issue in Chat

Description:       Capabilities to chat were being checked at the start
                   of a chat, but not during, so changes were not
                   effective immediately.
Issue summary:     Broken access control vulnerability with
                   /mod/chat/chat_ajax.php
Severity/Risk:     Minor
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and
                   earlier unsupported versions
Versions fixed:    2.6.2, 2.5.5 and 2.4.9
Reported by:       Jun Zhu
Issue no.:         MDL-44082
CVE identifier:    CVE-2014-0122
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44082

=======================================================================
MSA-14-0007: Access issue in Wiki

Description:       There were missing access checks on Wiki pages
                   allowing students to see pages of other students'
                   individual wikis.
Issue summary:     Students able to see others' Individual wiki through
                   the Recent activity block
Severity/Risk:     Serious
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and
                   earlier unsupported versions
Versions fixed:    2.6.2, 2.5.5 and 2.4.9
Reported by:       Monash University VLE team
Issue no.:         MDL-39990
CVE identifier:    CVE-2014-0123
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39990

=======================================================================
MSA-14-0008: Cross site scripting potential in Flowplayer

Description:       Cross site scripting was possible with Flowplayer
Issue summary:     Upgrade flowplayer
Severity/Risk:     Minor
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and
                   earlier unsupported versions
Versions fixed:    2.6.2, 2.5.5 and 2.4.9
Reported by:       Andrew Nicols, Simon Coggins
Issue no.:         MDL-43344
CVE identifier:    Pending
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43344

=======================================================================
MSA-14-0009: Identity information leak in Forum and Quiz

Description:       Forum and Quiz were showing users' email addresses
                   when settings were supposed to be preventing this.
Issue summary:     User email addresses shown when setting and
                   capabilities do not allow it
Severity/Risk:     Minor
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and
                   earlier unsupported versions
Versions fixed:    2.6.2, 2.5.5 and 2.4.9
Reported by:       Maria Torres
Issue no.:         MDL-43916
CVE identifier:    CVE-2014-0124
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43916

=======================================================================
MSA-14-0010: Identity information leak in Alfresco Repository

Description:       Alias links to items in an Alfresco repository were
                   provided with information that would allow someone
                   to impersonate the file owner in Alfresco.
Issue summary:     Alfresco Repository - external links make Alfresco
                   vulnerable to impersonation attack
Severity/Risk:     Serious
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and
                   earlier unsupported versions
Versions fixed:    2.6.2, 2.5.5 and 2.4.9
Reported by:       Ryan Herring
Issue no.:         MDL-29409
CVE identifier:    CVE-2014-0125
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29409

=======================================================================
MSA-14-0011: Cross site request forgery potential in IMS enrolments

Description:       There was inadequate session checking when
                   triggering the import of IMS Enterprise identities.
Issue summary:     Cross Site Request Forgery in
                   enrol/imsenterprise/importnow.php
Severity/Risk:     Serious
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and
                   earlier unsupported versions
Versions fixed:    2.6.2, 2.5.5 and 2.4.9
Reported by:       Tyler William Thomas
Issue no.:         MDL-43146
CVE identifier:    CVE-2014-0126
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43146

=======================================================================
MSA-14-0012: Access issue in Badges

Description:       It was possible for authenticated users to toggle
                   the visibility of other users' badges.
Issue summary:     logged user can change badge status (visible field)
Severity/Risk:     Minor
Versions affected: 2.6 to 2.6.1 and 2.5 to 2.5.4
Versions fixed:    2.6.2 and 2.5.5
Reported by:       Adrian Lorenc
Issue no.:         MDL-44140
CVE identifier:    CVE-2014-0129
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44140

=======================================================================
MSA-14-0013: Unfiltered data used in Assignment web services

Description:       Assignment web service functions were not correctly
                   cleaning function parameters allowing alteration
                   of assignment grade related information.
Issue summary:     Review mod/assign external functions
Severity/Risk:     Minor
Versions affected: 2.6 to 2.6.1
Versions fixed:    2.6.2
Reported by:       Eloy Lafuente
Issue no.:         MDL-43468
CVE identifier:    Pending
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43468
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTJoFjAAoJECGmGwK/mszP1k4H/32I70/wA3HukA7qmpmWvcRF
teQ1/uAYXTMiFsG29DI/pCQLW6xNcEceaIy6vYIFAiH/6nUcIgT7bwxzi51e+WQQ
LYDmG4sGWiNaRxxFUTb3z9RqYWlxeNg9aqm+04D0OHhCIcKDwRkx422ATsQ5T/Zv
taG/p/WdS12ljcE5SGM+oIIPbwpG9eSV4LNiUY4OVO7NECgjZucvSXj4lwxLZ6DW
6yd8wdt90IMqOKptKJ2fPxeDevemLnMPcr8A4EhOROjm7pQvr1GXEs0YWHAnMhK8
SVMrsAv7YYnH9ljJXfV9DPQKMLn2CJW7DKjM0y1s3PL2r0UXXoSLYOfQusHGhpQ=
=cf4P
-----END PGP SIGNATURE-----


Download attachment "smime.p7s" of type "application/pkcs7-signature" (3748 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.