Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 18 Jan 2016 11:56:30 +0800
From: Marina Glancy <>
Subject: [vs] moodle security release

The following security notifications have now been made public. Thanks
to OSS members for their cooperation.

Marina Glancy
Development Process Manager
p: +61 8 9467 4167 w:

MSA-16-0001: Two enrolment-related web services don't check course visibility

Description:       Web services core_enrol_get_course_enrolment_methods and
                   enrol_self_get_instance_info did not check user permission
                   to access hidden courses
Issue summary:     External functions core_enrol_get_course_enrolment_methods
                   and enrol_self_get_instance_info don't check course
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.1, 2.9 to 2.9.3, 2.8 to 2.8.9, 2.7 to 2.7.11 and
                   earlier unsupported versions
Versions fixed:    3.0.2, 2.9.4, 2.8.10 and 2.7.12
Reported by:       Juan Leyva
Issue no.:         MDL-52072
CVE identifier:    CVE-2016-0724
Changes (master):

MSA-16-0002: XSS Vulnerability in course management search

Description:       Search string in course management interface was not
                   escaped when being output creating potential for XSS attack
Issue summary:     XSS Vulnerability in course management search
Severity/Risk:     Serious
Versions affected: 3.0 to 3.0.1, 2.9 to 2.9.3 and 2.8 to 2.8.9
Versions fixed:    3.0.2, 2.9.4 and 2.8.10
Reported by:       Oliveira Lima
Issue no.:         MDL-52552
CVE identifier:    CVE-2016-0725
Changes (master):


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.