Date: Mon, 18 Jan 2016 11:56:30 +0800
From: Marina Glancy <marina@...dle.com>
To: oss-security@...ts.openwall.com
Subject: [vs] moodle security release

The following security notifications have now been made public. Thanks to OSS members for their cooperation.

Marina Glancy
Development Process Manager
e: marina@...dle.com
p: +61 8 9467 4167
w: moodle.com

==============================================================================
MSA-16-0001: Two enrolment-related web services don't check course visibility

Description:       Web services core_enrol_get_course_enrolment_methods and
                   enrol_self_get_instance_info did not check user
                   permission to access hidden courses
Issue summary:     External functions core_enrol_get_course_enrolment_methods
                   and enrol_self_get_instance_info don't check course
                   visibility
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.1, 2.9 to 2.9.3, 2.8 to 2.8.9, 2.7 to 2.7.11
                   and earlier unsupported versions
Versions fixed:    3.0.2, 2.9.4, 2.8.10 and 2.7.12
Reported by:       Juan Leyva
Issue no.:         MDL-52072
CVE identifier:    CVE-2016-0724
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52072

==============================================================================
MSA-16-0002: XSS Vulnerability in course management search

Description:       Search string in course management interface was not
                   escaped when being output creating potential for XSS
                   attack
Issue summary:     XSS Vulnerability in course management search
Severity/Risk:     Serious
Versions affected: 3.0 to 3.0.1, 2.9 to 2.9.3 and 2.8 to 2.8.9
Versions fixed:    3.0.2, 2.9.4 and 2.8.10
Reported by:       Oliveira Lima
Issue no.:         MDL-52552
CVE identifier:    CVE-2016-0725
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52552

==============================================================================
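
The following is an added example, not part of the original message or of Moodle's code: a triage check that maps an installed Moodle release string onto the affected and fixed ranges of the two advisories above. The function names, the status labels, and the treatment of a trailing "+" as a weekly build needing manual verification are assumptions made for this example.

```python
import re

# Ranges transcribed from the advisories above: branch -> first fixed patch release.
ADVISORIES = {
    "MSA-16-0001": {"fixed": {(3, 0): 2, (2, 9): 4, (2, 8): 10, (2, 7): 12},
                    "older_affected": True},   # "and earlier unsupported versions"
    "MSA-16-0002": {"fixed": {(3, 0): 2, (2, 9): 4, (2, 8): 10},
                    "older_affected": False},  # advisory names no older branches
}

def parse_release(release):
    """Parse '3.0.1', '2.9' or '3.0.1+ (Build: ...)' into (branch, patch, weekly)."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(\+)?", release)
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    major, minor, patch, plus = m.groups()
    # A bare '2.9' is the .0 release of that branch.
    return (int(major), int(minor)), int(patch or 0), plus is not None

def status(msa, release):
    """Return 'affected', 'verify', 'fixed' or 'not-listed' for one advisory."""
    adv = ADVISORIES[msa]
    fixed = adv["fixed"]
    branch, patch, weekly = parse_release(release)
    if branch in fixed:
        if patch >= fixed[branch]:
            return "fixed"
        # Assumption: a '+' build sits between point releases and may already
        # carry the fix commit, so it is flagged for a manual check.
        return "verify" if weekly else "affected"
    if branch < min(fixed):
        # Older than every branch the advisory names.
        return "affected" if adv["older_affected"] else "not-listed"
    return "not-listed"  # a branch the advisory does not mention

def report(release):
    """Status of one installed release against both advisories."""
    return {msa: status(msa, release) for msa in ADVISORIES}

if __name__ == "__main__":
    # Constructed sample release strings, not taken from any real site.
    for rel in ("3.0.1", "2.9", "2.7.11", "2.8.10", "3.0.1+"):
        print(rel, report(rel))
```

A "not-listed" result means only that the advisory says nothing about that branch, which matters for 2.7.x under MSA-16-0002.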