oss-sec mailing list archives
Re: CVE Request: moodle 1.9.8, 1.8.2
From: Josh Bressers <bressers () redhat com>
Date: Thu, 1 Apr 2010 15:33:15 -0400 (EDT)
----- "Ludwig Nussel" <ludwig.nussel () suse de> wrote:
Hi, Moodle 1.9.8 and 1.8.12 were released with security fixes: http://docs.moodle.org/en/Moodle_1.9.8_release_notes * MSA-10-0001 Vulnerability in KSES text cleaning * MSA-10-0002 XSS vulnerabilty in the phpcas module * MSA-10-0003 Disclosure of full user names * MSA-10-0004 Improved access control in course restore * MSA-10-0005 Incorrect validation of forms data * MSA-10-0006 SQL injection in Wiki module * MSA-10-0007 Reflective Cross Site Scripting (XSS) in the Moodle Global Search Engine * MSA-10-0008 Persistent XSS when using Login-as feature * MSA-10-0009 Session fixation prevention now turned on by default
Steve, I'm going to defer this one to MITRE. On that note though, does someone have a Moodle contact, perhaps we could get them to request CVE ids in private before a release, to avoid the backlog that results. The same holds for things like typo3, that seem to often have lots of flaws all at once. Thanks. -- JB
Current thread:
- CVE Request: moodle 1.9.8, 1.8.2 Ludwig Nussel (Apr 01)
- Re: CVE Request: moodle 1.9.8, 1.8.2 Josh Bressers (Apr 01)
- Re: CVE Request: moodle 1.9.8, 1.8.2 Ludwig Nussel (Apr 23)
- Re: CVE Request: moodle 1.9.8, 1.8.2 Steven M. Christey (Apr 29)
- Re: CVE Request: moodle 1.9.8, 1.8.2 Josh Bressers (Apr 01)