oss-sec mailing list archives

Re: CVE Request: moodle 1.9.8, 1.8.2


From: Josh Bressers <bressers () redhat com>
Date: Thu, 1 Apr 2010 15:33:15 -0400 (EDT)


----- "Ludwig Nussel" <ludwig.nussel () suse de> wrote:

Hi,

Moodle 1.9.8 and 1.8.12 were released with security fixes:
http://docs.moodle.org/en/Moodle_1.9.8_release_notes
* MSA-10-0001 Vulnerability in KSES text cleaning
* MSA-10-0002 XSS vulnerability in the phpcas module
* MSA-10-0003 Disclosure of full user names
* MSA-10-0004 Improved access control in course restore
* MSA-10-0005 Incorrect validation of forms data
* MSA-10-0006 SQL injection in Wiki module
* MSA-10-0007 Reflective Cross Site Scripting (XSS) in the Moodle Global Search Engine
* MSA-10-0008 Persistent XSS when using Login-as feature
* MSA-10-0009 Session fixation prevention now turned on by default


Steve,

I'm going to defer this one to MITRE.

On that note though, does someone have a Moodle contact? Perhaps we could
get them to request CVE ids in private before a release, to avoid the
backlog that results.

The same holds for things like typo3, that seem to often have lots of flaws
all at once.

Thanks.

-- 
    JB

