oss-sec mailing list archives
Moodle security notifications public
From: Michael de Raadt <michaeld () moodle com>
Date: Mon, 19 Nov 2012 09:59:15 +0800
The following security notifications have now been made public. Thanks to OSS members for their cooperation.
=======================================================================
MSA-12-0057: Access issue through repository
Topic: User B is able to see and use Dropbox of User A within Dropbox Repository File Picker
Severity/Risk: Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by: Alexander Bias
Issue no.: MDL-29872, MDL-36366
CVE Identifier: CVE-2012-5471
Workaround: Turn off Dropbox repository
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29872
Description: Users who logged out of Dropbox through the Moodle repository were disconnected in Moodle, but the user's access to Dropbox was still allowed while their browser session continued.
=======================================================================
MSA-12-0058: Possible form data manipulation issue
Topic: add setConstant() for hardfreeze element
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+
Reported by: Rossiani Wijaya
Issue no.: MDL-32785
CVE Identifier: CVE-2012-5472
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32785
Description: Frozen form elements were open to manipulation when form data was submitted.
=======================================================================
MSA-12-0059: Information leak in Database activity module
Topic: Members of separate groups can see Database activity entries for other groups
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by: Richard Meyer
Issue no.: MDL-34448
CVE Identifier: CVE-2012-5473
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34448
Description: Within the Database activity module, when separate groups were used, members of one group were able to see entries created by members of another group by completing an advanced search.
=======================================================================
MSA-12-0060: Cross-site scripting vulnerability in YUI2
Topic: yui2 swf vulnerability
Severity/Risk: Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+, 1.9 to 1.9.18+
Reported by: Petr Škoda, Jenny Donnelly
Issue no.: MDL-36346
CVE Identifier: CVE-2012-5475
Workaround: Delete YUI SWF files
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36346
Description: An XSS vulnerability has been discovered in some YUI 2 .swf files from versions 2.4.0 through 2.9.0. This defect allows JavaScript injection exploits to be created against domains that host affected YUI .swf files.
=======================================================================
MSA-12-0061: Remote code execution through Portfolio API
Topic: Portfolio plugin: Local File Inclusion (LFI) and the possibility of Remote Command Execution (RCE).
Severity/Risk: Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by: Cristobal Leiva
Issue no.: MDL-33791
CVE Identifier: CVE-2012-5479
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36346
Description: It was possible, when Moodle data is stored within the Web accessible directory, to manipulate the Portfolio API callbacks to execute a file uploaded by a user.
=======================================================================
MSA-12-0062: Information leak in Database activity module
Topic: Any user (including a guest) can view entries in database activity when more entries are required before viewing other participants' entries
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by: Tabitha Roder
Issue no.: MDL-35558
CVE Identifier: CVE-2012-5480
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35558
Description: The setting requiring that a number of entries be posted to a Database activity before others' entries could be viewed could be circumvented using an advanced search.
=======================================================================
MSA-12-0063: Information leak in Check Permissions page
Topic: Check Permissions page displays entire user base without moodle/role:manage capability
Severity/Risk: Minor
Versions affected: 2.3 to 2.3.2+
Reported by: Jody Steele
Issue no.: MDL-35381
CVE Identifier: CVE-2012-5481
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35381
Description: The Check Permissions page was allowing non-admin users to see the capabilities of all users, not just users in a course/category.
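
MSA-12-0061 above applies when Moodle data is stored within the Web accessible directory. The following check for that precondition is an added example, not part of the original post and not Moodle's own code. It assumes `$CFG->dataroot` is set as a plain quoted string in config.php and that the caller supplies the web server's document root; the function names and sample paths are illustrative.

```python
import os
import re

# Simple quoted-string assignments such as: $CFG->dataroot = '/srv/moodledata';
CFG_ASSIGN = re.compile(r"""\$CFG->(\w+)\s*=\s*(['"])(.*?)\2\s*;""")

def read_cfg_strings(config_text):
    """Return {setting: value} for quoted-string $CFG assignments, skipping comment lines."""
    found = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue
        match = CFG_ASSIGN.search(line)
        if match:
            found[match.group(1)] = match.group(3)
    return found

def path_under(child, parent):
    """Component-wise containment, so /var/www-data is not treated as inside /var/www."""
    try:
        return os.path.commonpath([child, parent]) == parent
    except ValueError:  # e.g. different drives on Windows
        return False

def is_inside(child, parent):
    # Check the path as written and with symlinks resolved: a match in
    # either form is flagged, since the web server may be able to reach it.
    lexical = path_under(os.path.abspath(child), os.path.abspath(parent))
    resolved = path_under(os.path.realpath(child), os.path.realpath(parent))
    return lexical or resolved

def dataroot_exposed(config_text, docroot):
    """True if $CFG->dataroot from config.php lies inside the web server document root."""
    dataroot = read_cfg_strings(config_text).get("dataroot")
    if dataroot is None:
        raise ValueError("no $CFG->dataroot assignment found")
    return is_inside(dataroot, docroot)

# Constructed sample config.php content (paths are illustrative).
SAMPLE_CONFIG = """<?php
$CFG = new stdClass();
// $CFG->dataroot = '/srv/moodledata';
$CFG->wwwroot  = 'https://moodle.example.org';
$CFG->dataroot = '/var/www/html/moodle/moodledata';
"""

if __name__ == "__main__":
    exposed = dataroot_exposed(SAMPLE_CONFIG, "/var/www/html")
    print("dataroot inside document root:", exposed)
```

The check does not detect a symlink or server alias inside the document root that points at an external data directory; that requires inspecting the web server configuration as well.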