oss-sec mailing list archives

Moodle security notifications public


From: Michael de Raadt <michaeld () moodle com>
Date: Mon, 20 Jan 2014 08:59:55 +0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The following security notifications are now public after release.

Thanks to OSS members for their continued cooperation.

=======================================================================
MSA-14-0001: Config passwords visibility issue

Description:       Some password changes on admin pages were being
                   recorded and shown to administrators in the config
                   log report.
Issue summary:     Config Changes Report reveals passwords as plain
                   text
Severity/Risk:     Minor
Versions affected: 2.6, 2.5 to 2.5.4, 2.4 to 2.4.7 and earlier
                   unsupported versions
Versions fixed:    2.6.1, 2.5.4 and 2.4.8
Reported by:       Andrew Steele
Issue no.:         MDL-36721
CVE identifier:    CVE-2014-0008
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36721

=======================================================================
MSA-14-0002: Group constraints lacking in "login as"

Description:       Users were able to log in as a user who is not in the
                   same group without the permission to see all groups.
Issue summary:     Users with loginas permission and access all groups
                   prohibited can log in as a user not in their group by
                   direct URL
Severity/Risk:     Minor
Versions affected: 2.6, 2.5 to 2.5.4, 2.4 to 2.4.7, 2.3 to 2.3.10 and
                   earlier unsupported versions
Versions fixed:    2.6.1, 2.5.4, 2.4.8 and 2.3.11
Reported by:       Itamar Tzadok
Issue no.:         MDL-42643
CVE identifier:    CVE-2014-0009
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-42643

=======================================================================
MSA-14-0003: Cross-site request forgery vulnerability in profile fields

Description:       Custom profile fields and categories were open to
                   deletion without proper session checking.
Issue summary:     Two Cross-site Request Forgery (CSRF) vulnerabilities
                   found in /user/profile/index.php
Severity/Risk:     Serious
Versions affected: 2.6, 2.5 to 2.5.4, 2.4 to 2.4.7, 2.3 to 2.3.10 and
                   earlier unsupported versions
Versions fixed:    2.6.1, 2.5.4, 2.4.8 and 2.3.11
Reported by:       Jun Zhu
Issue no.:         MDL-42883
CVE identifier:    CVE-2014-0010
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-42883

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJS3HS7AAoJECGmGwK/mszPKxMIAIkiFaKtzEKI/3n4TOqU5AcF
Mkm4k60lQgXxRYVptpReDqCUEX08oI86rCtz8vqNx0p04nerhd54An6l9E6uRQrg
40uHGR++LkD2ULflZyFPyQl+GgzGiuAtkvlIq84k5t5WtpkfqQi9DA5GMEpRzu4G
26yCd1oaVKPr22vLfGGbjtYdDHaSGTEdFuB6hvDM5pl7WsTzNg35n9Bwb7QnmbqL
saMiPrRJ8uVgDqP6roZDuidMTdOcxHPfAxuv4pNhkTbjmB4jtYs7Wz91sbqX90cb
u8LbFygvgZ5UnjuCxVlycL/MLaMDr8ucfl1tVBWp/iBzipd0AOh6zurI1tijORs=
=xb4F
-----END PGP SIGNATURE-----
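The first advisory (MSA-14-0001) is a logging failure: a config-change report recorded old and new values for every setting, password settings included. The Python below is an added example written for this page, not Moodle's code; it models a change log where the "secret" flag lives on the setting definition and unregistered settings fail closed. The setting names, values and registry are constructed.

```python
"""Configuration-change log that never persists secret values.

Constructed example for this advisory; it is not Moodle code. The setting
names and values below are made up.
"""
from dataclasses import dataclass

MASK = "********"


@dataclass(frozen=True)
class Setting:
    name: str
    secret: bool = False  # True for password-type settings


# Registry of known settings; the secret flag lives on the setting definition,
# not in a list of names that has to be kept in sync by hand.
REGISTRY = {
    "sitename": Setting("sitename"),
    "smtppass": Setting("smtppass", secret=True),
}


def log_config_change(log, name, old, new, registry=REGISTRY):
    """Append a change record. Secret (or unregistered) settings are masked so
    the report can still show *that* a value changed, never what it was."""
    setting = registry.get(name)
    # Unknown settings are treated as secret: failing closed means a new
    # password setting that was never registered cannot leak by default.
    is_secret = setting is None or setting.secret
    entry = {
        "setting": name,
        "changed": old != new,
        "old": (MASK if old else "") if is_secret else old,
        "new": (MASK if new else "") if is_secret else new,
    }
    log.append(entry)
    return entry


def leaks(log, plaintexts):
    """Return the plaintext values that appear anywhere in the log."""
    dumped = [str(e) for e in log]
    return [p for p in plaintexts if any(p in d for d in dumped)]


def demo():
    log = []
    log_config_change(log, "sitename", "Old site", "New site")
    log_config_change(log, "smtppass", "hunter2", "s3cret-new")
    log_config_change(log, "smtppass", "s3cret-new", "s3cret-new")  # re-saved unchanged
    log_config_change(log, "newplugin_apikey", "", "k-0001")         # never registered
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The `leaks` helper is the check worth keeping in a test suite: feed it the plaintext secrets used in a test run and assert the list comes back empty, so a new password setting that forgets to set `secret=True` is caught before it reaches a report.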
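MSA-14-0002 is the classic gap between what a page lists and what its handler enforces: the participant list was filtered by group, but the "log in as" URL behind it only checked the capability, so a user id typed into the URL bypassed the group constraint. The Python below is an added example for this page, not Moodle's code; the two capability names are Moodle's real ones, while the course, users and groups are constructed.

```python
"""Server-side authorization for "log in as" that honours group constraints.

Constructed example for this advisory; it is not Moodle code. The two
capability names are Moodle's; the course, users and groups are made up.
"""
from dataclasses import dataclass

LOGINAS = "moodle/user:loginas"
ACCESS_ALL_GROUPS = "moodle/site:accessallgroups"


@dataclass
class Course:
    participants: set  # enrolled user ids
    groups: dict       # group id -> set of member user ids


@dataclass
class Actor:
    user_id: int
    capabilities: set


def shares_group(course, a, b):
    return any(a in m and b in m for m in course.groups.values())


def visible_targets(actor, course):
    """What the participant list shows: already filtered by group. Filtering
    the list is a UI nicety, not an access check."""
    if ACCESS_ALL_GROUPS in actor.capabilities:
        return {u for u in course.participants if u != actor.user_id}
    return {u for u in course.participants
            if u != actor.user_id and shares_group(course, actor.user_id, u)}


def can_login_as_capability_only(actor, target_id, course):
    """Vulnerable shape: the handler behind the URL only checks the
    capability, so any enrolled user id placed in the URL is accepted."""
    return LOGINAS in actor.capabilities and target_id in course.participants


def can_login_as(actor, target_id, course):
    """Hardened shape: the handler repeats the group constraint itself."""
    if LOGINAS not in actor.capabilities or target_id not in course.participants:
        return False
    if ACCESS_ALL_GROUPS in actor.capabilities:
        return True
    return shares_group(course, actor.user_id, target_id)


def demo():
    course = Course(participants={1, 2, 3, 4}, groups={10: {1, 2}, 11: {3}})
    teacher = Actor(user_id=1, capabilities={LOGINAS})
    return {
        "listed": visible_targets(teacher, course),
        "direct_url_before": can_login_as_capability_only(teacher, 3, course),
        "direct_url_after": can_login_as(teacher, 3, course),
        "same_group_after": can_login_as(teacher, 2, course),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that `visible_targets` and `can_login_as` share `shares_group`, so the list and the handler cannot drift apart; a user who is enrolled but in no group (user 4 above) is neither listed nor accepted.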
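MSA-14-0003 describes deletion "without proper session checking", which in Moodle terms means the request was not required to carry the per-session token (the sesskey). The Python below is an added example for this page, not Moodle's code; it models the vulnerable handler beside the hardened one using a generic session token. The profile field names, session object and request dictionaries are constructed.

```python
"""Per-session token ("sesskey") check on a state-changing request.

Constructed example for this advisory; it is not Moodle code. The profile
field names, session and request dictionaries are made up.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user_id: int
    # Unpredictable per-session value, rendered into the site's own forms.
    sesskey: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class ProfileFields:
    fields: dict  # field id -> name

    def delete(self, field_id):
        self.fields.pop(field_id, None)


def cross_site_request(field_id):
    """Parameters another origin can make the victim's browser submit with
    the victim's cookies. It cannot read the page, so it has no sesskey."""
    return {"action": "deletefield", "id": str(field_id)}


def same_site_request(session, field_id):
    """Parameters from the site's own delete link or form, token included."""
    return {"action": "deletefield", "id": str(field_id), "sesskey": session.sesskey}


def handle_unprotected(store, session, params):
    """Vulnerable shape: authenticated (cookie) but not authorised (token)."""
    if params.get("action") != "deletefield":
        return False
    store.delete(int(params["id"]))
    return True


def handle_protected(store, session, params):
    """Hardened shape: reject unless the request carries the session's token.
    Constant-time comparison so the check itself cannot be timed."""
    if params.get("action") != "deletefield":
        return False
    supplied = params.get("sesskey", "").encode()
    if not hmac.compare_digest(supplied, session.sesskey.encode()):
        raise PermissionError("invalid sesskey")
    store.delete(int(params["id"]))
    return True


def demo():
    session = Session(user_id=2)
    before = ProfileFields({1: "Department", 2: "Office phone"})
    after = ProfileFields({1: "Department", 2: "Office phone"})

    handle_unprotected(before, session, cross_site_request(1))
    try:
        handle_protected(after, session, cross_site_request(1))
        blocked = False
    except PermissionError:
        blocked = True
    handle_protected(after, session, same_site_request(session, 2))
    return {
        "unprotected_remaining": sorted(before.fields),
        "cross_site_blocked": blocked,
        "protected_remaining": sorted(after.fields),
    }


if __name__ == "__main__":
    print(demo())
```

The token must be bound to the session and compared server-side on every state-changing action; a missing or mismatched token is rejected before any write, and the store is left untouched.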
