oss-sec mailing list archives
Moodle security notifications public
From: Michael de Raadt <michaeld () moodle com>
Date: Mon, 19 May 2014 09:43:47 +0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The following security notifications are now public after release.

Thanks to OSS members for their continued cooperation.

=======================================================================
MSA-14-0014: Cross-site request forgery possible in Assignment

Description: Session checking was not being performed correctly in Assignment's quick-grading, allowing forged requests to be made unknowingly by authenticated users.
Issue summary: Cross-Site Request Forgery
Severity/Risk: Serious
Versions affected: 2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed: 2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by: Gerry Hall
Issue no.: MDL-44606
CVE identifier: CVE-2014-0213
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44606

=======================================================================
MSA-14-0015: Web service token expiry issue for MoodleMobile

Description: MoodleMobile web service tokens were not expiring.
Issue summary: Tokens created automatically in login/token.php are valid forever
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed: 2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by: Juan Leyva
Issue no.: MDL-43119
CVE identifier: CVE-2014-0214
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43119

=======================================================================
MSA-14-0016: Anonymous student identity revealed in assignment

Description: Some student details were included in assignment marking pages and would have been revealed to screen readers or through code inspection.
Issue summary: Blind marking reveals identities to screen readers
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed: 2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by: Damyon Wiese
Issue no.: MDL-44750
CVE identifier: CVE-2014-0215
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44750

=======================================================================
MSA-14-0017: File access issue in HTML block

Description: Access to files linked on HTML blocks on the My home page was not being checked in the correct context, allowing access to unauthenticated users.
Issue summary: Files linked in HTML blocks on My home are available to non-authenticated users
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed: 2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by: Mike Wilson
Issue no.: MDL-43877
CVE identifier: CVE-2014-0216
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43877

=======================================================================
MSA-14-0018: Information leak in courses

Description: Details of hidden courses were being revealed to unauthenticated users on enrolment pages by URL manipulation.
Issue summary: Hidden course name and summary visible to guests
Severity/Risk: Minor
Versions affected: 2.6 to 2.6.2
Versions fixed: 2.7 and 2.6.3
Reported by: Marina Glancy
Issue no.: MDL-45126
CVE identifier: CVE-2014-0217
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45126

=======================================================================
MSA-14-0019: Reflected XSS in URL downloader repository

Description: There was a lack of filtering in the URL downloader repository that could have been exploited for XSS.
Issue summary: Reflected cross-site scripting in URL downloader repository
Severity/Risk: Serious
Versions affected: 2.6 to 2.6.2, 2.5 to 2.5.5, 2.4 to 2.4.9 and earlier unsupported versions
Versions fixed: 2.7, 2.6.3, 2.5.6 and 2.4.10
Reported by: Yogendra Sharma
Issue no.: MDL-45332
CVE identifier: CVE-2014-0218
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45332

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTeWHTAAoJECGmGwK/mszP2NUH/RyVZBVQC5GO+3ZBGOiuBrtq
AvHnBfiKXpk+p5RXnDicHaqtIEdYpFDK7cVdlb3k1xiGZYraNP8b9pefHBk/GZMy
QmcKkT78pZj9b7cvs0SiGiksiIpYS3MwmZsWtOCjjH6VawQQL4kpZDoGi8ezyXpJ
MiAQ5C069IcoEkrKuBxCsNla+ezFN9+C+PaWPzpCjjf6aHxURFVD2Mv27VNF+Tcv
GjlslZ7s8VYmczyt0rM3ZSRQDprhzIlsXXUsEybEAxiakmmBEic0QjNw/Y6aPMHO
JjEWDc/QAVP+5eL9HdbNWmbzqtBR9ViTUQqg4idYQK8m2Vuh9O2Yd9GrgBU7ZQM=
=dm4s
-----END PGP SIGNATURE-----
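The root cause named in MSA-14-0014 is a state-changing handler that verified only that the caller was logged in, not that the request originated from a page the server itself rendered for that session. The following is an added illustration, not Moodle's code and not the MDL-44606 patch: a simplified quick-grading handler in plain PHP, shown once without and once with a session-bound anti-CSRF key check. The function and variable names (issue_sesskey, confirm_sesskey, quick_grade_unprotected, quick_grade_protected, $session, $request, $grades) are hypothetical; Moodle's real mechanism is its per-session "sesskey", and the handler here is stateless so it can be run from the command line.

```php
<?php
// Added example, not Moodle code: a quick-grading style handler without
// and with a session-bound anti-CSRF key. All names are hypothetical.

declare(strict_types=1);

/** Create a per-session anti-CSRF key once and keep it in the session. */
function issue_sesskey(array &$session): string
{
    if (empty($session['sesskey'])) {
        $session['sesskey'] = bin2hex(random_bytes(16)); // 128 bits of randomness
    }
    return $session['sesskey'];
}

/** Compare the submitted key with the session's key in constant time. */
function confirm_sesskey(array $session, array $request): bool
{
    if (empty($session['sesskey']) || !isset($request['sesskey'])) {
        return false;
    }
    return hash_equals($session['sesskey'], (string) $request['sesskey']);
}

/**
 * Vulnerable pattern: the only check is "is someone logged in?". A POST
 * triggered from another origin in the grader's browser still carries the
 * session cookie, so the grade is written without the grader's intent.
 */
function quick_grade_unprotected(array $session, array $request, array &$grades): bool
{
    if (empty($session['userid'])) {
        return false; // not logged in
    }
    $grades[(int) $request['userid']] = (float) $request['grade'];
    return true;
}

/** Fixed pattern: refuse any state change that lacks the session's key. */
function quick_grade_protected(array $session, array $request, array &$grades): bool
{
    if (empty($session['userid']) || !confirm_sesskey($session, $request)) {
        return false; // missing or wrong key: forged or stale form
    }
    $grades[(int) $request['userid']] = (float) $request['grade'];
    return true;
}

// Constructed demo data: one logged-in grader, an empty grade book.
$session = ['userid' => 42];
$grades  = [];
$key     = issue_sesskey($session);

// A request without the key, as a cross-site form post would arrive: another
// origin cannot read the key out of the victim's page or session.
$without_key = ['userid' => 7, 'grade' => 100];
printf("unprotected handler, no key: %s\n",
    quick_grade_unprotected($session, $without_key, $grades) ? 'grade saved' : 'rejected');
printf("protected handler, no key:   %s\n",
    quick_grade_protected($session, $without_key, $grades) ? 'grade saved' : 'rejected');

// A request from the server-rendered form, which embeds the key as a hidden field.
$with_key = ['userid' => 7, 'grade' => 85, 'sesskey' => $key];
printf("protected handler, with key: %s\n",
    quick_grade_protected($session, $with_key, $grades) ? 'grade saved' : 'rejected');
```

The unprotected handler accepts the keyless request; the protected one rejects it and accepts only the request carrying the key the server issued. The key must be unpredictable, tied to the session rather than the user account, compared with hash_equals rather than ==, and required on every request that changes state, including "convenience" paths such as quick grading that are easy to overlook when the main form is already protected.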
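MSA-14-0015 describes the opposite failure: an authentication artefact (a mobile web service token) that was valid forever, so a token copied off a lost device or out of a log never stopped working. The following is an added illustration, not Moodle's code and not the MDL-43119 patch: a token store in plain PHP where issuance with a lifetime of zero reproduces the "valid forever" behaviour and a bounded lifetime fixes it. The names ($store, issue_token, validate_token, TOKEN_LIFETIME, the validuntil and lastaccess fields) are hypothetical, and the token is stored only as a SHA-256 hash so that a copy of the store does not yield usable tokens.

```php
<?php
// Added example, not Moodle code: issuing and validating service tokens with
// an expiry. All names and the 12-hour lifetime are choices made for this example.

declare(strict_types=1);

const TOKEN_LIFETIME = 12 * 3600; // seconds; pick to match the client's re-login ability

/**
 * Issue a token for $userid. A $lifetime of 0 stores validuntil = 0, meaning
 * "never expires": this is the flawed behaviour the advisory describes.
 */
function issue_token(array &$store, int $userid, int $lifetime, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256-bit random bearer token
    $store[hash('sha256', $token)] = [
        'userid'     => $userid,
        'validuntil' => $lifetime > 0 ? $now + $lifetime : 0,
        'lastaccess' => $now,
    ];
    return $token;
}

/**
 * Return the owning user id, or null when the token is unknown or expired.
 * A record with validuntil = 0 is accepted at any time, which is the bug.
 */
function validate_token(array &$store, string $token, int $now): ?int
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null; // unknown token
    }
    $rec = $store[$key];
    if ($rec['validuntil'] > 0 && $rec['validuntil'] <= $now) {
        unset($store[$key]); // expired: drop it so it cannot be retried
        return null;
    }
    $store[$key]['lastaccess'] = $now;
    return $rec['userid'];
}

/** Housekeeping: remove expired tokens so the store does not grow without bound. */
function prune_expired(array &$store, int $now): int
{
    $removed = 0;
    foreach ($store as $key => $rec) {
        if ($rec['validuntil'] > 0 && $rec['validuntil'] <= $now) {
            unset($store[$key]);
            $removed++;
        }
    }
    return $removed;
}

// Constructed demo: two tokens for the same user, one unbounded and one bounded.
$store   = [];
$issued  = 1400000000;              // a fixed epoch second, so the run is reproducible
$forever = issue_token($store, 42, 0, $issued);
$bounded = issue_token($store, 42, TOKEN_LIFETIME, $issued);

$soon  = $issued + 60;              // one minute later
$later = $issued + 365 * 86400;     // one year later

printf("bounded token after 1 minute: %s\n", var_export(validate_token($store, $bounded, $soon), true));
printf("bounded token after 1 year:   %s\n", var_export(validate_token($store, $bounded, $later), true));
printf("unbounded token after 1 year: %s\n", var_export(validate_token($store, $forever, $later), true));
printf("records pruned at 1 year:     %d\n", prune_expired($store, $later));
```

The bounded token validates a minute after issue and is rejected a year later; the unbounded one is still accepted after a year, which is exactly the exposure the advisory names. Beyond a hard validuntil, a deployment would usually also revoke tokens on password change and on explicit logout, and key any rate limiting or audit logging to the token hash rather than to the bearer value itself.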