oss-sec mailing list archives

Moodle security notifications public


From: Michael de Raadt <michaeld () moodle com>
Date: Mon, 21 Jul 2014 10:14:50 +0800

The following security notifications are now public after release.

Thanks to OSS members for their continued cooperation.

=======================================================================
MSA-14-0020: Identity confusion in Shibboleth authentication

Description:       The Shibboleth authentication plugin was accepting
                   empty session IDs and conflating sessions when more
                   than one session instance was associated with an
                   empty ID.
Issue summary:     User taking over other user's session using
                   Shibboleth authentication plugin
Severity/Risk:     Serious
Versions affected: 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported
                   versions
Versions fixed:    2.5.7 and 2.4.11
Reported by:       Colin Campbell
Issue no.:         MDL-45485
CVE identifier:    CVE-2014-3552
Changes (2.5):
http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_25_STABLE&st=commit&s=MDL-45485

=======================================================================
MSA-14-0021: Code injection in Repositories

Description:       Serialised data passed by repositories could
                   potentially contain objects defined by add-ons that
                   could include executable code.
Issue summary:     Potential PHP Object Injection in Repositories
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       Robin Bailey
Issue no.:         MDL-45616
CVE identifier:    CVE-2014-3541
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45616

=======================================================================
MSA-14-0022: XML External Entity vulnerability in LTI module

Description:       It was possible for manipulated XML files passed
                   from LTI servers to be interpreted by Moodle to
                   allow access to server-side files.
Issue summary:     XXE attack through LTI
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       pnig0s@freebuf
Issue no.:         MDL-45463
CVE identifier:    CVE-2014-3542
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45463

=======================================================================
MSA-14-0023: XML External Entity vulnerability in IMSCC and IMSCP

Description:       It was possible for manipulated XML files to be
                   uploaded to the IMSCC course format or the IMSCP
                   resource to allow access to server-side files.
Issue summary:     XXE Vulnerabilities in IMS CC and resource
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       pnig0s@freebuf
Issue no.:         MDL-45417
CVE identifier:    CVE-2014-3543
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45417
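Both XXE advisories above (MSA-14-0022 and MSA-14-0023) concern XML that Moodle receives from outside, from an LTI server or inside an uploaded IMS package, and then parses. The following is an added example, not code from Moodle or from the linked fixes, of loading such XML in PHP (7.4 or later) with external entity resolution disabled and any DOCTYPE refused; the function name and the two sample documents are assumptions constructed for it.

```php
<?php
// Added example, not Moodle code: parse XML from an LTI server or an uploaded
// IMS CC/CP package without resolving external entities. Function name and
// sample documents are constructed for this illustration.

function load_untrusted_xml(string $xml): DOMDocument
{
    // PHP < 8.0 let libxml fetch external entities by default; turn that off.
    // In PHP 8 the loader is off by default and the function is deprecated.
    $previousLoader = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
    $previousErrors = libxml_use_internal_errors(true);
    libxml_clear_errors();

    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT is
    // deliberately absent: it would substitute entity references.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    $errors = array_map(fn($e) => trim($e->message), libxml_get_errors());

    libxml_clear_errors();
    libxml_use_internal_errors($previousErrors);
    if ($previousLoader !== null) {
        libxml_disable_entity_loader($previousLoader);
    }

    if ($ok === false) {
        throw new InvalidArgumentException('Malformed XML: ' . implode('; ', $errors));
    }
    // Entity declarations live in the DOCTYPE. Neither an LTI response nor an
    // IMS manifest needs one, so any document that carries one is rejected.
    if ($doc->doctype !== null) {
        throw new InvalidArgumentException('XML with a DOCTYPE declaration is not accepted');
    }
    return $doc;
}

// Constructed sample: a plain IMS-style manifest parses normally.
$benign = '<?xml version="1.0"?><manifest identifier="course-1"><title>Intro</title></manifest>';
echo load_untrusted_xml($benign)->getElementsByTagName('title')->item(0)->textContent, "\n";

// Constructed sample: a manifest declaring an external entity is refused before
// any of its content is used (the SYSTEM path is a placeholder).
$hostile = '<?xml version="1.0"?><!DOCTYPE manifest [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    . '<manifest><title>&ext;</title></manifest>';
try {
    load_untrusted_xml($hostile);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```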

=======================================================================
MSA-14-0024: Cross-site scripting vulnerability in profile field

Description:       Filtering of the Skype profile field was not
                   removing potentially harmful code.
Issue summary:     Persistent XSS Found
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       Osanda Malith Jayathissa
Issue no.:         MDL-45683
CVE identifier:    CVE-2014-3544
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45683

=======================================================================
MSA-14-0025: Remote code execution in Quiz

Description:       It was possible to inject code into Calculated
                   questions that would be executed on the server.
Issue summary:     Remote code execution in quiz calculated question
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       Frédéric Massart
Issue no.:         MDL-46148
Workaround:        Disable calculated question types.
CVE identifier:    CVE-2014-3545
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46148

=======================================================================
MSA-14-0026: Information leak in profile and notes pages

Description:       It was possible to get limited user information,
                   such as user name and courses, by manipulating the
                   URL of profile and notes pages.
Issue summary:     /user/edit.php reveals account name
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       Patrick Webster
Issue no.:         MDL-45760
CVE identifier:    CVE-2014-3546
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45760

=======================================================================
MSA-14-0027: Forum group posting issue

Description:       Forum was allowing users who were members of more
                   than one group to post to all groups without
                   the capability to access all groups.
Issue summary:     Forum post to all participants in separate group
Severity/Risk:     Minor
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       Jakob Ackermann
Issue no.:         MDL-38990
CVE identifier:    CVE-2014-3553
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38990

=======================================================================
MSA-14-0028: Cross-site scripting possible in external badges

Description:       The details of badges from external sources were not
                   being filtered.
Issue summary:     XSS vulnerabilities with external badges
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6
Versions fixed:    2.7.1, 2.6.4 and 2.5.7
Reported by:       Frédéric Massart
Issue no.:         MDL-46042
CVE identifier:    CVE-2014-3547
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46042

=======================================================================
MSA-14-0029: Cross-site scripting vulnerability in exception dialogues

Description:       Content of exception dialogues presented from AJAX
                   calls was not being escaped before being presented
                   to users.
Issue summary:     Exception dialogs do not escape the content
Severity/Risk:     Minor
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       Frédéric Massart
Issue no.:         MDL-45471
CVE identifier:    CVE-2014-354
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45471

=======================================================================
MSA-14-0030: Cross-site scripting through logs of failed logins

Description:       Log entries of failed login attempts were not
                   filtered correctly.
Issue summary:     XSS in 'failed login' logs
Severity/Risk:     Serious
Versions affected: 2.7
Versions fixed:    2.7.1
Reported by:       Skylar Kelty
Issue no.:         MDL-46201
CVE identifier:    CVE-2014-3549
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46201

=======================================================================
MSA-14-0031: Cross-site scripting through scheduled task error messages

Description:       Error messages generated by scheduled tasks were
                   being presented to admins without correct filtering.
Issue summary:     XSS in scheduled tasks success/error message
Severity/Risk:     Serious
Versions affected: 2.7
Versions fixed:    2.7.1
Reported by:       Skylar Kelty
Issue no.:         MDL-46227
CVE identifier:    CVE-2014-3550
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46227

=======================================================================
MSA-14-0032: Cross-site scripting in advanced grading methods

Description:       Fields in rubrics were not being correctly filtered.
Issue summary:     XSS on the (qualification, rating) field by rubric/
                   advanced grading
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       Javier E. García Prada
Issue no.:         MDL-46223
CVE identifier:    CVE-2014-3551
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46223

=======================================================================