oss-sec mailing list archives
Moodle security release
From: Marina Glancy <marina () moodle com>
Date: Mon, 21 Sep 2015 09:51:24 +0800
The following security notifications have now been made public. Thanks to OSS members for their cooperation.

Marina Glancy
Development Process Manager
marina () moodle com
+61894674167 | moodle.com
The world's open source learning platform

==============================================================================
MSA-15-0030: Students can re-attempt answering questions in the lesson

Description: A completed and graded lesson activity was not protected against a new attempt to answer some questions
Issue summary: Students can re-attempt answering questions in the lesson
Severity/Risk: Minor
Versions affected: 2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier unsupported versions
Versions fixed: 2.9.2, 2.8.8 and 2.7.10
Reported by: Eric Eakin
Issue no.: MDL-50516
CVE identifier: CVE-2015-5264
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50516
==============================================================================
MSA-15-0031: Teacher in forum can still post to "all participants" and groups they are not members of

Description: Group access is not properly checked when posting to "all participants" in forum
Issue summary: Teacher without accessallgroups can still post to "all participants" and groups they're not members of
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.9 and earlier unsupported versions
Versions fixed: 2.7.10
Reported by: David Scotson
Issue no.: MDL-50576
CVE identifier: CVE-2015-5272
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50576
==============================================================================
MSA-15-0032: Users can delete files uploaded by other users in wiki

Description: Users can delete files uploaded by other users in wiki without the capability to manage files
Issue summary: Disable free access to the file manager in the wiki via the text editor.
Severity/Risk: Minor
Versions affected: 2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier unsupported versions
Versions fixed: 2.9.2, 2.8.8 and 2.7.10
Reported by: John Provasnik
Issue no.: MDL-48371
CVE identifier: CVE-2015-5265
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48371
==============================================================================
MSA-15-0033: Meta course synchronisation enrols suspended students as managers for a short period of time

Description: On large installations, when the sync script takes a long time, suspended students may get assigned a manager role in the meta course for several minutes
Issue summary: Meta course sync enrolling suspended students as managers and causing large database growth
Severity/Risk: Minor
Versions affected: 2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier unsupported versions
Versions fixed: 2.9.2, 2.8.8 and 2.7.10
Reported by: Brian Winstead
Issue no.: MDL-50744
CVE identifier: CVE-2015-5266
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50744
==============================================================================
MSA-15-0034: Vulnerability in password recovery mechanism

Description: Password recovery token can be guessed because of PHP randomisation limitations
Issue summary: Vulnerability in password recovery mechanism
Severity/Risk: Serious
Versions affected: 2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier unsupported versions
Versions fixed: 2.9.2, 2.8.8 and 2.7.10
Reported by: Vincent Herbulot (@us3r777)
Issue no.: MDL-50860
CVE identifier: CVE-2015-5267
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50860
==============================================================================
MSA-15-0035: Rating component does not check separate groups

Description: When viewing ratings, group access was not properly checked, allowing users from other groups to view ratings
Issue summary: Rating component does not check separate groups
Severity/Risk: Minor
Versions affected: 2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier unsupported versions
Versions fixed: 2.9.2, 2.8.8 and 2.7.10
Reported by: Juan Leyva
Issue no.: MDL-50173
CVE identifier: CVE-2015-5268
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50173
==============================================================================
MSA-15-0036: XSS in grouping description

Description: The capability to manage groups does not carry XSS risk; however, it was possible to add XSS to the grouping description
Issue summary: XSS in grouping description
Severity/Risk: Minor
Versions affected: 2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier unsupported versions
Versions fixed: 2.9.2, 2.8.8 and 2.7.10
Reported by: Marina Glancy
Issue no.: MDL-50709
CVE identifier: CVE-2015-5269
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50709
==============================================================================
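MSA-15-0034 above is the one Serious item: a recovery token drawn from a predictable PHP source can be guessed. The following is an added illustration, not Moodle's code and not the fix linked in MDL-50860, of how a recovery token should be issued and redeemed: drawn from the OS CSPRNG via random_bytes() (PHP 7+ assumed), stored only as a hash, time-bounded, single-use, and compared in constant time. The in-memory $store array standing in for the database table is a constructed stand-in.

```php
<?php
// Added example (not Moodle's code): CSPRNG-backed password-recovery tokens.
// The $store array is a constructed stand-in for the DB table of reset requests.
declare(strict_types=1);

const TOKEN_BYTES   = 32;    // 256 bits of entropy; infeasible to guess or brute-force
const TOKEN_TTL_SEC = 1800;  // recovery links expire after 30 minutes

/** Issue a token for $userId; the secret is what goes in the email, only its hash is stored. */
function issue_reset_token(array &$store, int $userId, int $now): string
{
    // random_bytes() reads the OS CSPRNG; unlike mt_rand()/rand()/uniqid() it is
    // not seeded from time or PID and cannot be reproduced by an observer.
    $secret = bin2hex(random_bytes(TOKEN_BYTES));
    $store[$userId] = [
        'hash'    => hash('sha256', $secret),  // a DB read does not yield a usable token
        'expires' => $now + TOKEN_TTL_SEC,
    ];
    return $secret;
}

/** Validate a submitted token for $userId; each issued token allows exactly one attempt. */
function redeem_reset_token(array &$store, int $userId, string $submitted, int $now): bool
{
    if (!isset($store[$userId])) {
        return false;
    }
    $record = $store[$userId];
    // hash_equals() compares in constant time, so response timing leaks nothing
    // about how many leading characters of a guess were correct.
    $ok = $now <= $record['expires']
        && hash_equals($record['hash'], hash('sha256', $submitted));
    // Consume the record on any attempt: a guessed or expired token cannot be retried,
    // and a legitimately used one cannot be replayed.
    unset($store[$userId]);
    return $ok;
}

// Constructed demo: issue, redeem once (true), replay (false).
$store  = [];
$secret = issue_reset_token($store, 42, time());
var_dump(redeem_reset_token($store, 42, $secret, time()));
var_dump(redeem_reset_token($store, 42, $secret, time()));
```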