Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <53CC779A.8090404@moodle.com>
Date: Mon, 21 Jul 2014 10:14:50 +0800
From: Michael de Raadt <michaeld@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security notifications public

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The following security notifications are now public after release.

Thanks to OSS members for their continued cooperation.

=======================================================================
MSA-14-0020: Identity confusion in Shibboleth authentication

Description:       Shibboleth was allowing empty session IDs and
                   confusing sessions when more than one instance was
                   associated with an empty ID.
Issue summary:     User taking over other user's session using
                   Shibboleth authentication plugin
Severity/Risk:     Serious
Versions affected: 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported
                   versions
Versions fixed:    2.5.7 and 2.4.11
Reported by:       Colin Campbell
Issue no.:         MDL-45485
CVE identifier:    CVE-2014-3552
Changes (2.5):
http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_25_STABLE&st=commit&s=MDL-45485

=======================================================================
MSA-14-0021: Code injection in Repositories

Description:       Serialised data passed by repositories could
                   potentially contain objects defined by add-ons that
                   could include executable code.
Issue summary:     Potential PHP Object Injection in Repositories
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       Robin Bailey
Issue no.:         MDL-45616
CVE identifier:    CVE-2014-3541
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45616

=======================================================================
MSA-14-0022: XML External Entity vulnerability in LTI module

Description:       It was possible for manipulated XML files passed
                   from LTI servers to be interpreted by Moodle to
                   allow access to server-side files.
Issue summary:     XXE attack through LTI
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       pnig0s@...ebuf
Issue no.:         MDL-45463
CVE identifier:    CVE-2014-3542
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45463

=======================================================================
MSA-14-0023: XML External Entity vulnerability in IMSCC and IMSCP

Description:       It was possible for manipulated XML files to be
                   uploaded to the IMSCC course format or the IMSCP
                   resource to allow access to server-side files.
Issue summary:     XXE Vulnerabilities in IMS CC and resource
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       pnig0s@...ebuf
Issue no.:         MDL-45417
CVE identifier:    CVE-2014-3543
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45417

=======================================================================
MSA-14-0024: Cross-site scripting vulnerability in profile field

Description:       Filtering of the Skype profile field was not
                   removing potentially harmful code.
Issue summary:     Persistent XSS Found
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       Osanda Malith Jayathissa
Issue no.:         MDL-45683
CVE identifier:    CVE-2014-3544
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45683

=======================================================================
MSA-14-0025: Remote code execution in Quiz

Description:       It was possible to inject code into Calculated
                   questions that would be executed on the server.
Issue summary:     Remote code execution in quiz calculated question
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       Frédéric Massart
Issue no.:         MDL-46148
Workaround:        Disable calculated question types.
CVE identifier:    CVE-2014-3545
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46148

=======================================================================
MSA-14-0026: Information leak in profile and notes pages

Description:       It was possible to get limited user information,
                   such as user name and courses, by manipulating the
                   URL of profile and notes pages.
Issue summary:     /user/edit.php reveals account name
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       Patrick Webster
Issue no.:         MDL-45760
CVE identifier:    CVE-2014-3546
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45760

=======================================================================
MSA-14-0027: Forum group posting issue

Description:       Forum was allowing users who were members of more
                   than one group to post to all groups without
                   the capability to access all groups.
Issue summary:     Forum post to all participants in separate group
Severity/Risk:     Minor
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       Jakob Ackermann
Issue no.:         MDL-38990
CVE identifier:    CVE-2014-3553
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38990

=======================================================================
MSA-14-0028: Cross-site scripting possible in external badges

Description:       The details of badges from external sources were not
                   being filtered.
Issue summary:     XSS vulnerabilities with external badges
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6
Versions fixed:    2.7.1, 2.6.4 and 2.5.7
Reported by:       Frédéric Massart
Issue no.:         MDL-46042
CVE identifier:    CVE-2014-3547
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46042

=======================================================================
MSA-14-0029: Cross-site scripting vulnerability in exception dialogues

Description:       Content of exception dialogues presented from AJAX
                   calls was not being escaped before being presented
                   to users.
Issue summary:     Exception dialogs do not escape the content
Severity/Risk:     Minor
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       Frédéric Massart
Issue no.:         MDL-45471
CVE identifier:    CVE-2014-354
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45471

=======================================================================
MSA-14-0030: Cross-site scripting through logs of failed logins

Description:       Log entries of failed login attempts were not
                   filtered correctly.
Issue summary:     XSS in 'failed login' logs
Severity/Risk:     Serious
Versions affected: 2.7
Versions fixed:    2.7.1
Reported by:       Skylar Kelty
Issue no.:         MDL-46201
CVE identifier:    CVE-2014-3549
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46201

=======================================================================
MSA-14-0031: Cross-site scripting though scheduled task error messages

Description:       Error messages generated by scheduled tasks were
                   being presented to admins without correct filtering.
Issue summary:     XSS in scheduled tasks success/error message
Severity/Risk:     Serious
Versions affected: 2.7
Versions fixed:    2.7.1
Reported by:       Skylar Kelty
Issue no.:         MDL-46227
CVE identifier:    CVE-2014-3550
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46227

=======================================================================
MSA-14-0032: Cross-site scripting in advanced grading methods

Description:       Fields in rubrics were not being correctly filtered.
Issue summary:     XSS on the (qualification, rating) field by rubric/
                   advanced grading
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       Javier E. García Prada
Issue no.:         MDL-46223
CVE identifier:    CVE-2014-3551
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46223

=======================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTzHeQAAoJECGmGwK/mszP0jQIANMQ1Z/RbsA/Z9emfLkWge8D
N82mjWT1ct99Glbv4VM8VMdqL0fviBCLom7UaQze2m7q5smM7gQ6mYsJ0yy2EZJ1
yl5ng6hnfQBnbT0/OpOlCrLX1NHjEeQGf9wHWPSEv72Y8PojwBYKL1P6A9y8nC8F
YMA2o+SQiRCHOEXZ9bfhz0iP437vzj+vETaFPzav5+Ge49hbY/i71b2IJES8XpLz
A2MZAdj4eQv+FhQ1Q7cuLWD/za4WyUGRUvxQI6quxxgfFipYB6kJQjSiulXkWvZB
7Q2KrFkM5dBNWeQQen/USzeUAFLvjpab0zZ0Q01QsEeR7Y6nTPaAlL2ganp/8l8=
=f34o
-----END PGP SIGNATURE-----


Download attachment "smime.p7s" of type "application/pkcs7-signature" (3748 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.