|
Message-ID: <53CC779A.8090404@moodle.com>
Date: Mon, 21 Jul 2014 10:14:50 +0800
From: Michael de Raadt <michaeld@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security notifications public
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The following security notifications are now public after release.
Thanks to OSS members for their continued cooperation.
=======================================================================
MSA-14-0020: Identity confusion in Shibboleth authentication
Description: Shibboleth was allowing empty session IDs and
confusing sessions when more than one instance was
associated with an empty ID.
Issue summary: User taking over other user's session using
Shibboleth authentication plugin
Severity/Risk: Serious
Versions affected: 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported
versions
Versions fixed: 2.5.7 and 2.4.11
Reported by: Colin Campbell
Issue no.: MDL-45485
CVE identifier: CVE-2014-3552
Changes (2.5):
http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_25_STABLE&st=commit&s=MDL-45485
=======================================================================
MSA-14-0021: Code injection in Repositories
Description: Serialised data passed by repositories could
potentially contain objects defined by add-ons that
could include executable code.
Issue summary: Potential PHP Object Injection in Repositories
Severity/Risk: Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: Robin Bailey
Issue no.: MDL-45616
CVE identifier: CVE-2014-3541
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45616
=======================================================================
MSA-14-0022: XML External Entity vulnerability in LTI module
Description: It was possible for manipulated XML files passed
from LTI servers to be interpreted by Moodle to
allow access to server-side files.
Issue summary: XXE attack through LTI
Severity/Risk: Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: pnig0s@...ebuf
Issue no.: MDL-45463
CVE identifier: CVE-2014-3542
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45463
=======================================================================
MSA-14-0023: XML External Entity vulnerability in IMSCC and IMSCP
Description: It was possible for manipulated XML files to be
uploaded to the IMSCC course format or the IMSCP
resource to allow access to server-side files.
Issue summary: XXE Vulnerabilities in IMS CC and resource
Severity/Risk: Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: pnig0s@...ebuf
Issue no.: MDL-45417
CVE identifier: CVE-2014-3543
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45417
=======================================================================
MSA-14-0024: Cross-site scripting vulnerability in profile field
Description: Filtering of the Skype profile field was not
removing potentially harmful code.
Issue summary: Persistent XSS Found
Severity/Risk: Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: Osanda Malith Jayathissa
Issue no.: MDL-45683
CVE identifier: CVE-2014-3544
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45683
=======================================================================
MSA-14-0025: Remote code execution in Quiz
Description: It was possible to inject code into Calculated
questions that would be executed on the server.
Issue summary: Remote code execution in quiz calculated question
Severity/Risk: Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: Frédéric Massart
Issue no.: MDL-46148
Workaround: Disable calculated question types.
CVE identifier: CVE-2014-3545
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46148
=======================================================================
MSA-14-0026: Information leak in profile and notes pages
Description: It was possible to get limited user information,
such as user name and courses, by manipulating the
URL of profile and notes pages.
Issue summary: /user/edit.php reveals account name
Severity/Risk: Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: Patrick Webster
Issue no.: MDL-45760
CVE identifier: CVE-2014-3546
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45760
=======================================================================
MSA-14-0027: Forum group posting issue
Description: Forum was allowing users who were members of more
than one group to post to all groups without
the capability to access all groups.
Issue summary: Forum post to all participants in separate group
Severity/Risk: Minor
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: Jakob Ackermann
Issue no.: MDL-38990
CVE identifier: CVE-2014-3553
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38990
=======================================================================
MSA-14-0028: Cross-site scripting possible in external badges
Description: The details of badges from external sources were not
being filtered.
Issue summary: XSS vulnerabilities with external badges
Severity/Risk: Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6
Versions fixed: 2.7.1, 2.6.4 and 2.5.7
Reported by: Frédéric Massart
Issue no.: MDL-46042
CVE identifier: CVE-2014-3547
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46042
=======================================================================
MSA-14-0029: Cross-site scripting vulnerability in exception dialogues
Description: Content of exception dialogues presented from AJAX
calls was not being escaped before being presented
to users.
Issue summary: Exception dialogs do not escape the content
Severity/Risk: Minor
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: Frédéric Massart
Issue no.: MDL-45471
CVE identifier: CVE-2014-354
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45471
=======================================================================
MSA-14-0030: Cross-site scripting through logs of failed logins
Description: Log entries of failed login attempts were not
filtered correctly.
Issue summary: XSS in 'failed login' logs
Severity/Risk: Serious
Versions affected: 2.7
Versions fixed: 2.7.1
Reported by: Skylar Kelty
Issue no.: MDL-46201
CVE identifier: CVE-2014-3549
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46201
=======================================================================
MSA-14-0031: Cross-site scripting though scheduled task error messages
Description: Error messages generated by scheduled tasks were
being presented to admins without correct filtering.
Issue summary: XSS in scheduled tasks success/error message
Severity/Risk: Serious
Versions affected: 2.7
Versions fixed: 2.7.1
Reported by: Skylar Kelty
Issue no.: MDL-46227
CVE identifier: CVE-2014-3550
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46227
=======================================================================
MSA-14-0032: Cross-site scripting in advanced grading methods
Description: Fields in rubrics were not being correctly filtered.
Issue summary: XSS on the (qualification, rating) field by rubric/
advanced grading
Severity/Risk: Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: Javier E. García Prada
Issue no.: MDL-46223
CVE identifier: CVE-2014-3551
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46223
=======================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJTzHeQAAoJECGmGwK/mszP0jQIANMQ1Z/RbsA/Z9emfLkWge8D
N82mjWT1ct99Glbv4VM8VMdqL0fviBCLom7UaQze2m7q5smM7gQ6mYsJ0yy2EZJ1
yl5ng6hnfQBnbT0/OpOlCrLX1NHjEeQGf9wHWPSEv72Y8PojwBYKL1P6A9y8nC8F
YMA2o+SQiRCHOEXZ9bfhz0iP437vzj+vETaFPzav5+Ge49hbY/i71b2IJES8XpLz
A2MZAdj4eQv+FhQ1Q7cuLWD/za4WyUGRUvxQI6quxxgfFipYB6kJQjSiulXkWvZB
7Q2KrFkM5dBNWeQQen/USzeUAFLvjpab0zZ0Q01QsEeR7Y6nTPaAlL2ganp/8l8=
=f34o
-----END PGP SIGNATURE-----
Download attachment "smime.p7s" of type "application/pkcs7-signature" (3748 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.