[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAB_jSYxpK+=zmo2ZdLN0J6aHiy43bjX_8fvPFE3ViGYmB4TG0g@mail.gmail.com>
Date: Mon, 18 May 2015 09:11:24 +0800
From: Marina Glancy <marina@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security advisories [vs]
Hello,
The following security notifications have now been made public. Thanks
to OSS members for their cooperation.
Marina Glancy
Development Process Manager
marina@...dle.com
+61894674167 | moodle.com
The world's open source learning platform
==============================================================================
MSA-15-0018: Quiz manual-grading is an XSS risk, but does not declare that
Description: Leaving gradebook feedback is a trusted action and such
capabilities in other modules already have XSS mask,
'mod/quiz:grade' was missing this flag.
Issue summary: Quiz manual-grading is an XSS risk, but does not declare
that
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier
unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Hugh Davenport
Issue no.: MDL-49941
CVE identifier: CVE-2015-3174
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49941
==============================================================================
MSA-15-0019: Possible phishing when redirecting to external site using referer
header
Description: Some error messages in Moodle display button to return to
previous page. Redirecting to non-local referer should not
be allowed as it can potentially be used for phising.
Issue summary: get_referer() used with redirect() can be insecure
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier
unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Dingjie Yang
Issue no.: MDL-49179
CVE identifier: CVE-2015-3175
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49179
==============================================================================
MSA-15-0020: User fullname disclosure through account confirmation link
Description: On the sites with enabled self-registration not registered
users can retrieve fullname of registered users knowing
their usernames
Issue summary: User fullname disclosure through account confirmation link
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier
unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Federico Kirschbaum
Issue no.: MDL-50099
Workaround: Even partial patch (removing one line in
/login/confirm.php) will also resolve security issue
CVE identifier: CVE-2015-3176
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50099
==============================================================================
MSA-15-0021: Any authenticated user can subscribe to site-wide event monitor
rules
Description: If the site-wide rules exist in the event monitor tool, any
user can subscribe themselves to them and potentially
access information they are not supposed to see.
Issue summary: Any authenticated user can subscribe to site wide event
monitor rules
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.5
Versions fixed: 2.9 and 2.8.6
Reported by: Adrian Greeve
Issue no.: MDL-50039
Workaround: Do not use site-wide rules until your site is upgraded
CVE identifier: CVE-2015-3177
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50039
==============================================================================
MSA-15-0022: Potential XSS risk when returning text entered by student from
Web Services
Description: If user who is not XSS-trusted attempts to insert the XSS
as part of the input text, it will be cleaned when
displayed on Moodle website but may be displayed uncleaned
in the external application
Issue summary: external_format_text() cleans and formats text incorrectly
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier
unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Eloy Lafuente
Issue no.: MDL-49718
CVE identifier: CVE-2015-3178
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49718
==============================================================================
MSA-15-0023: Suspended user is able to login when confirming email
Description: When self-registration is enabled and user's account was
suspended after creating account but before actually
confirming it, user is still able to login when confirming
email but only once.
Issue summary: Suspended user is able to login when confirming email
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier
unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Marina Glancy
Issue no.: MDL-50090
CVE identifier: CVE-2015-3179
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50090
==============================================================================
MSA-15-0024: User with suspended enrolment can see sections in the navigation
tree
Description: If a user is enrolled in the course but his enrollment is
suspended, they can not access the course but still were
able to see course structure in the navigation block
Issue summary: User with suspended enrolment can see sections in the
navigation tree
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier
unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Alex Mitin
Issue no.: MDL-49788
CVE identifier: CVE-2015-3180
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49788
==============================================================================
MSA-15-0025: Capability to manage own files is not respected in Web
Services
Description: Users with the revoked capability
'moodle/user:manageownfiles' are still able to upload
private files using deprecated function in Web Services
Issue summary: Users with the manageownfiles disabled are able to upload
private files via Web Services
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier
unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Juan Leyva
Issue no.: MDL-49994
CVE identifier: CVE-2015-3181
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49994
==============================================================================
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
