Message-ID: <20090204130520.GA29045@cream.lancs.ac.uk>
Date: Wed, 4 Feb 2009 13:05:20 +0000
From: Dan Poltawski <talktodan@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVS request - Moodle

Hi,

We have released new versions of Moodle which fix multiple vulnerabilities
without CVE numbers.

These are detailed on: http://moodle.org/security/

MSA-09-0004 - XSS vulnerabilities in HTML blocks if "Login as" used
Versions affected: < 1.9.4, < 1.8.8, < 1.7.7, < 1.6.9
http://cvs.moodle.org/moodle/blocks/html/config_instance.html?r1=1.6&r2=1.6.10.1
http://cvs.moodle.org/moodle/blocks/html/block_html.php?r1=1.8.22.6&r2=1.8.22.7

MSA-09-0006: Calendar export may allow brute force attacks
Versions affected: < 1.9.4, < 1.8.8, < 1.7.7
http://cvs.moodle.org/moodle/calendar/export_execute.php?r1=1.2.4.5&r2=1.2.4.6

MSA-09-0007: Missing input validation in logs allows potential XSS attacks
Versions affected: < 1.9.4, < 1.8.8, < 1.7.7, < 1.6.9
http://cvs.moodle.org/moodle/course/lib.php?r1=1.538.2.66&r2=1.538.2.67

MSA-09-0008: CSRF vulnerability in forum code
Versions affected: < 1.9.4, < 1.8.8, < 1.7.7
http://cvs.moodle.org/moodle/mod/forum/post.php?r1=1.154.2.14&r2=1.154.2.15
http://cvs.moodle.org/moodle/mod/forum/prune.html?r1=1.8&r2=1.8.4.1
http://cvs.moodle.org/moodle/mod/forum/post.php?r1=1.154.2.15&r2=1.154.2.16

thanks,

Dan Poltawski