Date: Mon, 21 Jul 2014 10:14:50 +0800
From: Michael de Raadt <michaeld@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security notifications public

The following security notifications are now public after release.

Thanks to OSS members for their continued cooperation.

=======================================================================
MSA-14-0020: Identity confusion in Shibboleth authentication

Description:       Shibboleth was allowing empty session IDs and
                   confusing sessions when more than one instance was
                   associated with an empty ID.
Issue summary:     User taking over other user's session using
                   Shibboleth authentication plugin
Severity/Risk:     Serious
Versions affected: 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported
                   versions
Versions fixed:    2.5.7 and 2.4.11
Reported by:       Colin Campbell
Issue no.:         MDL-45485
CVE identifier:    CVE-2014-3552
Changes (2.5):
http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_25_STABLE&st=commit&s=MDL-45485

=======================================================================
MSA-14-0021: Code injection in Repositories

Description:       Serialised data passed by repositories could
                   potentially contain objects defined by add-ons that
                   could include executable code.
Issue summary:     Potential PHP Object Injection in Repositories
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       Robin Bailey
Issue no.:         MDL-45616
CVE identifier:    CVE-2014-3541
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45616

=======================================================================
MSA-14-0022: XML External Entity vulnerability in LTI module

Description:       It was possible for manipulated XML files passed
                   from LTI servers to be interpreted by Moodle to
                   allow access to server-side files.
Issue summary:     XXE attack through LTI
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       pnig0s@...ebuf
Issue no.:         MDL-45463
CVE identifier:    CVE-2014-3542
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45463

=======================================================================
MSA-14-0023: XML External Entity vulnerability in IMSCC and IMSCP

Description:       It was possible for manipulated XML files to be
                   uploaded to the IMSCC course format or the IMSCP
                   resource to allow access to server-side files.
Issue summary:     XXE Vulnerabilities in IMS CC and resource
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       pnig0s@...ebuf
Issue no.:         MDL-45417
CVE identifier:    CVE-2014-3543
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45417

=======================================================================
MSA-14-0024: Cross-site scripting vulnerability in profile field

Description:       Filtering of the Skype profile field was not
                   removing potentially harmful code.
Issue summary:     Persistent XSS Found
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       Osanda Malith Jayathissa
Issue no.:         MDL-45683
CVE identifier:    CVE-2014-3544
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45683

=======================================================================
MSA-14-0025: Remote code execution in Quiz

Description:       It was possible to inject code into Calculated
                   questions that would be executed on the server.
Issue summary:     Remote code execution in quiz calculated question
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       Frédéric Massart
Issue no.:         MDL-46148
Workaround:        Disable calculated question types.
CVE identifier:    CVE-2014-3545
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46148

=======================================================================
MSA-14-0026: Information leak in profile and notes pages

Description:       It was possible to get limited user information,
                   such as user name and courses, by manipulating the
                   URL of profile and notes pages.
Issue summary:     /user/edit.php reveals account name
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       Patrick Webster
Issue no.:         MDL-45760
CVE identifier:    CVE-2014-3546
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45760

=======================================================================
MSA-14-0027: Forum group posting issue

Description:       Forum was allowing users who were members of more
                   than one group to post to all groups without
                   the capability to access all groups.
Issue summary:     Forum post to all participants in separate group
Severity/Risk:     Minor
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       Jakob Ackermann
Issue no.:         MDL-38990
CVE identifier:    CVE-2014-3553
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38990

=======================================================================
MSA-14-0028: Cross-site scripting possible in external badges

Description:       The details of badges from external sources were not
                   being filtered.
Issue summary:     XSS vulnerabilities with external badges
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6
Versions fixed:    2.7.1, 2.6.4 and 2.5.7
Reported by:       Frédéric Massart
Issue no.:         MDL-46042
CVE identifier:    CVE-2014-3547
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46042

=======================================================================
MSA-14-0029: Cross-site scripting vulnerability in exception dialogues

Description:       Content of exception dialogues presented from AJAX
                   calls was not being escaped before being presented
                   to users.
Issue summary:     Exception dialogs do not escape the content
Severity/Risk:     Minor
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       Frédéric Massart
Issue no.:         MDL-45471
CVE identifier:    CVE-2014-354
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45471

=======================================================================
MSA-14-0030: Cross-site scripting through logs of failed logins

Description:       Log entries of failed login attempts were not
                   filtered correctly.
Issue summary:     XSS in 'failed login' logs
Severity/Risk:     Serious
Versions affected: 2.7
Versions fixed:    2.7.1
Reported by:       Skylar Kelty
Issue no.:         MDL-46201
CVE identifier:    CVE-2014-3549
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46201

=======================================================================
MSA-14-0031: Cross-site scripting through scheduled task error messages

Description:       Error messages generated by scheduled tasks were
                   being presented to admins without correct filtering.
Issue summary:     XSS in scheduled tasks success/error message
Severity/Risk:     Serious
Versions affected: 2.7
Versions fixed:    2.7.1
Reported by:       Skylar Kelty
Issue no.:         MDL-46227
CVE identifier:    CVE-2014-3550
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46227

=======================================================================
MSA-14-0032: Cross-site scripting in advanced grading methods

Description:       Fields in rubrics were not being correctly filtered.
Issue summary:     XSS on the (qualification, rating) field by rubric/
                   advanced grading
Severity/Risk:     Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and
                   earlier unsupported versions
Versions fixed:    2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by:       Javier E. García Prada
Issue no.:         MDL-46223
CVE identifier:    CVE-2014-3551
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46223

=======================================================================
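MSA-14-0022 and MSA-14-0023 above are both XXE issues in XML that Moodle receives from outside (LTI responses, uploaded IMSCC/IMSCP packages). The following is an added example, not Moodle's own code or its fix, showing how a PHP application can load such XML without resolving entities: it refuses any document that carries a DTD, disables the external entity loader on PHP versions where it is on by default, and never passes the LIBXML_NOENT or LIBXML_DTDLOAD flags that would substitute entities. The function name and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not Moodle code): parse XML from an untrusted source
// without letting the parser resolve external entities.

function load_untrusted_xml(string $xml): ?DOMDocument {
    // Refuse any document that declares a DTD: external entities,
    // parameter entities and entity-expansion bombs all require one,
    // and LTI/IMS payloads have no legitimate need for a DTD.
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        return null;
    }

    // Belt and braces: on PHP < 8.0 libxml will fetch external entities
    // unless the loader is disabled; on PHP >= 8.0 it is off by default
    // and the call is deprecated, so only make it on older versions.
    $previous = null;
    if (PHP_VERSION_ID < 80000) {
        $previous = libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);   // collect parse errors instead of emitting warnings

    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access during parsing.
    // Do NOT add LIBXML_NOENT or LIBXML_DTDLOAD: those substitute/load entities.
    $ok = $dom->loadXML($xml, LIBXML_NONET);

    if ($previous !== null) {
        libxml_disable_entity_loader($previous);   // restore the caller's setting
    }
    libxml_clear_errors();

    return $ok ? $dom : null;
}

// Constructed inputs: a benign IMS-style fragment and one carrying a DTD.
$benign  = '<?xml version="1.0"?><cartridge><title>Intro course</title></cartridge>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e "expanded">]><x>&e;</x>';

$doc = load_untrusted_xml($benign);
echo ($doc !== null) ? "benign: parsed, title=" . $doc->getElementsByTagName('title')->item(0)->textContent . "\n"
                     : "benign: rejected\n";
echo (load_untrusted_xml($withDtd) === null) ? "dtd: rejected\n" : "dtd: parsed\n";
```

The DTD check runs on the raw text before the parser sees it, so it also blocks internal-entity expansion attacks that the entity-loader setting alone does not cover.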