Message-ID: <CAB_jSYzUXixCi2=9Eoh0iWn+fGPmQMGJ7_eRYvde-g3cNAHMOw@mail.gmail.com>
Date: Mon, 21 Sep 2015 09:51:24 +0800
From: Marina Glancy <marina@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security release

The following security notifications have now been made public.
Thanks to OSS members for their cooperation.

Marina Glancy
Development Process Manager
marina@...dle.com
+61894674167 | moodle.com
The world's open source learning platform

==============================================================================
MSA-15-0030: Students can re-attempt answering questions in the lesson

Description:        Completed and graded lesson activity was not protected
                    against making a new attempt to answer some questions
Issue summary:      Students can re-attempt answering questions in the lesson
Severity/Risk:      Minor
Versions affected:  2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier
                    unsupported versions
Versions fixed:     2.9.2, 2.8.8 and 2.7.10
Reported by:        Eric Eakin
Issue no.:          MDL-50516
CVE identifier:     CVE-2015-5264
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50516

==============================================================================
MSA-15-0031: Teacher in forum can still post to "all participants" and
             groups they are not members of

Description:        Group access is not properly checked when posting to
                    "all participants" in forum
Issue summary:      Teacher without accessallgroups can still post to
                    "all participants" and groups they're not members of
Severity/Risk:      Minor
Versions affected:  2.7 to 2.7.9 and earlier unsupported versions
Versions fixed:     2.7.10
Reported by:        David Scotson
Issue no.:          MDL-50576
CVE identifier:     CVE-2015-5272
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50576

==============================================================================
MSA-15-0032: Users can delete files uploaded by other users in wiki

Description:        Users can delete files uploaded by other users in wiki
                    without capability to manage files
Issue summary:      Disable free access to the file manager in the wiki via
                    the text editor.
Severity/Risk:      Minor
Versions affected:  2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier
                    unsupported versions
Versions fixed:     2.9.2, 2.8.8 and 2.7.10
Reported by:        John Provasnik
Issue no.:          MDL-48371
CVE identifier:     CVE-2015-5265
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48371

==============================================================================
MSA-15-0033: Meta course synchronisation enrols suspended students as
             managers for a short period of time

Description:        On large installations, when sync script takes a long
                    time, suspended students may get assigned a manager role
                    in meta course for several minutes
Issue summary:      Meta course sync enrolling suspended students as managers
                    and causing large database growth
Severity/Risk:      Minor
Versions affected:  2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier
                    unsupported versions
Versions fixed:     2.9.2, 2.8.8 and 2.7.10
Reported by:        Brian Winstead
Issue no.:          MDL-50744
CVE identifier:     CVE-2015-5266
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50744

==============================================================================
MSA-15-0034: Vulnerability in password recovery mechanism

Description:        Password recovery token can be guessed because of php
                    randomisation limitations
Issue summary:      Vulnerability in password recovery mechanism
Severity/Risk:      Serious
Versions affected:  2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier
                    unsupported versions
Versions fixed:     2.9.2, 2.8.8 and 2.7.10
Reported by:        Vincent Herbulot (@us3r777)
Issue no.:          MDL-50860
CVE identifier:     CVE-2015-5267
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50860

==============================================================================
MSA-15-0035: Rating component does not check separate groups

Description:        When viewing ratings the group access was not properly
                    checked allowing users from other groups to view ratings
Issue summary:      Rating component does not check separate groups
Severity/Risk:      Minor
Versions affected:  2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier
                    unsupported versions
Versions fixed:     2.9.2, 2.8.8 and 2.7.10
Reported by:        Juan Leyva
Issue no.:          MDL-50173
CVE identifier:     CVE-2015-5268
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50173

==============================================================================
MSA-15-0036: XSS in grouping description

Description:        Capability to manage groups does not have XSS risk,
                    however it was possible to add XSS to the grouping
                    description
Issue summary:      XSS in grouping description
Severity/Risk:      Minor
Versions affected:  2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier
                    unsupported versions
Versions fixed:     2.9.2, 2.8.8 and 2.7.10
Reported by:        Marina Glancy
Issue no.:          MDL-50709
CVE identifier:     CVE-2015-5269
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50709
==============================================================================
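MSA-15-0034 above attributes the guessable recovery token to PHP randomisation limitations, which is the classic failure mode of building security tokens from rand()/mt_rand(): their internal state is small and can be recovered from a few observed outputs. The block below is an added example, not Moodle's code and not the fix applied for MDL-50860; it shows the defensive pattern a reset flow should follow: draw the token from the operating-system CSPRNG, store only a digest of it, bound its lifetime, and compare in constant time. The 32-byte token length, the 30-minute lifetime, the SHA-256 storage scheme and the record field names are assumptions for illustration, and it assumes PHP 7.0 or later for random_bytes() and hash_equals().

```php
<?php
// Added example (not Moodle's code): CSPRNG-backed password-reset tokens.
// Assumes PHP >= 7.0 (random_bytes, hash_equals, scalar type declarations).

const TOKEN_BYTES = 32;       // 256 bits of entropy, hex-encoded to 64 chars (assumption)
const TOKEN_TTL   = 30 * 60;  // token lifetime in seconds (assumption)

/**
 * Create a reset token for $userid.
 * Returns list($plaintextToken, $recordToStore).
 * Only the SHA-256 digest is stored, so a read-only leak of the
 * database does not hand out usable tokens.
 */
function create_reset_token(int $userid): array {
    // random_bytes() reads from the OS CSPRNG (getrandom()/urandom, or
    // CryptGenRandom on Windows) and throws if no secure source exists.
    // rand()/mt_rand()/uniqid() must not be used here: their output is
    // predictable once an attacker has seen a few values.
    $token = bin2hex(random_bytes(TOKEN_BYTES));

    $record = [
        'userid'    => $userid,
        'tokenhash' => hash('sha256', $token),
        'expires'   => time() + TOKEN_TTL,
    ];
    return [$token, $record];
}

/**
 * Verify a token presented by the user against the stored record.
 * hash_equals() runs in constant time, so the comparison does not leak
 * how many leading bytes of the digest matched.
 */
function verify_reset_token(string $presented, array $record, int $now): bool {
    if ($now > $record['expires']) {
        return false;            // expired tokens are never accepted
    }
    return hash_equals($record['tokenhash'], hash('sha256', $presented));
}

/**
 * Self-check: a fresh token verifies, a different random token does not,
 * and the original token is rejected once its TTL has passed.
 */
function self_check(): bool {
    list($token, $record) = create_reset_token(42);   // 42 is a constructed user id
    $now   = time();
    $wrong = bin2hex(random_bytes(TOKEN_BYTES));
    return verify_reset_token($token, $record, $now)
        && !verify_reset_token($wrong, $record, $now)
        && !verify_reset_token($token, $record, $now + TOKEN_TTL + 1);
}

echo self_check() ? "ok\n" : "FAILED\n";
```

Run it from the command line with `php reset_token.php`; it prints `ok` when all three checks pass. On PHP 5.x deployments, the paragonie/random_compat polyfill provides random_bytes() with the same contract; the important property is that the token source is the CSPRNG and that the stored value is a digest, not the token itself, so the check above does not depend on the token table being secret.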