Message-ID: <519ABFAE.9030400@moodle.com>
Date: Tue, 21 May 2013 08:28:30 +0800
From: Michael de Raadt <michaeld@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security notifications public

The following security notifications are now public. Thanks to OSS members for their cooperation.

=======================================================================
MSA-13-0020: Capability issue in Assignment

Description:     The assignment module was not checking capabilities for users downloading all assignments as a zip.
Issue summary:   Students can download assignments submitted by other students
Severity/Risk:   Serious
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6
Versions fixed:  2.5, 2.4.4 and 2.3.7
Reported by:     Phillip Franks
Issue no.:       MDL-38443
CVE Identifier:  CVE-2013-2079
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38443

=======================================================================
MSA-13-0021: Potential information leak in Gradebook

Description:     The Gradebook's Overview report was showing grade totals that may have incorrectly included hidden grades.
Issue summary:   The method for figuring out showtotalsifcontainhidden on the overview report is flawed
Severity/Risk:   Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, earlier unsupported versions
Versions fixed:  2.5, 2.4.4 and 2.3.7
Reported by:     Andrew Davis
Issue no.:       MDL-37475
CVE Identifier:  CVE-2013-2080
Workaround:      Ensure all courses have the same value for hiding grades in the gradebook. This is set at Administration > Grades > Course grade settings > Hide totals if they contain hidden items
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37475

=======================================================================
MSA-13-0022: Information leak in hub registration

Description:     When registering a site on a hub (not Moodle.net) site information was being sent to the hub regardless of settings chosen.
Issue summary:   Moodle sends site information to a hub even though it's unchecked
Severity/Risk:   Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions
Versions fixed:  2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by:     Jérôme Mouneyrac
Issue no.:       MDL-37822
CVE Identifier:  CVE-2013-2081
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37822

=======================================================================
MSA-13-0023: Permission issue in blog comments

Description:     There was no check of permissions for viewing comments on blog posts.
Issue summary:   Blog comment validation should verify that the user can view a post.
Severity/Risk:   Serious
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions
Versions fixed:  2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by:     Dan Poltawski
Issue no.:       MDL-37245
CVE Identifier:  CVE-2013-2082
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37245

=======================================================================
MSA-13-0024: Form filtering issue

Description:     Form elements named using a specific naming scheme were not being filtered correctly
Issue summary:   Elements named foo[i] are not cleaned properly
Severity/Risk:   Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions
Versions fixed:  2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by:     Dan Poltawski
Issue no.:       MDL-38885
CVE Identifier:  CVE-2013-2083
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38885
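The two "Serious" items above (MSA-13-0020 and MSA-13-0023) share one shape: a page that proves the caller is logged in and enrolled, but never asks whether that caller holds the capability the action requires. The sketch below is an added illustration of that shape and of the fix pattern in Moodle's own idiom; it is not Moodle's code and not the change committed under MDL-38443 or MDL-37245. The capability string `mod/assign:grade` is a real Moodle capability but is assumed here to be the right gate for a bulk download, and `build_submissions_zip()` is a hypothetical helper.

```php
<?php
// Added example, not Moodle's own code and not the MDL-38443 fix. It shows a
// "download all submissions as a zip" page gated only by require_login(), and
// the hardened form that also requires the grading capability in the module
// context. Assumed: 'mod/assign:grade' is the correct capability for this
// action; build_submissions_zip() is hypothetical.

require_once(dirname(__FILE__) . '/../../config.php');  // Moodle bootstrap ($CFG, $DB)
require_once($CFG->libdir . '/filelib.php');              // send_temp_file()

$id = required_param('id', PARAM_INT);                    // course-module id from the URL

$cm      = get_coursemodule_from_id('assign', $id, 0, false, MUST_EXIST);
$course  = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);
$context = context_module::instance($cm->id);

// VULNERABLE SHAPE: require_login() only proves the caller is enrolled in the
// course and can see this module. A student satisfies it and, with nothing
// else in the way, receives every other student's submission.
require_login($course, true, $cm);

// HARDENED: fail closed unless the caller holds the grading capability in this
// module's context. require_capability() throws required_capability_exception,
// so nothing below runs for a student. Checking before any file is touched
// also means an unauthorised caller learns nothing about the archive (size,
// timing, existence).
require_capability('mod/assign:grade', $context);

// A bulk export is worth tying to the session key as well, so it cannot be
// triggered by a crafted link even for a user who does hold the capability.
require_sesskey();

// Hypothetical helper (not Moodle API): builds a temp zip from the submission
// file areas of every participant and returns its path.
$zippath = build_submissions_zip($context);
send_temp_file($zippath, 'assign-' . $cm->id . '-submissions.zip');
```

The same ordering applies to the blog-comment case: resolve the context the comment belongs to, confirm the caller may view the parent post, and only then render or return comment data. Auditing for this class of bug is mostly a matter of listing every page and AJAX endpoint that returns other users' data and confirming each has a `require_capability()` or `has_capability()` check, not just `require_login()`.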