Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 19 Jan 2015 10:09:06 +0800
From: Marina Glancy <marina@...dle.com>
To: oss-security@...ts.openwall.com
Subject: Moodle security issues are now public

The following security notifications have now been made public. Thanks
to OSS members for their cooperation.

Sincerely,
Marina Glancy
Development Process Manager
Moodle HQ



==============================================================================
MSA-15-0001: Insufficient access check in LTI module

Description:       Absence of capability check in AJAX backend script could
                   allow any enrolled user to search the list of registered
                   tools
Issue summary:     mod/lti/ajax.php security problems
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
                   unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Petr Skoda
Issue no.:         MDL-47920
CVE identifier:    CVE-2015-0211
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47920

==============================================================================
MSA-15-0002: XSS vulnerability in course request pending approval page

Description:       Course summary on course request pending approval page was
                   displayed to the manager unescaped and could be used for
                   XSS attack
Issue summary:     XSS in course request pending approval page (Privilege
                   Escalation?)
Severity/Risk:     Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
                   unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Skylar Kelty
Issue no.:         MDL-48368
Workaround:        Grant permission moodle/course:request only to trusted
                   users
CVE identifier:    CVE-2015-0212
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48368

==============================================================================
MSA-15-0003: CSRF possible in Glossary module

Description:       Two files in the Glossary module lacked a session key check
                   potentially allowing cross-site request forgery
Issue summary:     Multiple CSRF in mod glossary
Severity/Risk:     Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
                   unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Ankit Agarwal
Issue no.:         MDL-48106
CVE identifier:    CVE-2015-0213
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48106

==============================================================================
MSA-15-0004: Information leak through messaging functions in web-services

Description:       Through web-services it was possible to access
                   messaging-related functions such as people search even if
                   messaging is disabled on the site
Issue summary:     Messages external functions doesn't check if messaging is
                   enabled
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
                   unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Juan Leyva
Issue no.:         MDL-48329
Workaround:        Disable web services or disable individual message-related
                   functions
CVE identifier:    CVE-2015-0214
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48329

==============================================================================
MSA-15-0005: Insufficient access check in calendar functions in web-services

Description:       Through web-services it was possible to get information
                   about calendar events which user did not have enough
                   permissions to see
Issue summary:     calendar/externallib.php lacks
                   self::validate_context($context);
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
                   unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Petr Skoda
Issue no.:         MDL-48017
CVE identifier:    CVE-2015-0215
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48017

==============================================================================
MSA-15-0006: Capability to grade Lesson module is missing XSS bitmask

Description:       Users with capability to grade in Lesson module were not
                   reported as users with XSS risk but their feedback was
                   displayed without cleaning
Issue summary:     mod/lesson:grade capability missing RISK_XSS but essay
                   feedback is displayed with noclean=true
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.1
Versions fixed:    2.8.2
Reported by:       Damyon Wiese
Issue no.:         MDL-48034
CVE identifier:    CVE-2015-0216
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48034

==============================================================================
MSA-15-0007: ReDoS possible in the multimedia filter

Description:       Not optimal regular expression in the filter could be
                   exploited to create extra server load or make particular
                   page unavailable
Issue summary:     ReDOS in the multimedia filter
Severity/Risk:     Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
                   unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Nicolas Martignoni
Issue no.:         MDL-48546
Workaround:        Disable multimedia filter
CVE identifier:    CVE-2015-0217
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48546

==============================================================================
MSA-15-0008: Forced logout through Shibboleth authentication plugin

Description:       It was possible to forge a request to logout users even
                   when not authenticated through Shibboleth
Issue summary:     Forced logout via auth/shibboleth/logout.php
Severity/Risk:     Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
                   unsupported versions
Versions fixed:    2.8.2, 2.7.4 and 2.6.7
Reported by:       Petr Skoda
Issue no.:         MDL-47964
Workaround:        Deny access to file auth/shibboleth/logout.php in webserver
                   configuration
CVE identifier:    CVE-2015-0218
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47964

==============================================================================

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.