oss-sec mailing list archives
Moodle security notifications public
From: Michael de Raadt <michaeld () moodle com>
Date: Tue, 21 May 2013 08:28:30 +0800
The following security notifications are now public. Thanks to OSS members for their cooperation.
======================================================================= MSA-13-0020: Capability issue in Assignment Description: The assignment module was not checking capabilities for users downloading all assignments as a zip. Issue summary: Students can download assignments submitted by other students Severity/Risk: Serious Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6 Versions fixed: 2.5, 2.4.4 and 2.3.7 Reported by: Phillip Franks Issue no.: MDL-38443 CVE Identifier: CVE-2013-2079Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38443
======================================================================= MSA-13-0021: Potential information leak in Gradebook Description: The Gradebook's Overview report was showing grade totals that may have incorrectly included hidden grades. Issue summary: The method for figuring out showtotalsifcontainhidden on the overview report is flawed Severity/Risk: Minor Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, earlier unsupported versions Versions fixed: 2.5, 2.4.4 and 2.3.7 Reported by: Andrew Davis Issue no.: MDL-37475 CVE Identifier: CVE-2013-2080 Workaround: Ensure all courses have the same value for hiding grades in the gradebook. This is set at Administration > Grades > Course grade settings > Hide totals if they contain hidden itemsChanges (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37475
======================================================================= MSA-13-0022: Information leak in hub registration Description: When registering a site on a hub (not Moodle.net) site information was being sent to the hub regardless of settings chosen. Issue summary: Moodle send site information to a hub even though it's unchecked Severity/Risk: Minor Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions Versions fixed: 2.5, 2.4.4, 2.3.7 and 2.2.10 Reported by: Jérôme Mouneyrac Issue no.: MDL-37822 CVE Identifier: CVE-2013-2081Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37822
======================================================================= MSA-13-0023: Permission issue in blog comments Description: There was no check of permissions for viewing comments on blog posts. Issue summary: Blog comment validation should verify that the user can view a post. Severity/Risk: Serious Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions Versions fixed: 2.5, 2.4.4, 2.3.7 and 2.2.10 Reported by: Dan Poltawski Issue no.: MDL-37245 CVE Identifier: CVE-2013-2082Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37245
======================================================================= MSA-13-0024: Form filtering issue Description: Form elements named using a specific naming scheme were not being filtered correctly Issue summary: Elements named foo[i] are not cleaned properly Severity/Risk: Minor Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions Versions fixed: 2.5, 2.4.4, 2.3.7 and 2.2.10 Reported by: Dan Poltawski Issue no.: MDL-38885 CVE Identifier: CVE-2013-2083Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38885
Current thread:
- Moodle security notifications public Michael de Raadt (May 20)