oss-sec mailing list archives

Moodle security notifications public


From: Michael de Raadt <michaeld () moodle com>
Date: Tue, 21 May 2013 08:28:30 +0800

The following security notifications are now public. Thanks to OSS members for their cooperation.

=======================================================================
MSA-13-0020: Capability issue in Assignment

Description:       The assignment module was not checking capabilities
                   for users downloading all assignments as a zip.
Issue summary:     Students can download assignments submitted by other
                   students
Severity/Risk:     Serious
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6
Versions fixed:    2.5, 2.4.4 and 2.3.7
Reported by:       Phillip Franks
Issue no.:         MDL-38443
CVE Identifier:    CVE-2013-2079
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38443

=======================================================================
MSA-13-0021: Potential information leak in Gradebook

Description:       The Gradebook's Overview report was showing grade
                   totals that may have incorrectly included hidden
                   grades.
Issue summary:     The method for figuring out
                   showtotalsifcontainhidden on the overview report is
                   flawed
Severity/Risk:     Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6,
                   earlier unsupported versions
Versions fixed:    2.5, 2.4.4 and 2.3.7
Reported by:       Andrew Davis
Issue no.:         MDL-37475
CVE Identifier:    CVE-2013-2080
Workaround:        Ensure all courses have the same value for hiding
                   grades in the gradebook. This is set at
                   Administration > Grades > Course grade settings >
                   Hide totals if they contain hidden items
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37475

=======================================================================
MSA-13-0022: Information leak in hub registration

Description:       When registering a site on a hub (not Moodle.net),
                   site information was being sent to the hub
                   regardless of the settings chosen.
Issue summary:     Moodle sends site information to a hub even though
                   it's unchecked
Severity/Risk:     Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9,
                   earlier unsupported versions
Versions fixed:    2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by:       Jérôme Mouneyrac
Issue no.:         MDL-37822
CVE Identifier:    CVE-2013-2081
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37822

=======================================================================
MSA-13-0023: Permission issue in blog comments

Description:       There was no check of permissions for viewing
                   comments on blog posts.
Issue summary:     Blog comment validation should verify that the user
                   can view a post.
Severity/Risk:     Serious
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9,
                   earlier unsupported versions
Versions fixed:    2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by:       Dan Poltawski
Issue no.:         MDL-37245
CVE Identifier:    CVE-2013-2082
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37245

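MSA-13-0020 and MSA-13-0023 are the same class of defect: an endpoint that returns other users' data (a zip of every submission, the comments on a blog post) without first asking whether the caller is allowed to see it. The stand-alone PHP sketch below is an added illustration of that pattern and is not Moodle's code; it does not call Moodle's API, and the capability strings, the role table, the users and the submissions in it are all constructed for the example. user_has_capability() is a stand-in for a real capability lookup, not a copy of Moodle's has_capability().

```php
<?php
// Added example, not Moodle's code: the authorization check that a bulk
// download endpoint needs. Capability names, roles, users and submissions are
// constructed; user_has_capability() stands in for the real capability lookup.
declare(strict_types=1);

// Hypothetical role -> capability table.
const ROLE_CAPABILITIES = [
    'student' => ['assign:view', 'assign:submit'],
    'teacher' => ['assign:view', 'assign:grade'],
];

// Constructed submissions, keyed by the submitting user's id.
const SUBMISSIONS = [
    11 => ['owner' => 11, 'filename' => 'user11_essay.txt', 'content' => 'submission of user 11'],
    12 => ['owner' => 12, 'filename' => 'user12_essay.txt', 'content' => 'submission of user 12'],
];

function user_has_capability(array $user, string $capability): bool
{
    foreach ($user['roles'] as $role) {
        if (in_array($capability, ROLE_CAPABILITIES[$role] ?? [], true)) {
            return true;
        }
    }
    return false;
}

// Vulnerable shape: every submission is selected for any logged-in user,
// because the handler never asks what the caller is allowed to see.
function select_submissions_vulnerable(array $user): array
{
    return SUBMISSIONS;
}

// Hardened shape: the bulk download needs the grading capability; anyone else
// gets only their own submission. The decision is taken on the download
// endpoint itself, not only in the page that links to it.
function select_submissions_hardened(array $user): array
{
    if (user_has_capability($user, 'assign:grade')) {
        return SUBMISSIONS;
    }
    return array_filter(
        SUBMISSIONS,
        fn(array $s): bool => $s['owner'] === $user['id']
    );
}

// Writes the selected submissions into a zip and returns the filenames included.
function write_zip(array $selected, string $zippath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zippath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        throw new RuntimeException("cannot create $zippath");
    }
    $written = [];
    foreach ($selected as $submission) {
        $zip->addFromString($submission['filename'], $submission['content']);
        $written[] = $submission['filename'];
    }
    $zip->close();
    return $written;
}

// Demonstration with constructed users: user 12 is a student, user 1 a teacher.
$student = ['id' => 12, 'roles' => ['student']];
$teacher = ['id' => 1, 'roles' => ['teacher']];
$zippath = tempnam(sys_get_temp_dir(), 'sub');

printf("vulnerable, as student: %s\n", implode(', ', write_zip(select_submissions_vulnerable($student), $zippath)));
printf("hardened,   as student: %s\n", implode(', ', write_zip(select_submissions_hardened($student), $zippath)));
printf("hardened,   as teacher: %s\n", implode(', ', write_zip(select_submissions_hardened($teacher), $zippath)));
unlink($zippath);
```

Run with `php example.php` (the zip extension must be loaded). The point to carry over to the blog-comment case is the same: resolve the caller's permission against the object being served, on the server, before any data is assembled, rather than relying on the UI having hidden the link.
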
=======================================================================
MSA-13-0024: Form filtering issue

Description:       Form elements named using a specific naming
                   scheme were not being filtered correctly.
Issue summary:     Elements named foo[i] are not cleaned properly
Severity/Risk:     Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9,
                   earlier unsupported versions
Versions fixed:    2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by:       Dan Poltawski
Issue no.:         MDL-38885
CVE Identifier:    CVE-2013-2083
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38885

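The "foo[i]" naming in MSA-13-0024 matters because PHP turns fields named that way into a nested array, and a cleaner written for scalar values either skips the array or mangles it, so the nested values reach the application unfiltered. The stand-alone PHP example below is added here to show that failure mode beside a recursive cleaner; it is not Moodle's code, and its TYPE_* names and clean_*() functions are its own, not Moodle's PARAM_* constants or clean_param().

```php
<?php
// Added example, not Moodle's code: why array-named form fields need a cleaner
// that recurses. Type names and clean_*() functions are this example's own.
declare(strict_types=1);

const TYPE_INT      = 'int';
const TYPE_ALPHANUM = 'alphanum';
const TYPE_TEXT     = 'text';

// Cleans a single scalar value according to $type.
function clean_scalar($value, string $type)
{
    $value = (string) $value;
    switch ($type) {
        case TYPE_INT:
            return (int) $value;
        case TYPE_ALPHANUM:
            return preg_replace('/[^A-Za-z0-9]/', '', $value);
        case TYPE_TEXT:
            return strip_tags($value);
        default:
            throw new InvalidArgumentException("unknown type: $type");
    }
}

// Flawed cleaner: it only knows scalars and lets arrays through untouched, so
// every foo[i] value reaches the application unfiltered.
function clean_flat($value, string $type)
{
    return is_array($value) ? $value : clean_scalar($value, $type);
}

// Recursive cleaner: every leaf is cleaned with the same rule, string keys are
// restricted to a safe character set, and nesting depth is bounded so a
// crafted request cannot drive the recursion without limit.
function clean_deep($value, string $type, int $depth = 0)
{
    if ($depth > 8) {
        throw new InvalidArgumentException('form data nested too deeply');
    }
    if (!is_array($value)) {
        return clean_scalar($value, $type);
    }
    $clean = [];
    foreach ($value as $key => $item) {
        $cleankey = is_int($key) ? $key : preg_replace('/[^A-Za-z0-9_]/', '', $key);
        $clean[$cleankey] = clean_deep($item, $type, $depth + 1);
    }
    return $clean;
}

// Constructed request: the query string a form with fields foo[0], foo[1] and
// foo[2][y] would submit. parse_str() builds the same nested array PHP builds
// for $_POST, which is what the cleaner actually receives.
parse_str('foo[0]=7&foo[1]=<b>x</b>&foo[2][y]=<script>z</script>', $request);

echo "flat cleaner (array passed through unchanged):\n";
var_export(clean_flat($request['foo'], TYPE_TEXT));
echo "\n\nrecursive cleaner (every leaf cleaned):\n";
var_export(clean_deep($request['foo'], TYPE_TEXT));
echo "\n";
```

The depth bound and the key filtering are defensive choices of this example rather than part of the advisory: both the nesting and the keys of a form array are attacker-controlled, so a recursive cleaner should treat them as input too.
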