oss-sec mailing list archives
Moodle security notifications public
From: Michael de Raadt <michaeld () moodle com>
Date: Mon, 21 Jul 2014 10:14:50 +0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The following security notifications are now public after release.

Thanks to OSS members for their continued cooperation.

=======================================================================
MSA-14-0020: Identity confusion in Shibboleth authentication

Description: Shibboleth was allowing empty session IDs and confusing sessions when more than one instance was associated with an empty ID.
Issue summary: User taking over other user's session using Shibboleth authentication plugin
Severity/Risk: Serious
Versions affected: 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed: 2.5.7 and 2.4.11
Reported by: Colin Campbell
Issue no.: MDL-45485
CVE identifier: CVE-2014-3552
Changes (2.5): http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_25_STABLE&st=commit&s=MDL-45485

=======================================================================
MSA-14-0021: Code injection in Repositories

Description: Serialised data passed by repositories could potentially contain objects defined by add-ons that could include executable code.
Issue summary: Potential PHP Object Injection in Repositories
Severity/Risk: Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: Robin Bailey
Issue no.: MDL-45616
CVE identifier: CVE-2014-3541
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45616

=======================================================================
MSA-14-0022: XML External Entity vulnerability in LTI module

Description: It was possible for manipulated XML files passed from LTI servers to be interpreted by Moodle to allow access to server-side files.
Issue summary: XXE attack through LTI
Severity/Risk: Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: pnig0s@freebuf
Issue no.: MDL-45463
CVE identifier: CVE-2014-3542
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45463

=======================================================================
MSA-14-0023: XML External Entity vulnerability in IMSCC and IMSCP

Description: It was possible for manipulated XML files to be uploaded to the IMSCC course format or the IMSCP resource to allow access to server-side files.
Issue summary: XXE Vulnerabilities in IMS CC and resource
Severity/Risk: Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: pnig0s@freebuf
Issue no.: MDL-45417
CVE identifier: CVE-2014-3543
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45417

=======================================================================
MSA-14-0024: Cross-site scripting vulnerability in profile field

Description: Filtering of the Skype profile field was not removing potentially harmful code.
Issue summary: Persistent XSS Found
Severity/Risk: Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: Osanda Malith Jayathissa
Issue no.: MDL-45683
CVE identifier: CVE-2014-3544
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45683

=======================================================================
MSA-14-0025: Remote code execution in Quiz

Description: It was possible to inject code into Calculated questions that would be executed on the server.
Issue summary: Remote code execution in quiz calculated question
Severity/Risk: Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: Frédéric Massart
Issue no.: MDL-46148
Workaround: Disable calculated question types.
CVE identifier: CVE-2014-3545
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46148

=======================================================================
MSA-14-0026: Information leak in profile and notes pages

Description: It was possible to get limited user information, such as user name and courses, by manipulating the URL of profile and notes pages.
Issue summary: /user/edit.php reveals account name
Severity/Risk: Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: Patrick Webster
Issue no.: MDL-45760
CVE identifier: CVE-2014-3546
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45760

=======================================================================
MSA-14-0027: Forum group posting issue

Description: Forum was allowing users who were members of more than one group to post to all groups without the capability to access all groups.
Issue summary: Forum post to all participants in separate group
Severity/Risk: Minor
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: Jakob Ackermann
Issue no.: MDL-38990
CVE identifier: CVE-2014-3553
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38990

=======================================================================
MSA-14-0028: Cross-site scripting possible in external badges

Description: The details of badges from external sources were not being filtered.
Issue summary: XSS vulnerabilities with external badges
Severity/Risk: Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6
Versions fixed: 2.7.1, 2.6.4 and 2.5.7
Reported by: Frédéric Massart
Issue no.: MDL-46042
CVE identifier: CVE-2014-3547
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46042

=======================================================================
MSA-14-0029: Cross-site scripting vulnerability in exception dialogues

Description: Content of exception dialogues presented from AJAX calls was not being escaped before being presented to users.
Issue summary: Exception dialogs do not escape the content
Severity/Risk: Minor
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: Frédéric Massart
Issue no.: MDL-45471
CVE identifier: CVE-2014-354
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45471

=======================================================================
MSA-14-0030: Cross-site scripting through logs of failed logins

Description: Log entries of failed login attempts were not filtered correctly.
Issue summary: XSS in 'failed login' logs
Severity/Risk: Serious
Versions affected: 2.7
Versions fixed: 2.7.1
Reported by: Skylar Kelty
Issue no.: MDL-46201
CVE identifier: CVE-2014-3549
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46201

=======================================================================
MSA-14-0031: Cross-site scripting through scheduled task error messages

Description: Error messages generated by scheduled tasks were being presented to admins without correct filtering.
Issue summary: XSS in scheduled tasks success/error message
Severity/Risk: Serious
Versions affected: 2.7
Versions fixed: 2.7.1
Reported by: Skylar Kelty
Issue no.: MDL-46227
CVE identifier: CVE-2014-3550
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46227

=======================================================================
MSA-14-0032: Cross-site scripting in advanced grading methods

Description: Fields in rubrics were not being correctly filtered.
Issue summary: XSS on the (qualification, rating) field by rubric/advanced grading
Severity/Risk: Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: Javier E. García Prada
Issue no.: MDL-46223
CVE identifier: CVE-2014-3551
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46223

=======================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTzHeQAAoJECGmGwK/mszP0jQIANMQ1Z/RbsA/Z9emfLkWge8D
N82mjWT1ct99Glbv4VM8VMdqL0fviBCLom7UaQze2m7q5smM7gQ6mYsJ0yy2EZJ1
yl5ng6hnfQBnbT0/OpOlCrLX1NHjEeQGf9wHWPSEv72Y8PojwBYKL1P6A9y8nC8F
YMA2o+SQiRCHOEXZ9bfhz0iP437vzj+vETaFPzav5+Ge49hbY/i71b2IJES8XpLz
A2MZAdj4eQv+FhQ1Q7cuLWD/za4WyUGRUvxQI6quxxgfFipYB6kJQjSiulXkWvZB
7Q2KrFkM5dBNWeQQen/USzeUAFLvjpab0zZ0Q01QsEeR7Y6nTPaAlL2ganp/8l8=
=f34o
-----END PGP SIGNATURE-----
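The vulnerability class behind MSA-14-0021 (PHP object injection through unserialised repository data), shown as an added example. This is not Moodle's code and not the fix applied under MDL-45616; the gadget class `LogFlusher`, the payload builder and the `/tmp` path are hypothetical, chosen only to show why `unserialize()` on attacker-influenced bytes is dangerous and how the `allowed_classes` option (PHP 7.0+) removes the instantiation step.

```php
<?php
// Added illustration of PHP object injection (cf. MSA-14-0021 / CVE-2014-3541).
// Not Moodle code: the class, payload and file path below are hypothetical.

declare(strict_types=1);

// Hypothetical gadget: any class already loaded by the application (core or
// add-on) whose magic method acts on its properties. __destruct runs when the
// object is freed, including objects that unserialize() itself created.
class LogFlusher
{
    public string $path = '/tmp/app.log';
    public string $buffer = '';

    public function __destruct()
    {
        file_put_contents($this->path, $this->buffer);
    }
}

// Constructed attacker-controlled serialized data: an instance of LogFlusher
// whose properties (and hence the written file and its content) the attacker picks.
function attackerPayload(string $path, string $content): string
{
    return sprintf(
        'O:10:"LogFlusher":2:{s:4:"path";s:%d:"%s";s:6:"buffer";s:%d:"%s";}',
        strlen($path), $path, strlen($content), $content
    );
}

// Vulnerable: unserialize() instantiates whatever class the data names, so the
// attacker gets a LogFlusher whose __destruct fires with their values.
function vulnerableDecode(string $data): mixed
{
    return unserialize($data);
}

// Hardened: refuse to instantiate any class. Scalars and arrays still round-trip;
// every "O:" token becomes a __PHP_Incomplete_Class, which has no magic methods.
// The walk surfaces such placeholders, nested or top-level, as a hard error
// instead of letting them pass silently into application logic.
function hardenedDecode(string $data): mixed
{
    $value = unserialize($data, ['allowed_classes' => false]);
    $rejected = false;
    $check = static function (mixed $leaf) use (&$rejected): void {
        if ($leaf instanceof __PHP_Incomplete_Class) {
            $rejected = true;
        }
    };
    if (is_array($value)) {
        array_walk_recursive($value, $check);
    } else {
        $check($value);
    }
    if ($rejected) {
        throw new UnexpectedValueException('serialized object rejected');
    }
    return $value;
}

// Usage: the same payload is live in one path and inert in the other.
$payload = attackerPayload('/tmp/injected.txt', "owned\n");
try {
    hardenedDecode($payload);               // throws, nothing written
} catch (UnexpectedValueException $e) {
    echo "hardened: ", $e->getMessage(), "\n";
}
// vulnerableDecode($payload);             // would write /tmp/injected.txt on destruct
```

On PHP 5, where `allowed_classes` does not exist, the equivalent defence is to stop using `serialize()` for data that crosses a trust boundary (JSON carries no class names), and to treat any `O:` or `C:` token in such data as an attack rather than trying to filter individual classes.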
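The parsing mistake behind MSA-14-0022 and MSA-14-0023 (XXE in XML received from LTI servers or uploaded as IMS CC/CP packages), shown as an added example that is not Moodle's code and not the fix applied under MDL-45463 or MDL-45417. The manifest-like document, the `file:///etc/hostname` target and the function names are constructed for the illustration.

```php
<?php
// Added illustration of XML External Entity exposure (cf. MSA-14-0022 / 0023).
// Not Moodle code; the document, the target file and the helpers are constructed.

declare(strict_types=1);

// Constructed hostile input: a DOCTYPE that defines an external entity pointing
// at a server-side file, then references it from a normal-looking element.
const MALICIOUS_XML = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE imsmanifest [
  <!ENTITY secret SYSTEM "file:///etc/hostname">
]>
<imsmanifest><title>&secret;</title></imsmanifest>
XML;

// Vulnerable: LIBXML_NOENT asks libxml to substitute entities, and on PHP < 8.0
// the external entity loader is on by default, so <title> ends up holding the
// file's contents and any later display or export leaks it.
function vulnerableTitle(string $xml): string
{
    $doc = new DOMDocument();
    $doc->loadXML($xml, LIBXML_NOENT);
    $title = $doc->getElementsByTagName('title')->item(0);
    return $title ? $title->textContent : '';
}

// Hardened: none of these interchange formats need a DOCTYPE, so reject one
// outright; additionally keep entity substitution off, forbid network fetches,
// and (on PHP < 8, where it is still meaningful) switch the external loader
// off for the duration of the parse, restoring the previous state afterwards.
function hardenedTitle(string $xml): string
{
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new UnexpectedValueException('DOCTYPE not allowed in uploaded XML');
    }
    $previousLoader = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
    $previousErrors = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        if (!$doc->loadXML($xml, LIBXML_NONET)) {   // no LIBXML_NOENT here
            throw new UnexpectedValueException('malformed XML');
        }
        $title = $doc->getElementsByTagName('title')->item(0);
        return $title ? $title->textContent : '';
    } finally {
        libxml_use_internal_errors($previousErrors);
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
}

// Usage: the hostile document is rejected before libxml ever sees the DOCTYPE.
try {
    hardenedTitle(MALICIOUS_XML);
} catch (UnexpectedValueException $e) {
    echo "hardened: ", $e->getMessage(), "\n";
}
// echo vulnerableTitle(MALICIOUS_XML);  // on PHP < 8 prints the server's hostname
```

Two caveats a practitioner should keep in mind: `libxml_disable_entity_loader()` is process-global and deprecated since PHP 8.0, which is why the example scopes it with `try`/`finally` and skips it on newer runtimes; and rejecting the DOCTYPE is what actually closes the class, because an entity cannot be declared without one, whereas relying on flags alone leaves the behaviour dependent on the libxml and PHP versions in play.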
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- Moodle security notifications public Michael de Raadt (Jul 20)
- <Possible follow-ups>
- Moodle security notifications public Michael de Raadt (Jul 20)
- Re: Moodle security notifications public cve-assign (Jul 20)
- Re: Moodle security notifications public cve-assign (Jul 21)
- Re: Moodle security notifications public cve-assign (Jul 20)
- Moodle security notifications public Michael de Raadt (Sep 14)