'[oss-security] Moodle security notifications public'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Moodle security notifications public
From:       Michael de Raadt <michaeld () moodle ! com>
Date:       2012-11-19 1:59:15
Message-ID: 50A99273.8080301 () moodle ! com
[Download RAW message or body]

The following security notifications have now been made public. Thanks 
to OSS members for their cooperation.

=======================================================================
MSA-12-0057: Access issue through repository

Topic:             User B is able to see and use Dropbox of User A
                    within Dropbox Repository File Picker
Severity/Risk:     Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by:       Alexander Bias
Issue no.:         MDL-29872, MDL-36366
CVE Identifier:    CVE-2012-5471
Workaround:        Turn off Dropbox repository
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29872
Description:
Users who logged out of Dropbox through the Moodle repository were
disconnected in Moodle, but the user's access to Dropbox was still
allowed while their browser session continued.

=======================================================================
MSA-12-0058: Possible form data manipulation issue

Topic:             add setConstant() for hardfreeze element
Severity/Risk:     Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+
Reported by:       Rossiani Wijaya
Issue no.:         MDL-32785
CVE Identifier:    CVE-2012-5472
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32785
Description:
Frozen form elements were open to manipulation when form data was
submitted.

=======================================================================
MSA-12-0059: Information leak in Database activity module

Topic:             Members of seperate groups can see Database activity
                    entries for other groups
Severity/Risk:     Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by:       Richard Meyer
Issue no.:         MDL-34448
CVE Identifier:    CVE-2012-5473
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34448
Description:
Within the Database activity module, when separate groups were used,
members of one group were able to see entries created by members of
another group by completing an advanced search.

=======================================================================
MSA-12-0060: Cross-site scripting vulnerability in YUI2

Topic:             yui2 swf vulnerability
Severity/Risk:     Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
                    1.9 to 1.9.18+
Reported by:       Petr Škoda, Jenny Donnelly
Issue no.:         MDL-36346
CVE Identifier:    CVE-2012-5475
Workaround:        Delete YUI SWF files
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36346
Description:
A XSS vulnerability has been discovered in some YUI 2 .swf files from
versions 2.4.0 through 2.9.0. This defect allows JavaScript injection
exploits to be created against domains that host affected YUI .swf
files.

=======================================================================
MSA-12-0061: Remote code execution through Portfolio API

Topic:             Portfolio plugin: Local File Inclusion (LFI) and the
                    possibility of Remote Command Execution (RCE).
Severity/Risk:     Serious
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by:       Cristobal Leiva
Issue no.:         MDL-33791
CVE Identifier:    CVE-2012-5479
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36346
Description:
It was possible, when Moodle data is stored within the Web accessible
directory, to manipulate the Portfolio API callbacks to execute a file
uploaded by a user.

=======================================================================
MSA-12-0062: Information leak in Database activity module

Topic:             Any user (including a guest) can view entries in
                    database activity when more entries are required
                    before viewing other participants entries
Severity/Risk:     Minor
Versions affected: 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+
Reported by:       Tabitha Roder
Issue no.:         MDL-35558
CVE Identifier:    CVE-2012-5480
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35558
Description:
The setting requiring that a number of entries be posted to a Database
activity before others' entries could be viewed could be circumvented
using an advanced search.

=======================================================================
MSA-12-0063: Information leak in Check Permissions page

Topic:             Check Permissions page displays entire user base
                    without moodle/role:manage capability
Severity/Risk:     Minor
Versions affected: 2.3 to 2.3.2+
Reported by:       Jody Steele
Issue no.:         MDL-35381
CVE Identifier:    CVE-2012-5481
Changes (master): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35381
Description:
The Check Permissions page was allowing non-admin users to see the
capabilities of all users, not just users in a course/category.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic