Moodle Multiple Vulns

2013.05.21
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

The following security notifications are now public. Thanks to OSS members for their cooperation.

=======================================================================
MSA-13-0020: Capability issue in Assignment

Description:        The assignment module was not checking capabilities for users downloading all assignments as a zip.
Issue summary:      Students can download assignments submitted by other students
Severity/Risk:      Serious
Versions affected:  2.4 to 2.4.3, 2.3 to 2.3.6
Versions fixed:     2.5, 2.4.4 and 2.3.7
Reported by:        Phillip Franks
Issue no.:          MDL-38443
CVE Identifier:     CVE-2013-2079
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38443
=======================================================================
MSA-13-0021: Potential information leak in Gradebook

Description:        The Gradebook's Overview report was showing grade totals that may have incorrectly included hidden grades.
Issue summary:      The method for figuring out showtotalsifcontainhidden on the overview report is flawed
Severity/Risk:      Minor
Versions affected:  2.4 to 2.4.3, 2.3 to 2.3.6, earlier unsupported versions
Versions fixed:     2.5, 2.4.4 and 2.3.7
Reported by:        Andrew Davis
Issue no.:          MDL-37475
CVE Identifier:     CVE-2013-2080
Workaround:         Ensure all courses have the same value for hiding grades in the gradebook. This is set at Administration > Grades > Course grade settings > Hide totals if they contain hidden items
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37475
=======================================================================
MSA-13-0022: Information leak in hub registration

Description:        When registering a site on a hub (not Moodle.net), site information was being sent to the hub regardless of the settings chosen.
Issue summary:      Moodle sends site information to a hub even though it's unchecked
Severity/Risk:      Minor
Versions affected:  2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions
Versions fixed:     2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by:        Jérôme Mouneyrac
Issue no.:          MDL-37822
CVE Identifier:     CVE-2013-2081
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37822
=======================================================================
MSA-13-0023: Permission issue in blog comments

Description:        There was no check of permissions for viewing comments on blog posts.
Issue summary:      Blog comment validation should verify that the user can view a post.
Severity/Risk:      Serious
Versions affected:  2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions
Versions fixed:     2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by:        Dan Poltawski
Issue no.:          MDL-37245
CVE Identifier:     CVE-2013-2082
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37245
=======================================================================
MSA-13-0024: Form filtering issue

Description:        Form elements named using a specific naming scheme were not being filtered correctly.
Issue summary:      Elements named foo[i] are not cleaned properly
Severity/Risk:      Minor
Versions affected:  2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions
Versions fixed:     2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by:        Dan Poltawski
Issue no.:          MDL-38885
CVE Identifier:     CVE-2013-2083
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38885
=======================================================================
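
The gradebook problem in MSA-13-0021 (and the reason the workaround asks for the same setting in every course) is easiest to see in code. The following is an added illustration, not Moodle's own code: a cross-course overview report that resolves the "Hide totals if they contain hidden items" setting once, and the corrected version that resolves it per course. The three behaviours and the constant names are assumptions made for this example, not Moodle's constants.

```php
<?php
// Added example (not Moodle code): why a cross-course overview report must
// resolve "Hide totals if they contain hidden items" per course rather than
// once. The three behaviours and the constant names below are assumptions
// for this illustration, not Moodle's own constants.

declare(strict_types=1);

const HIDE_TOTAL_IF_CONTAINS_HIDDEN = 0; // withhold the total entirely
const SHOW_TOTAL_EXCLUDING_HIDDEN   = 1; // total over visible items only
const SHOW_REAL_TOTAL               = 2; // total over all items, hidden included

/**
 * Compute the displayed course total for one user.
 * $items: list of ['grade' => float, 'hidden' => bool]
 * Returns the total, or null when it must be withheld.
 */
function course_total(array $items, int $setting): ?float
{
    $visible   = array_filter($items, fn(array $i) => !$i['hidden']);
    $hasHidden = count($visible) < count($items);

    switch ($setting) {
        case SHOW_REAL_TOTAL:
            return array_sum(array_column($items, 'grade'));
        case SHOW_TOTAL_EXCLUDING_HIDDEN:
            return array_sum(array_column($visible, 'grade'));
        case HIDE_TOTAL_IF_CONTAINS_HIDDEN:
            return $hasHidden ? null : array_sum(array_column($items, 'grade'));
        default:
            throw new InvalidArgumentException("unknown setting $setting");
    }
}

/**
 * Flawed overview: reads the setting from the first course and reuses it
 * for every course. If course A allows real totals and course B hides
 * them, B's hidden grade is folded into the total shown for B.
 */
function overview_totals_flawed(array $courses): array
{
    $setting = reset($courses)['setting'];
    $out = [];
    foreach ($courses as $id => $course) {
        $out[$id] = course_total($course['items'], $setting);
    }
    return $out;
}

/** Corrected overview: each course is totalled under its own setting. */
function overview_totals_fixed(array $courses): array
{
    $out = [];
    foreach ($courses as $id => $course) {
        $out[$id] = course_total($course['items'], $course['setting']);
    }
    return $out;
}

// Constructed sample data: one student enrolled in two courses.
$courses = [
    'courseA' => [
        'setting' => SHOW_REAL_TOTAL,
        'items'   => [['grade' => 40.0, 'hidden' => false], ['grade' => 50.0, 'hidden' => false]],
    ],
    'courseB' => [
        'setting' => HIDE_TOTAL_IF_CONTAINS_HIDDEN,
        'items'   => [['grade' => 30.0, 'hidden' => false], ['grade' => 65.0, 'hidden' => true]],
    ],
];

var_dump(overview_totals_flawed($courses)); // courseB => 95.0: the hidden 65 leaks
var_dump(overview_totals_fixed($courses));  // courseB => NULL: total withheld
```

The design point is that any report spanning several contexts must fetch authorisation-relevant settings from the context that owns each row; caching a value from the first row turns a per-course disclosure decision into a global one, which is exactly what the workaround papers over by making every course agree.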

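MSA-13-0024 concerns form fields named with the foo[i] scheme, which PHP delivers to the application as nested arrays rather than scalars. The following added example (not Moodle code; the helper names are invented for this illustration) contrasts a request cleaner that only handles scalar values, and therefore passes every value under an array-named field through untouched, with a recursive cleaner that walks the nested structure.

```php
<?php
// Added example (not Moodle code): why a flat request-parameter cleaner
// misses form fields named with the foo[i] scheme, and a recursive fix.
//
// PHP parses a query string such as "foo[0]=<b>x</b>&foo[1]=y" into
// $_GET['foo'] = [0 => '<b>x</b>', 1 => 'y'], so a cleaner that handles
// only scalar values never sees the values under an array-named field.

declare(strict_types=1);

/** Clean one scalar value as a plain-text parameter (illustrative rules). */
function clean_scalar(string $value): string
{
    $value = strip_tags($value);
    // Drop control characters other than tab, LF and CR.
    return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $value) ?? '';
}

/**
 * Flat cleaner (the weak pattern): cleans scalars, passes arrays through
 * unchanged, so foo[i] fields reach the application raw.
 */
function clean_params_flat(array $params): array
{
    $clean = [];
    foreach ($params as $name => $value) {
        $clean[$name] = is_array($value) ? $value : clean_scalar((string) $value);
    }
    return $clean;
}

/**
 * Recursive cleaner (the corrected pattern): walks nested arrays to any
 * depth, cleans each leaf, and cleans string keys as well so that a
 * client-chosen index cannot carry markup either. Nesting depth is capped
 * so a hostile request cannot drive unbounded recursion.
 */
function clean_params_recursive(array $params, int $depth = 0): array
{
    if ($depth > 10) {
        throw new InvalidArgumentException('parameter nesting too deep');
    }
    $clean = [];
    foreach ($params as $name => $value) {
        $key = is_int($name) ? $name : clean_scalar($name);
        $clean[$key] = is_array($value)
            ? clean_params_recursive($value, $depth + 1)
            : clean_scalar((string) $value);
    }
    return $clean;
}

// Constructed sample request, built the way PHP would build $_GET from
// "title=<i>hi</i>&foo[0]=<b>bold</b>&foo[1]=ok&bar[a][b]=<u>deep</u>".
$request = [];
parse_str('title=<i>hi</i>&foo[0]=<b>bold</b>&foo[1]=ok&bar[a][b]=<u>deep</u>', $request);

$flat      = clean_params_flat($request);
$recursive = clean_params_recursive($request);

echo "flat title:       ", $flat['title'], "\n";              // hi
echo "flat foo[0]:      ", $flat['foo'][0], "\n";             // <b>bold</b>  (not cleaned)
echo "recursive foo[0]: ", $recursive['foo'][0], "\n";        // bold
echo "recursive bar:    ", $recursive['bar']['a']['b'], "\n"; // deep
```

When reviewing a cleaning layer, the check to make is whether it is applied at the leaves of whatever structure the request parser produces, not at the top-level key names; a test that submits one array-named field and asserts on the cleaned leaf catches this class of gap.
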
References:

http://seclists.org/oss-sec/2013/q2/379
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38443

