Bug 985651 (CVE-2013-2242, CVE-2013-2243, CVE-2013-2244, CVE-2013-2245, CVE-2013-2246, CVE-2013-4938, CVE-2013-4939, CVE-2013-4940, CVE-2013-4941, CVE-2013-4942)
Summary: CVE-2013-2242 CVE-2013-2243 CVE-2013-2244 CVE-2013-2245 CVE-2013-2246 CVE-2013-4938 CVE-2013-4939 CVE-2013-4940 CVE-2013-4941 CVE-2013-4942 moodle: upstream 2.5.1, 2.4.5, 2.3.8, 2.2.11 security fixes

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | gwync |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | moodle 2.5.1, moodle 2.4.5, moodle 2.3.8, moodle 2.2.11 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-07-29 16:32:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 985652, 985654 | | |
| Bug Blocks: | | | |
Description

Vincent Danen
2013-07-18 03:11:19 UTC

Created moodle tracking bugs for this issue:

- Affects: fedora-all [bug 985652]
- Affects: epel-all [bug 985654]

For Fedora, the following releases were made to correct these flaws:

- moodle-2.2.11-1.fc17
- moodle-2.3.8-2.fc18
- moodle-2.4.5-2.fc19

For EPEL6, the following release was made to correct these flaws:

- moodle-2.3.8-1.el6

EPEL5 is still currently using the 1.9.x version that may be affected by these issues.

In addition, the following CVEs were assigned to issues resolved in these versions of Moodle (related to MSA-13-0025 and MSA-13-0026):

CVE-2013-4938: The LTI (aka IMS-LTI) mod_form implementation in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not properly support the sendname, sendemailaddr, and acceptgrades settings, which allows remote attackers to obtain sensitive information in opportunistic circumstances by leveraging an environment in which there was an ineffective attempt to enable the more secure values.

CVE-2013-4939: Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility component in Yahoo! YUI 3.0.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL.

CVE-2013-4940: Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility component in Yahoo! YUI 3.10.2, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. NOTE: this vulnerability exists because of a 3.9.1 regression.

CVE-2013-4941: Cross-site scripting (XSS) vulnerability in uploader.swf in the Uploader component in Yahoo! YUI 3.2.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL.

CVE-2013-4942: Cross-site scripting (XSS) vulnerability in flashuploader.swf in the Uploader component in Yahoo! YUI 3.5.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL.