A cross-site scripting (XSS) flaw was found in the way the File picker (which enables files to be selected and displayed in Moodle) of Moodle, a course management system, performed file content sanitization prior to display. A remote attacker could provide a specially-crafted file that, when opened in Moodle's File picker add-on, would lead to arbitrary HTML or web script execution (in the context of the Moodle user's session).

References:
[1] http://www.openwall.com/lists/oss-security/2013/03/25/2

Relevant upstream patch:
[2] http://git.moodle.org/gw?p=moodle.git;a=commit;h=954b35451112c333c0ae77dff25dafbf41587c26
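The bug class described above, as an added illustration (not code from the bug report, from Moodle, or from the upstream patch): a file preview that drops an uploaded file's body straight into the page next to the hardened form that escapes it, plus the response headers a defender would set when serving the raw file. The sample file name and content are constructed for the example; `preview_unsafe`, `preview_safe`, `download_headers` and `has_live_markup` are hypothetical helper names, not Moodle functions.

```python
import html
import re

# Constructed sample: an uploaded "text" file whose body carries markup.
# This illustrates the bug class only; it is not the file from the report.
SAMPLE_NAME = 'notes.txt'
SAMPLE_CONTENT = b'hello <script>alert(document.cookie)</script> world'


def preview_unsafe(name: str, content: bytes) -> str:
    """The pattern the advisory describes: the file body is placed into the
    preview page verbatim, so any markup inside the file becomes live HTML
    running in the viewing user's session."""
    return f"<h1>{name}</h1><pre>{content.decode('utf-8', 'replace')}</pre>"


def preview_safe(name: str, content: bytes) -> str:
    """Hardened preview: every untrusted string (file name and body) is
    HTML-escaped before it reaches the page, so the content is shown as
    text rather than interpreted as markup."""
    return (f"<h1>{html.escape(name)}</h1>"
            f"<pre>{html.escape(content.decode('utf-8', 'replace'))}</pre>")


# Characters allowed in a file name echoed back in a response header.
_SAFE_FILENAME = re.compile(r'[^A-Za-z0-9._-]')


def download_headers(name: str) -> dict:
    """Headers for serving the raw uploaded file instead of rendering it.
    nosniff stops browsers from reinterpreting a text/plain body as HTML,
    and a Content-Disposition of attachment forces a download rather than
    in-page display. The file name is reduced to a safe character set and
    leading dots are dropped so it cannot carry path or quote characters."""
    clean = _SAFE_FILENAME.sub('_', name).lstrip('.') or 'download'
    return {
        'Content-Type': 'text/plain; charset=utf-8',
        'X-Content-Type-Options': 'nosniff',
        'Content-Disposition': f'attachment; filename="{clean}"',
    }


def has_live_markup(rendered: str) -> bool:
    """Simple check used to compare the two previews: does the rendered page
    still contain an unescaped <script tag?"""
    return '<script' in rendered.lower()


if __name__ == '__main__':
    print('unsafe preview contains raw <script>:',
          has_live_markup(preview_unsafe(SAMPLE_NAME, SAMPLE_CONTENT)))
    print('safe preview contains raw <script>:  ',
          has_live_markup(preview_safe(SAMPLE_NAME, SAMPLE_CONTENT)))
    print(download_headers('../evil"name.txt'))
```

Escaping at the point of output is the fix that matters for the preview path; the headers cover the other way the same content reaches a browser, where a file served under a permissive type could still be sniffed and rendered as HTML.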
This issue affects the version of the moodle package, as shipped with Fedora release of 18. Please schedule an update.

--

This issue (probably [*]) affects the versions of the moodle package, as shipped with Fedora release of 17 and Fedora EPEL-6.

[*] Probably, because when comparing the particular upstream patch with the underlying source code, the provided patch doesn't seem to be (directly) applicable. But those versions are listed as affected in advisory [1] too.

--

This issue did NOT affect the version of the moodle package, as shipped with Fedora EPEL-5.
Created moodle tracking bugs for this issue Affects: fedora-18 [bug 927264]
Created moodle tracking bugs for this issue Affects: fedora-17 [bug 927267]
Created moodle tracking bugs for this issue Affects: epel-6 [bug 927273]