Moodle upstream has released versions 2.3.9, 2.4.6, and 2.5.2:

http://docs.moodle.org/dev/Moodle_2.3.9_release_notes
http://docs.moodle.org/dev/Moodle_2.4.6_release_notes
http://docs.moodle.org/dev/Moodle_2.5.2_release_notes

These releases contain unspecified security fixes, the nature of which will be made public next week; as per the upstream announcements:

"A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version."
Created moodle tracking bugs for this issue:

Affects: fedora-all [bug 1006678]
Affects: epel-all [bug 1006679]
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-4313 to the following vulnerability:

Name: CVE-2013-4313
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4313
Assigned: 20130612
Reference: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40676
Reference: https://moodle.org/mod/forum/discuss.php?d=238396

Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not prevent use of '\0' characters in query strings, which might allow remote attackers to conduct SQL injection attacks against Microsoft SQL Server via a crafted string.

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-4341 to the following vulnerability:

Name: CVE-2013-4341
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4341
Assigned: 20130612
Reference: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-41623
Reference: https://moodle.org/mod/forum/discuss.php?d=238399

Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 allow remote attackers to inject arbitrary web script or HTML via a crafted blog link within an RSS feed.

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-5674 to the following vulnerability:

Name: CVE-2013-5674
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5674
Assigned: 20130902
Reference: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-40924
Reference: https://moodle.org/mod/forum/discuss.php?d=238397

badges/external.php in Moodle 2.5.x before 2.5.2 does not properly handle an object obtained by unserializing a description of an external badge, which allows remote attackers to conduct PHP object injection attacks via unspecified vectors, as demonstrated by overwriting the value of the userid parameter.
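The two input-handling weaknesses described above (NUL bytes reaching query strings in CVE-2013-4313, and unserialize() of an externally supplied badge description in CVE-2013-5674) share a defensive pattern: validate untrusted input before it reaches the database layer or the deserializer. The following is an added illustration written for this entry, not Moodle's own code or its actual fix; the function names and the constructed sample inputs are assumptions, and it assumes a plain PHP 5.4+ or 7.x runtime.

```php
<?php
// Added example, not Moodle code: input checks for the two issue classes above.

/**
 * Refuse any request parameter containing a NUL byte (CVE-2013-4313 class).
 * Recurses into nested query-string arrays such as ?ids[]=1&ids[]=2.
 */
function reject_nul_bytes(array $params) {
    foreach ($params as $name => $value) {
        if (is_array($value)) {
            reject_nul_bytes($value);
        } elseif (is_string($value) && strpos($value, "\0") !== false) {
            throw new InvalidArgumentException(
                "Parameter '$name' contains a NUL byte; request rejected");
        }
    }
}

/**
 * Decode an externally supplied description (e.g. an external badge) without
 * letting the sender pick which PHP classes are instantiated (CVE-2013-5674
 * class). JSON is preferred; legacy serialized input is accepted only when it
 * holds scalars and arrays. The regex is a conservative pre-check for PHP 5,
 * where unserialize() has no allowed_classes option; it may also reject a
 * harmless string that merely contains an object token, which is acceptable.
 */
function decode_untrusted_description($data) {
    $decoded = json_decode($data, true);
    if (json_last_error() === JSON_ERROR_NONE) {
        return $decoded;                      // object-free path
    }
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $data)) {
        throw new UnexpectedValueException('Serialized objects are not accepted');
    }
    $value = (PHP_VERSION_ID >= 70000)
        ? unserialize($data, ['allowed_classes' => false])
        : unserialize($data);
    if ($value === false && $data !== serialize(false)) {
        throw new UnexpectedValueException('Malformed serialized data');
    }
    return $value;
}

// Constructed sample inputs for demonstration.
reject_nul_bytes(['id' => '42', 'q' => 'search term']);               // passes
try { reject_nul_bytes(['q' => "abc\0def"]); }
catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
var_dump(decode_untrusted_description('{"name":"Badge","issuer":"example.org"}'));
try { decode_untrusted_description('O:8:"stdClass":1:{s:6:"userid";i:1;}'); }
catch (UnexpectedValueException $e) { echo $e->getMessage(), "\n"; }
```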