Bug 1077822 (CVE-2013-7341, CVE-2014-0122, CVE-2014-0123, CVE-2014-0124, CVE-2014-0125, CVE-2014-0126, CVE-2014-0127, CVE-2014-0129, CVE-2014-2571, CVE-2014-2572) - CVE-2014-0127 CVE-2014-0122 CVE-2014-0123 CVE-2014-0124 CVE-2014-0125 CVE-2014-0126 CVE-2014-0129 CVE-2013-7341 CVE-2014-2571 CVE-2014-2572 moodle: upstream 2.6.2, 2.5.5, and 2.4.9 fixes
Summary: CVE-2014-0127 CVE-2014-0122 CVE-2014-0123 CVE-2014-0124 CVE-2014-0125 CVE-201...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-7341, CVE-2014-0122, CVE-2014-0123, CVE-2014-0124, CVE-2014-0125, CVE-2014-0126, CVE-2014-0127, CVE-2014-0129, CVE-2014-2571, CVE-2014-2572
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1077823 1077824
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-03-18 16:11 UTC by Martin Prpič
Modified: 2019-09-29 13:14 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-22 15:37:17 UTC
Embargoed:


Attachments (Terms of Use)

Description Martin Prpič 2014-03-18 16:11:23 UTC
Moodle upstream has released upstream versions 2.6.2, 2.5.5, and 2.4.9, which contain various security fixes:

http://docs.moodle.org/dev/Moodle_2.6.2_release_notes
http://docs.moodle.org/dev/Moodle_2.5.5_release_notes
http://docs.moodle.org/dev/Moodle_2.4.9_release_notes

The details of each reported issue are summarized below. These issues were posted to oss-sec (https://moodle.org/security/) and can also be found at https://moodle.org/security/.


=======================================================================
MSA-14-0004: Incorrect filtering in Quiz

Description:       Question strings were not being filtered correctly
                   possibly allowing cross site scripting.
Issue summary:     quiz_question_tostring can cause invalid HTML
Severity/Risk:     Minor
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and
                   earlier unsupported versions
Versions fixed:    2.6.2, 2.5.5 and 2.4.9
Reported by:       Tim Hunt
Issue no.:         MDL-43690, MDL-43846
CVE identifier:    Pending
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43690

=======================================================================
MSA-14-0005: Access issue in Feedback activity

Description:       It was possible to start a Feedback activity while
                   it was supposed to be closed.
Issue summary:     Feedback Availability dates not honored in
                   complete.php
Severity/Risk:     Minor
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and
                   earlier unsupported versions
Versions fixed:    2.6.2, 2.5.5 and 2.4.9
Reported by:       Tomasz Muras
Issue no.:         MDL-43656
CVE identifier:    CVE-2014-0127
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43656

=======================================================================
MSA-14-0006: Capability issue in Chat

Description:       Capabilities to chat were being checked at the start
                   of a chat, but not during, so changes were not
                   effective immediately.
Issue summary:     Broken access control vulnerability with
                   /mod/chat/chat_ajax.php
Severity/Risk:     Minor
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and
                   earlier unsupported versions
Versions fixed:    2.6.2, 2.5.5 and 2.4.9
Reported by:       Jun Zhu
Issue no.:         MDL-44082
CVE identifier:    CVE-2014-0122
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44082

=======================================================================
MSA-14-0007: Access issue in Wiki

Description:       There were missing access checks on Wiki pages
                   allowing students to see pages of other students'
                   individual wikis.
Issue summary:     Students able to see others' Individual wiki through
                   the Recent activity block
Severity/Risk:     Serious
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and
                   earlier unsupported versions
Versions fixed:    2.6.2, 2.5.5 and 2.4.9
Reported by:       Monash University VLE team
Issue no.:         MDL-39990
CVE identifier:    CVE-2014-0123
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39990

=======================================================================
MSA-14-0008: Cross site scripting potential in Flowplayer

Description:       Cross site scripting was possible with Flowplayer
Issue summary:     Upgrade flowplayer
Severity/Risk:     Minor
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and
                   earlier unsupported versions
Versions fixed:    2.6.2, 2.5.5 and 2.4.9
Reported by:       Andrew Nicols, Simon Coggins
Issue no.:         MDL-43344
CVE identifier:    Pending
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43344

=======================================================================
MSA-14-0009: Identity information leak in Forum and Quiz

Description:       Forum and Quiz were showing users' email addresses
                   when settings were supposed to be preventing this.
Issue summary:     User email addresses shown when setting and
                   capabilities do not allow it
Severity/Risk:     Minor
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and
                   earlier unsupported versions
Versions fixed:    2.6.2, 2.5.5 and 2.4.9
Reported by:       Maria Torres
Issue no.:         MDL-43916
CVE identifier:    CVE-2014-0124
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43916

=======================================================================
MSA-14-0010: Identity information leak in Alfresco Repository

Description:       Alias links to items in an Alfresco repository were
                   provided with information that would allow someone
                   to impersonate the file owner in Alfresco.
Issue summary:     Alfresco Repository - external links make Alfresco
                   vulnerable to impersonation attack
Severity/Risk:     Serious
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and
                   earlier unsupported versions
Versions fixed:    2.6.2, 2.5.5 and 2.4.9
Reported by:       Ryan Herring
Issue no.:         MDL-29409
CVE identifier:    CVE-2014-0125
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29409

=======================================================================
MSA-14-0011: Cross site request forgery potential in IMS enrolments

Description:       There was inadequate session checking when
                   triggering the import of IMS Enterprise identities.
Issue summary:     Cross Site Request Forgery in
                   enrol/imsenterprise/importnow.php
Severity/Risk:     Serious
Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and
                   earlier unsupported versions
Versions fixed:    2.6.2, 2.5.5 and 2.4.9
Reported by:       Tyler William Thomas
Issue no.:         MDL-43146
CVE identifier:    CVE-2014-0126
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43146

=======================================================================
MSA-14-0012: Access issue in Badges

Description:       It was possible for authenticated users to toggle
                   the visibility of other users' badges.
Issue summary:     logged user can change badge status (visible field)
Severity/Risk:     Minor
Versions affected: 2.6 to 2.6.1 and 2.5 to 2.5.4
Versions fixed:    2.6.2 and 2.5.5
Reported by:       Adrian Lorenc
Issue no.:         MDL-44140
CVE identifier:    CVE-2014-0129
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44140

=======================================================================
MSA-14-0013: Unfiltered data used in Assignment web services

Description:       Assignment web service functions were not correctly
                   cleaning function parameters allowing alteration
                   of assignment grade related information.
Issue summary:     Review mod/assign external functions
Severity/Risk:     Minor
Versions affected: 2.6 to 2.6.1
Versions fixed:    2.6.2
Reported by:       Eloy Lafuente
Issue no.:         MDL-43468
CVE identifier:    Pending
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43468

Comment 1 Martin Prpič 2014-03-18 16:13:49 UTC
Created moodle tracking bugs for this issue:

Affects: fedora-all [bug 1077823]
Affects: epel-all [bug 1077824]

Comment 2 Murray McAllister 2014-03-24 03:11:48 UTC
> =======================================================================
> MSA-14-0008: Cross site scripting potential in Flowplayer
> 
> Description:       Cross site scripting was possible with Flowplayer
> Issue summary:     Upgrade flowplayer
> Severity/Risk:     Minor
> Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and
>                    earlier unsupported versions
> Versions fixed:    2.6.2, 2.5.5 and 2.4.9
> Reported by:       Andrew Nicols, Simon Coggins
> Issue no.:         MDL-43344
> CVE identifier:    Pending
> Changes (master):
> http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43344

MITRE assigned CVE-2013-7341 to this issue.

Comment 3 Murray McAllister 2014-03-24 03:23:23 UTC
> =======================================================================
> MSA-14-0004: Incorrect filtering in Quiz
> 
> Description:       Question strings were not being filtered correctly
>                    possibly allowing cross site scripting.
> Issue summary:     quiz_question_tostring can cause invalid HTML
> Severity/Risk:     Minor
> Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and
>                    earlier unsupported versions
> Versions fixed:    2.6.2, 2.5.5 and 2.4.9
> Reported by:       Tim Hunt
> Issue no.:         MDL-43690, MDL-43846
> CVE identifier:    Pending
> Changes (master):
> http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43690

MITRE assigned CVE-2014-2571 to this issue.

Comment 4 Murray McAllister 2014-03-24 03:24:37 UTC
> =======================================================================
> MSA-14-0013: Unfiltered data used in Assignment web services
> 
> Description:       Assignment web service functions were not correctly
>                    cleaning function parameters allowing alteration
>                    of assignment grade related information.
> Issue summary:     Review mod/assign external functions
> Severity/Risk:     Minor
> Versions affected: 2.6 to 2.6.1
> Versions fixed:    2.6.2
> Reported by:       Eloy Lafuente
> Issue no.:         MDL-43468
> CVE identifier:    Pending
> Changes (master):
> http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43468

MITRE assigned CVE-2014-2572 to this issue.


Note You need to log in before you can comment on or make changes to this bug.