Moodle upstream has released upstream versions 2.6.2, 2.5.5, and 2.4.9, which contain various security fixes: http://docs.moodle.org/dev/Moodle_2.6.2_release_notes http://docs.moodle.org/dev/Moodle_2.5.5_release_notes http://docs.moodle.org/dev/Moodle_2.4.9_release_notes The details of each reported issue are summarized below. These issues were posted to oss-sec (https://moodle.org/security/) and can also be found at https://moodle.org/security/. ======================================================================= MSA-14-0004: Incorrect filtering in Quiz Description: Question strings were not being filtered correctly possibly allowing cross site scripting. Issue summary: quiz_question_tostring can cause invalid HTML Severity/Risk: Minor Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions Versions fixed: 2.6.2, 2.5.5 and 2.4.9 Reported by: Tim Hunt Issue no.: MDL-43690, MDL-43846 CVE identifier: Pending Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43690 ======================================================================= MSA-14-0005: Access issue in Feedback activity Description: It was possible to start a Feedback activity while it was supposed to be closed. Issue summary: Feedback Availability dates not honored in complete.php Severity/Risk: Minor Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions Versions fixed: 2.6.2, 2.5.5 and 2.4.9 Reported by: Tomasz Muras Issue no.: MDL-43656 CVE identifier: CVE-2014-0127 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43656 ======================================================================= MSA-14-0006: Capability issue in Chat Description: Capabilities to chat were being checked at the start of a chat, but not during, so changes were not effective immediately. Issue summary: Broken access control vulnerability with /mod/chat/chat_ajax.php Severity/Risk: Minor Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions Versions fixed: 2.6.2, 2.5.5 and 2.4.9 Reported by: Jun Zhu Issue no.: MDL-44082 CVE identifier: CVE-2014-0122 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44082 ======================================================================= MSA-14-0007: Access issue in Wiki Description: There were missing access checks on Wiki pages allowing students to see pages of other students' individual wikis. Issue summary: Students able to see others' Individual wiki through the Recent activity block Severity/Risk: Serious Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions Versions fixed: 2.6.2, 2.5.5 and 2.4.9 Reported by: Monash University VLE team Issue no.: MDL-39990 CVE identifier: CVE-2014-0123 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39990 ======================================================================= MSA-14-0008: Cross site scripting potential in Flowplayer Description: Cross site scripting was possible with Flowplayer Issue summary: Upgrade flowplayer Severity/Risk: Minor Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions Versions fixed: 2.6.2, 2.5.5 and 2.4.9 Reported by: Andrew Nicols, Simon Coggins Issue no.: MDL-43344 CVE identifier: Pending Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43344 ======================================================================= MSA-14-0009: Identity information leak in Forum and Quiz Description: Forum and Quiz were showing users' email addresses when settings were supposed to be preventing this. Issue summary: User email addresses shown when setting and capabilities do not allow it Severity/Risk: Minor Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions Versions fixed: 2.6.2, 2.5.5 and 2.4.9 Reported by: Maria Torres Issue no.: MDL-43916 CVE identifier: CVE-2014-0124 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43916 ======================================================================= MSA-14-0010: Identity information leak in Alfresco Repository Description: Alias links to items in an Alfresco repository were provided with information that would allow someone to impersonate the file owner in Alfresco. Issue summary: Alfresco Repository - external links make Alfresco vulnerable to impersonation attack Severity/Risk: Serious Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions Versions fixed: 2.6.2, 2.5.5 and 2.4.9 Reported by: Ryan Herring Issue no.: MDL-29409 CVE identifier: CVE-2014-0125 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29409 ======================================================================= MSA-14-0011: Cross site request forgery potential in IMS enrolments Description: There was inadequate session checking when triggering the import of IMS Enterprise identities. Issue summary: Cross Site Request Forgery in enrol/imsenterprise/importnow.php Severity/Risk: Serious Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and earlier unsupported versions Versions fixed: 2.6.2, 2.5.5 and 2.4.9 Reported by: Tyler William Thomas Issue no.: MDL-43146 CVE identifier: CVE-2014-0126 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43146 ======================================================================= MSA-14-0012: Access issue in Badges Description: It was possible for authenticated users to toggle the visibility of other users' badges. Issue summary: logged user can change badge status (visible field) Severity/Risk: Minor Versions affected: 2.6 to 2.6.1 and 2.5 to 2.5.4 Versions fixed: 2.6.2 and 2.5.5 Reported by: Adrian Lorenc Issue no.: MDL-44140 CVE identifier: CVE-2014-0129 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44140 ======================================================================= MSA-14-0013: Unfiltered data used in Assignment web services Description: Assignment web service functions were not correctly cleaning function parameters allowing alteration of assignment grade related information. Issue summary: Review mod/assign external functions Severity/Risk: Minor Versions affected: 2.6 to 2.6.1 Versions fixed: 2.6.2 Reported by: Eloy Lafuente Issue no.: MDL-43468 CVE identifier: Pending Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43468
Created moodle tracking bugs for this issue: Affects: fedora-all [bug 1077823] Affects: epel-all [bug 1077824]
> ======================================================================= > MSA-14-0008: Cross site scripting potential in Flowplayer > > Description: Cross site scripting was possible with Flowplayer > Issue summary: Upgrade flowplayer > Severity/Risk: Minor > Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and > earlier unsupported versions > Versions fixed: 2.6.2, 2.5.5 and 2.4.9 > Reported by: Andrew Nicols, Simon Coggins > Issue no.: MDL-43344 > CVE identifier: Pending > Changes (master): > http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43344 MITRE assigned CVE-2013-7341 to this issue.
> ======================================================================= > MSA-14-0004: Incorrect filtering in Quiz > > Description: Question strings were not being filtered correctly > possibly allowing cross site scripting. > Issue summary: quiz_question_tostring can cause invalid HTML > Severity/Risk: Minor > Versions affected: 2.6 to 2.6.1, 2.5 to 2.5.4, 2.4 to 2.4.8 and > earlier unsupported versions > Versions fixed: 2.6.2, 2.5.5 and 2.4.9 > Reported by: Tim Hunt > Issue no.: MDL-43690, MDL-43846 > CVE identifier: Pending > Changes (master): > http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43690 MITRE assigned CVE-2014-2571 to this issue.
> ======================================================================= > MSA-14-0013: Unfiltered data used in Assignment web services > > Description: Assignment web service functions were not correctly > cleaning function parameters allowing alteration > of assignment grade related information. > Issue summary: Review mod/assign external functions > Severity/Risk: Minor > Versions affected: 2.6 to 2.6.1 > Versions fixed: 2.6.2 > Reported by: Eloy Lafuente > Issue no.: MDL-43468 > CVE identifier: Pending > Changes (master): > http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43468 MITRE assigned CVE-2014-2572 to this issue.