Bug 1203202 (CVE-2015-2266, CVE-2015-2267, CVE-2015-2268, CVE-2015-2269, CVE-2015-2270, CVE-2015-2271, CVE-2015-2272, CVE-2015-2273) - CVE-2015-2266 CVE-2015-2267 CVE-2015-2268 CVE-2015-2269 CVE-2015-2270 CVE-2015-2271 CVE-2015-2272 CVE-2015-2273 multiple flaws in moodle
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-2266, CVE-2015-2267, CVE-2015-2268, CVE-2015-2269, CVE-2015-2270, CVE-2015-2271, CVE-2015-2272, CVE-2015-2273
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1203203 1203205
Blocks:
Reported: 2015-03-18 11:49 UTC by Martin Prpič
Modified: 2019-09-29 13:30 UTC (History)

Fixed In Version: moodle 2.8.4, moodle 2.7.6, moodle 2.6.9
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-22 15:37:07 UTC
Embargoed:



Description Martin Prpič 2015-03-18 11:49:54 UTC
The following issues have been identified in Moodle:

==============================================================================
MSA-15-0010: Personal contacts and number of unread messages can be revealed

Description:       By modifying the URL, a logged-in user can view the list of
                   another user's contacts, the number of unread messages and
                   the list of their courses.
Issue summary:     Personal contacts and number of unread messages can be
                   revealed
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier
                   unsupported versions
Versions fixed:    2.8.4, 2.7.6 and 2.6.9
Reported by:       Barry Oosthuizen
Issue no.:         MDL-49204
Workaround:        Disable messaging on site
CVE identifier:    CVE-2015-2266
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49204

==============================================================================
MSA-15-0011: Authentication in mdeploy can be bypassed

Description:       It is theoretically possible to extract files anywhere on
                   the system where the web server has write access, although
                   this is quite difficult to exploit since the attacking user
                   must know details about the system and already have
                   significant permissions on the site.
Issue summary:     Authentication in mdeploy can be bypassed
Severity/Risk:     Serious
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier
                   unsupported versions
Versions fixed:    2.8.4, 2.7.6 and 2.6.9
Reported by:       Frédéric Massart
Issue no.:         MDL-49087
Workaround:        Delete the file mdeploy.php or prevent access to it in the
                   web server config
CVE identifier:    CVE-2015-2267
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49087

==============================================================================
MSA-15-0012: ReDoS Possible with Convert links to URLs filter

Description:       A non-optimal regular expression in the filter could be
                   exploited to create extra server load or make a particular
                   page unavailable
Issue summary:     ReDoS Possible with Convert links to URLs filter
Severity/Risk:     Serious
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier
                   unsupported versions
Versions fixed:    2.8.4, 2.7.6 and 2.6.9
Reported by:       Rob
Issue no.:         MDL-38466
Workaround:        Disable links to URLs filter
CVE identifier:    CVE-2015-2268
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38466

==============================================================================
MSA-15-0013: Block title not properly escaped and may cause HTML injection

Description:       It is possible to create HTML injection through blocks with
                   configurable titles, however this could only be exploited
                   by users who are already marked as XSS-trusted
Issue summary:     Block title not properly escaped and may cause HTML
                   injection
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier
                   unsupported versions
Versions fixed:    2.8.4, 2.7.6 and 2.6.9
Reported by:       Gjoko Krstic
Issue no.:         MDL-49144
CVE identifier:    CVE-2015-2269
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49144

==============================================================================
MSA-15-0014: Potential information disclosure for the inaccessible courses

Description:       For custom themes that use block regions in the base
                   layout, the blocks for inaccessible courses could be
                   displayed together with sensitive course-related
                   information. The majority of themes, including all standard
                   Moodle themes, are not affected.
Issue summary:     Guest user can see course information they should not be
                   able to via require_login
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier
                   unsupported versions
Versions fixed:    2.8.4, 2.7.6 and 2.6.9
Reported by:       Sam Hemelryk
Issue no.:         MDL-48804
CVE identifier:    CVE-2015-2270
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48804

==============================================================================
MSA-15-0015: User without proper permission is able to mark the tag as
inappropriate

Description:       Very minor case of not respecting a capability; it does not
                   affect the majority of sites since this capability is given
                   to authenticated users by default
Issue summary:     Capability moodle/tag:flag not observed
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier
                   unsupported versions
Versions fixed:    2.8.4, 2.7.6 and 2.6.9
Reported by:       Frédéric Massart
Issue no.:         MDL-49084
CVE identifier:    CVE-2015-2271
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49084

==============================================================================
MSA-15-0016: Web services token can be created for user with temporary
password

Description:       Even when a user's password is forced to be changed on
                   login, the user could still use it for authentication in
                   order to create a web service token and therefore extend
                   the life of the temporary password via web services.
Issue summary:     login/token.php does not check if auth_forcepasswordchange
                   is on for the user
Severity/Risk:     Serious
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier
                   unsupported versions
Versions fixed:    2.8.4, 2.7.6 and 2.6.9
Reported by:       Juan Leyva
Issue no.:         MDL-48691
CVE identifier:    CVE-2015-2272
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48691

==============================================================================
MSA-15-0017: XSS in quiz statistics report

Description:       The quiz statistics report did not properly escape student
                   responses and could be used for an XSS attack
Issue summary:     XSS in quiz statistics report
Severity/Risk:     Minor
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier
                   unsupported versions
Versions fixed:    2.8.4, 2.7.6 and 2.6.9
Reported by:       Tim Hunt
Issue no.:         MDL-49364
CVE identifier:    CVE-2015-2273
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49364

==============================================================================

Comment 1 Martin Prpič 2015-03-18 11:50:34 UTC
Created moodle tracking bugs for this issue:

Affects: fedora-all [bug 1203203]
Affects: epel-6 [bug 1203205]

