The following issues have been identified in Moodle:

==============================================================================
MSA-15-0026: Possible phishing when redirecting to external site using referer header

Description: Another case where a redirect to an external site was possible in error messages. See also MSA-15-0019 (CVE-2015-3175).
Issue summary: PARAM_LOCALURL is vulnerable to open redirects
Severity/Risk: Minor
Versions affected: 2.9, 2.8 to 2.8.6, 2.7 to 2.7.8 and earlier unsupported versions
Versions fixed: 2.9.1, 2.8.7 and 2.7.9
Reported by: Totara
Issue no.: MDL-50688
CVE identifier: CVE-2015-3272
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50688
==============================================================================
MSA-15-0027: Capability 'mod/forum:canposttomygroups' is not respected when using 'Post a copy to all groups' in forum

Description: The capability 'mod/forum:canposttomygroups' was not respected when using 'Post a copy to all groups' in forum; the capability to post to each individual group was always required instead.
Issue summary: canposttomygroups capability is not checked in mod/forum/post.php
Severity/Risk: Minor
Versions affected: 2.9
Versions fixed: 2.9.1
Reported by: Juan Leyva
Issue no.: MDL-50220
CVE identifier: CVE-2015-3273
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50220
==============================================================================
MSA-15-0028: Possible XSS through custom text profile fields in Web Services

Description: Several web services returning user information did not clean the text in custom text profile fields.
Issue summary: Custom profile fields (textarea) are not passed through external_format_text when returned by several web services
Severity/Risk: Minor
Versions affected: 2.9, 2.8 to 2.8.6, 2.7 to 2.7.8 and earlier unsupported versions
Versions fixed: 2.9.1, 2.8.7 and 2.7.9
Reported by: Marina Glancy
Issue no.: MDL-50130
CVE identifier: CVE-2015-3274
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50130
==============================================================================
MSA-15-0029: Javascript injection in SCORM module

Description: A penetration test discovered a possible JavaScript injection in the SCORM module.
Issue summary: Inadequate JavaScript Handling in SCORM
Severity/Risk: Minor
Versions affected: 2.9, 2.8 to 2.8.6, 2.7 to 2.7.8 and earlier unsupported versions
Versions fixed: 2.9.1, 2.8.7 and 2.7.9
Reported by: Martin Greenaway
Issue no.: MDL-50614
CVE identifier: CVE-2015-3275
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50614
==============================================================================

Advisories are also available from: https://moodle.org/security/
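MSA-15-0026 above is an open-redirect bug in a "local URL" check: a value taken from the Referer header was trusted as an on-site destination when it could name another host. The example below is added here and is not Moodle's code or the actual MDL-50688 fix; it shows, more generally than the advisory's single error-message case, the kinds of input a local-URL validator has to reject (foreign hosts, scheme-relative forms, backslash and whitespace variants, host look-alikes) and the safe fallback when a Referer value fails the check. The site root `https://lms.example.org/moodle` and the helpers `is_local_url` / `safe_redirect_target` are constructed for the example.

```python
"""Defensive local-URL check in the spirit of a PARAM_LOCALURL-style filter.

Added example, not Moodle's code. WWWROOT is a constructed site root and the
two helpers are hypothetical names chosen for this illustration.
"""
from typing import Optional
from urllib.parse import urljoin, urlsplit

WWWROOT = "https://lms.example.org/moodle"  # constructed site root


def is_local_url(candidate: str, wwwroot: str = WWWROOT) -> bool:
    """Return True only if `candidate` stays on the site rooted at `wwwroot`.

    Accepted:
      - a plain relative reference ("course/view.php?id=2", "/moodle/index.php"),
        which can only resolve against this host
      - an absolute URL whose scheme and host equal wwwroot's exactly and whose
        path lies under wwwroot's path
    Rejected:
      - any other scheme or host (including userinfo tricks such as
        "site@otherhost" and host look-alikes such as "site.otherhost")
      - scheme-relative references ("//host/...", "///host/..."), which
        browsers resolve to a different origin
      - backslashes, control characters and surrounding whitespace, which some
        URL parsers normalise away and others do not
    """
    if not candidate or candidate != candidate.strip():
        return False
    if any(ord(ch) < 0x20 for ch in candidate):
        return False
    if "\\" in candidate:
        return False

    root = urlsplit(wwwroot)
    parts = urlsplit(candidate)

    # Relative reference: no scheme and no authority. urlsplit already assigns
    # "//host/x" a netloc, so it never reaches this branch; "///host/x" does
    # (empty netloc), which is why the explicit "//" prefix check stays.
    if parts.scheme == "" and parts.netloc == "":
        return not candidate.startswith("//")

    # Absolute reference: exact scheme and host match, then path containment.
    if parts.scheme.lower() != root.scheme.lower():
        return False
    if parts.netloc.lower() != root.netloc.lower():
        return False
    root_path = root.path.rstrip("/") + "/"
    return parts.path == root.path or parts.path.startswith(root_path)


def safe_redirect_target(candidate: Optional[str],
                         fallback: str = WWWROOT + "/") -> str:
    """Choose a redirect destination from an untrusted value such as Referer.

    A local candidate is resolved against the site root and returned; anything
    else (missing, malformed, off-site) yields the site's own front page, so an
    error page never forwards the browser to a foreign host.
    """
    if candidate is not None and is_local_url(candidate):
        return urljoin(WWWROOT + "/", candidate)
    return fallback


if __name__ == "__main__":
    # Constructed sample inputs, as they might arrive in a Referer header.
    samples = [
        "course/view.php?id=2",
        "/moodle/index.php",
        "https://lms.example.org/moodle/course/view.php?id=2",
        "https://lms.example.org/other/",
        "//evil.example/landing",
        "///evil.example/landing",
        "https://lms.example.org.evil.example/moodle/",
        "https://lms.example.org@evil.example/moodle/",
        "javascript:void(0)",
        " https://lms.example.org/moodle/",
        None,
    ]
    for value in samples:
        print(f"{value!r:55} -> {safe_redirect_target(value)}")
```

The check is deliberately strict: a port, userinfo or case difference in the host fails the comparison, and any value that fails the check is replaced by the site root rather than reported back to the user, which is the behaviour a "possible phishing" finding like this one calls for.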
Created moodle tracking bugs for this issue:

Affects: fedora-all [bug 1242777]
Affects: epel-6 [bug 1242778]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.