Multiple security issues were fixed in versions 2.7.11, 2.8.9 and 2.9.3 of moodle.

-----
(MSA-15-0037) CVE-2015-5331 Possible to send a message to a user who blocked messages from non contacts:
An insufficient settings check when messaging another user opens a spam possibility. Users who are not in the recipient's contact list can still send messages even though this is blocked in the recipient's preferences.
Versions affected: 2.9 to 2.9.2
Versions fixed: 2.9.3
Reported by: Pavel Sokolov
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50426

-----
(MSA-15-0038) CVE-2015-5332 DDoS possibility in Atto:
If guest access is open on the site, an unauthenticated user can mount a DDoS attack through the editor autosave area, because guests can use Atto drafts to store content.
Versions affected: 2.9 to 2.9.2 and 2.8 to 2.8.8
Versions fixed: 2.9.3 and 2.8.9
Reported by: Frédéric Massart
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51000

-----
(MSA-15-0039) CVE-2015-5335 CSRF in site registration form:
An attacker can send an admin a link to the site registration form that displays the correct URL but, if submitted, registers the site with another hub. It is therefore possible to trick a site/admin into sending aggregate stats to an arbitrary domain.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Andrew Davis
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51091

-----
(MSA-15-0040) CVE-2015-5336 Student XSS in survey:
The standard survey module is vulnerable to an XSS attack by students who fill in the survey.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Hugh Davenport
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49940

-----
(MSA-15-0041) CVE-2015-5337 XSS in flash video player:
An XSS vulnerability caused by the Flowplayer flash video player has been addressed.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Andrew Nicols
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48085

-----
(MSA-15-0042) CVE-2015-5338 CSRF in lesson login form:
Password-protected lesson modules are subject to a CSRF vulnerability.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Ankit Agarwal
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48109

-----
(MSA-15-0043) CVE-2015-5339 Web service core_enrol_get_enrolled_users does not respect course group mode:
Through the web service core_enrol_get_enrolled_users it is possible to retrieve a list of course participants who would not be visible when using the web site.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Daniel Palou
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51861

-----
(MSA-15-0044) CVE-2015-5340 Capability to view available badges is not respected:
Logged-in users who do not have the capability 'View available badges without earning them' can still access the full list of badges. The capability moodle/badges:viewbadges is not respected.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Marina Glancy
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51684

-----
(MSA-15-0045) CVE-2015-5341 SCORM module allows to bypass access restrictions based on date:
Incorrect and missing handling of availability dates in mod_scorm lets users view the SCORM contents, bypassing the date restriction.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Juan Leyva
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50837

-----
(MSA-15-0046) CVE-2015-5342 Choice module closing date can be bypassed:
Users can craft the request URL to delete or submit new responses after the choice module was closed, because the closing date is not enforced server-side.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Juan Leyva
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51569

-----
External reference: https://moodle.org/mod/forum/discuss.php?d=322852
Created moodle tracking bugs for this issue:
Affects: fedora-all [bug 1288159]
Affects: epel-6 [bug 1288160]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.