Multiple vulnerabilities were fixed in moodle 3.0.4, 2.9.6, 2.8.12 and 2.7.14 releases. ============================================================================== MSA-16-0013: Users are able to change profile fields that were locked by the administrator Description: User editing form only disabled the profile fields in UI and did not actually prevent users from editing them Issue summary: Tricky users can change locked profile fields Severity/Risk: Minor Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions Versions fixed: 3.0.4, 2.9.6, 2.8.12 and 2.7.14 Reported by: Vadim Dvorovenko Issue no.: MDL-53954 CVE identifier: CVE-2016-3729 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53954 ============================================================================== MSA-16-0015: Information disclosure of hidden forum names and sub-names. Description: Name of the inaccessible forum or forum discussion could be disclosed as part of the error message on the subscription page Issue summary: Information disclosure of hidden forum names and sub-names. Severity/Risk: Minor Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5 and 2.8 to 2.8.11 Versions fixed: 3.0.4, 2.9.6 and 2.8.12 Reported by: Callum Issue no.: MDL-53696 CVE identifier: CVE-2016-3731 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53696 ============================================================================== MSA-16-0016: User can view badges of other users without proper permissions Description: Capability check to view other badges was performed for the current user instead for the user whose badges are being viewed Issue summary: Badges code checks viewotherbadges capability in the wrong context Severity/Risk: Minor Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions Versions fixed: 3.0.4, 2.9.6 and 2.8.12 Reported by: Tim Hunt Issue no.: MDL-53589 CVE identifier: CVE-2016-3732 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53589 ============================================================================== MSA-16-0017: Course idnumber not protected from teacher restore Description: During the course restore teacher could overwrite idnumber even without having the capability to change it Issue summary: Course idnumber not protected from teacher restore Severity/Risk: Minor Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions Versions fixed: 3.0.4, 2.9.6, 2.8.12 and 2.7.14 Reported by: Donna Hrynkiw Issue no.: MDL-51369 CVE identifier: CVE-2016-3733 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51369 ============================================================================== MSA-16-0018: CSRF in script marking forum posts as read Description: CSRF possible in the URL that marks forum posts as read Issue summary: Forum markposts.php missing sesskey check Severity/Risk: Minor Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions Versions fixed: 3.0.4, 2.9.6, 2.8.12 and 2.7.14 Reported by: Andrew Nicols Issue no.: MDL-53755 CVE identifier: CVE-2016-3734 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53755 ==============================================================================
Acknowledgments: Name: the Moodle project
Created moodle tracking bugs for this issue: Affects: fedora-all [bug 1336729] Affects: epel-all [bug 1336730]
Public via: http://seclists.org/oss-sec/2016/q2/352
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.