Bug 417217 (CVE-2012-2353) - <www-apps/moodle-2.2.3 Multiple Vulnerabilities (CVE-2012-{2353,2354,2355,2356,2357,2358,2359,2360,2361,2362,2363,2364,2365,2366,2367})
Status: RESOLVED FIXED
Alias: CVE-2012-2353
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://git.moodle.org/gw?p=moodle.git...
Whiteboard: ~3 [noglsa]
Reported: 2012-05-23 07:04 UTC by Michael Harrison
Modified: 2012-07-21 14:50 UTC
Description Michael Harrison 2012-05-23 07:04:19 UTC
=======================================================================
MSA-12-0024: Hidden information access issue

Topic:             Data protection issue / Information disclosure by
                  "Settings" ->  "Users" ->  "Enrolled users"
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by:       Andreas Grupp
Issue no.:         MDL-31923
CVE Identifier:    CVE-2012-2353
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31923
Description:
Teachers without appropriate permissions were able to see user access
information.

=======================================================================
MSA-12-0025: Personal communication access issue

Topic:             "Recent conversations" allows anyone to see anyone
                  else's messages
Severity/Risk:     Serious
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by:       Juan Aburto
Issue no.:         MDL-31834
CVE Identifier:    CVE-2012-2354
Changes (master):  http://git.moodle.org/gw?p=moodle.git;a=commit;h=48e03792ca8faa2d781f9ef74606f3b3f0d3baec
Description:
By manipulating URL parameters, users were able to see others'
messages.

=======================================================================
MSA-12-0026: Quiz capability issue

Topic:             When you add a question to the quiz, it does not
                  check the question:use... capability.
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by:       Tim Hunt
Issue no.:         MDL-32240
CVE Identifier:    CVE-2012-2355
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32240
Description:
Capabilities were not being correctly checked when adding questions
to a quiz.

=======================================================================
MSA-12-0027: Question bank capability issues

Topic:             Various problems with permissions checks in the
                  question bank
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by:       Tim Hunt
Issue no.:         MDL-32239
CVE Identifier:    CVE-2012-2356
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32239
Description:
Capabilities were not being correctly checked when working in the
question bank. Question authorship was not being checked. Users were
shown UI elements when they did not have permission to use them.
User permissions were not correctly checked when saving a question.

=======================================================================
MSA-12-0028: Insecure authentication issue

Topic:             CAS Multi-Authentication Does Not Use HTTPS Login
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by:       Chris Follin
Workaround:        Avoid CAS authentication
Issue no.:         MDL-32492
CVE Identifier:    CVE-2012-2357
Changes (master):  http://git.moodle.org/gw?p=moodle.git;a=commit;h=895e76ea51c462c18ad66e0761ad76cd26a63ecf
Description:
A page in the CAS Authentication process was using an insecure HTTP
URL that, apart from being insecure, sent the user in circles.

=======================================================================
MSA-12-0029: Information editing access issue

Topic:             Students can edit database entries in read only mode
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+
Reported by:       Amanda Doughty
Issue no.:         MDL-31811
CVE Identifier:    CVE-2012-2358
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31811
Description:
Students were able to edit pre-existing Database activity entries
after the activity had entered a read-only period.

=======================================================================
MSA-12-0030: Capability manipulation issue

Topic:             Non-editor teacher can exceed teacher permissions: example, backup:userinfo
Severity/Risk:     Serious
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+
Reported by:       Jozas Nhial
Issue no.:         MDL-32030
CVE Identifier:    CVE-2012-2359
Changes (master):  http://git.moodle.org/gw?p=moodle.git;a=commit;h=0f75e1e6272db0303abc8e27362e5c3a1344b82f
Description:
Non-editing teachers were able to redefine their capabilities to
achieve actions they would not normally be able to achieve.

=======================================================================
MSA-12-0031: Cross-site scripting vulnerability in Wiki

Topic:             Injection and XSS vulnerability in wiki through
                  insufficient validation
Severity/Risk:     Serious
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+
Reported by:       Sam Hemelryk
Issue no.:         MDL-32018
CVE Identifier:    CVE-2012-2360
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32018
Description:
It was possible to inject unfiltered HTML into a wiki page title.

=======================================================================
MSA-12-0032: Cross-site scripting vulnerability in Web services

Topic:             XSS in /admin/webservice/service.php
Severity/Risk:     Serious
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+
Reported by:       Dan Poltawski
Workaround:        Avoid Web services
Issue no.:         MDL-31694
CVE Identifier:    CVE-2012-2361
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31694
Description:
The name parameter, sent to the Web service script service.php, was
not being filtered correctly.

=======================================================================
MSA-12-0033: Cross-site scripting vulnerability in Blog

Topic:             XSS bug in blog/index.php in IE
Severity/Risk:     Serious
Versions affected: 1.9 to 1.9.17+
Reported by:       Simon Coggins
Issue no.:         MDL-31745
CVE Identifier:    CVE-2012-2362
Changes (1.9):     http://git.moodle.org/gw?p=moodle.git;a=commit;h=038131c8b5614f18c14d964dc53b6960ae6c30d8
Description:
Parameters sent to the Blog module were not sufficiently filtered.
This allowed the potential for cross-site scripting in IE.

=======================================================================
MSA-12-0034: Potential SQL injection issue

Topic:             Stored SQL Injection in calendar
Severity/Risk:     Serious
Versions affected: 1.9 to 1.9.17+
Reported by:       Simon Coggins
Issue no.:         MDL-31746
CVE Identifier:    CVE-2012-2363
Changes (1.9):     http://git.moodle.org/gw?p=moodle.git&a=search&h=refs%2Fheads%2FMOODLE_19_STABLE&st=commit&s=MDL-31746
Description:
It was possible to include unfiltered information when adding a
calendar event that was stored in the database.

=======================================================================
MSA-12-0035: Cross-site scripting vulnerability in "download all"

Topic:             Content-Type is TEXT/HTML for zip Download instead
                  of application/x-zip-compressed or forced download
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+
Reported by:       Asaf Ohaion
Workaround:        Avoid "download all" feature in Assignment
Issue no.:         MDL-31558
CVE Identifier:    CVE-2012-2364
Changes (master):  http://git.moodle.org/gw?p=moodle.git;a=commit;h=ce4126c7a9e07dd0514f7ac297b5e60cad0b8d20
Description:
An incorrect mimetype was being reported for zipped assignment
submissions, causing some browsers to render the response. The fix
for this issue also prevents incorrect use of file sending functions
by third-party modules.

=======================================================================
MSA-12-0036: Cross-site scripting vulnerability in category identifier

Topic:             XSS in /cohort/edit.php (POST parameter: idnumber)
Severity/Risk:     Serious
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+
Reported by:       Dan Poltawski
Issue no.:         MDL-31691
CVE Identifier:    CVE-2012-2365
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31691
Description:
The idnumber field, an arbitrary unique identifier for a category,
was able to be entered without being filtered.

=======================================================================
MSA-12-0037: Write access issue in Database activity module

Topic:             It's possible for any user to overwrite site wide
                  database presets
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+
Reported by:       Dan Poltawski
Issue no.:         MDL-31763
CVE Identifier:    CVE-2012-2366
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-31763
Description:
Users were able to overwrite site-wide Database activity presets
created by other users.

=======================================================================
MSA-12-0038: Calendar event write permission issue

Topic:             Calendar New Entry still shows and works for roles
                  preventing calendar entry
Severity/Risk:     Minor
Versions affected: 2.2 to 2.2.2+, 2.1 to 2.1.5+, 2.0 to 2.0.8+, 1.9 to
                  1.9.17+
Reported by:       Martin Huntley
Issue no.:         MDL-18335
CVE Identifier:    CVE-2012-2367
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-18335
Description:
Users without appropriate permissions were able to access the new
calendar entry page and create a calendar entry.
Comment 1 Michael Harrison 2012-05-23 07:05:33 UTC
Spoke to blueness via IRC and versions below 2.2.3 will be removed from the tree tomorrow. Bug for tracking purposes only.
Comment 2 Anthony Basile gentoo-dev 2012-05-23 12:00:07 UTC
(In reply to comment #1)
> Spoke to blueness via IRC and versions below 2.2.3 will be removed from the
> tree tomorrow. Bug for tracking purposes only.

Not exactly all versions below 2.2.3.  The following are not vulnerable: 1.9.18, 2.0.9, 2.1.6, 2.2.3, i.e. the latest in each supported branch.

Anyhow, the vulnerable ones will be off the tree in a minute.

@security, I have never proceeded to stabilize any moodle ebuild, so no glsa needed, I believe.
Comment 3 Agostino Sarubbo gentoo-dev 2012-05-23 12:26:49 UTC
(In reply to comment #2)
> @security, I have never proceeded to stabilize any moodle ebuild, so no glsa
> needed, I believe.

Exactly. Fixed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2012-07-21 14:50:41 UTC
CVE-2012-2367 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2367):
  Moodle 1.9.x before 1.9.18, 2.0.x before 2.0.9, 2.1.x before 2.1.6, and
  2.2.x before 2.2.3 allows remote authenticated users to bypass the
  moodle/calendar:manageownentries capability requirement and add a calendar
  entry via a New Entry action.

CVE-2012-2366 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2366):
  mod/data/preset.php in Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 does
  not properly iterate through an array, which allows remote authenticated
  users to overwrite arbitrary database activity presets via unspecified
  vectors.

CVE-2012-2365 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2365):
  Cross-site scripting (XSS) vulnerability in Moodle 2.0.x before 2.0.9, 2.1.x
  before 2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to
  inject arbitrary web script or HTML via the idnumber field to
  cohort/edit.php.

CVE-2012-2364 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2364):
  Cross-site scripting (XSS) vulnerability in lib/filelib.php in Moodle 2.0.x
  before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote
  authenticated users to inject arbitrary web script or HTML via an assignment
  submission with zip compression, leading to text/html rendering during a
  "download all" action.

CVE-2012-2363 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2363):
  SQL injection vulnerability in calendar/event.php in the calendar
  implementation in Moodle 1.9.x before 1.9.18 allows remote authenticated
  users to execute arbitrary SQL commands via a crafted calendar event.

CVE-2012-2362 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2362):
  Cross-site scripting (XSS) vulnerability in blog/lib.php in the blog
  implementation in Moodle 1.9.x before 1.9.18, when Internet Explorer is
  used, allows remote attackers to inject arbitrary web script or HTML via a
  crafted parameter to blog/index.php.

CVE-2012-2361 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2361):
  Cross-site scripting (XSS) vulnerability in admin/webservice/forms.php in
  the web services implementation in Moodle 2.0.x before 2.0.9, 2.1.x before
  2.1.6, and 2.2.x before 2.2.3 allows remote authenticated users to inject
  arbitrary web script or HTML via the name field (aka the service name) to
  admin/webservice/service.php.

CVE-2012-2360 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2360):
  Cross-site scripting (XSS) vulnerability in the Wiki subsystem in Moodle
  2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows remote
  authenticated users to inject arbitrary web script or HTML via a crafted
  string that is inserted into a page title.

CVE-2012-2359 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2359):
  admin/roles/override.php in Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6,
  and 2.2.x before 2.2.3 allows remote authenticated users to gain privileges
  by leveraging the teacher role and modifying their own capabilities, as
  demonstrated by obtaining the backup:userinfo capability.

CVE-2012-2358 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2358):
  Moodle 2.0.x before 2.0.9, 2.1.x before 2.1.6, and 2.2.x before 2.2.3 allows
  remote authenticated users to bypass an activity's read-only state and
  modify the database by leveraging the student role and editing database
  activity entries that already exist.

CVE-2012-2357 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2357):
  The Multi-Authentication feature in the Central Authentication Service (CAS)
  functionality in auth/cas/cas_form.html in Moodle 2.1.x before 2.1.6 and
  2.2.x before 2.2.3 does not use HTTPS, which allows remote attackers to
  obtain credentials by sniffing the network.

CVE-2012-2356 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2356):
  The question-bank functionality in Moodle 2.1.x before 2.1.6 and 2.2.x
  before 2.2.3 allows remote authenticated users to bypass intended capability
  requirements and save questions via a save_question action.

CVE-2012-2355 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2355):
  Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 allows remote authenticated
  users to bypass question:use* capability requirements and add arbitrary
  questions to a quiz via the questions feature.

CVE-2012-2354 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2354):
  Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 allows remote authenticated
  users to bypass the moodle/site:readallmessages capability requirement and
  read arbitrary messages by using the "Recent conversations" feature with a
  modified parameter in a URL.

CVE-2012-2353 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2353):
  Moodle 2.1.x before 2.1.6 and 2.2.x before 2.2.3 allows remote authenticated
  users to obtain sensitive user information from hidden fields by leveraging
  the teacher role and navigating to "Enrolled users" under the Users Settings
  section.
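
Comment 2 notes that the fixed release differs per branch, and comment 4 gives the branches each CVE applies to, so a single "older than 2.2.3" comparison misclassifies installs such as 1.9.18. The Python below is an added example, not part of the bug report or of any Gentoo or Moodle tooling; the function names and the acceptance of a trailing "+" or Gentoo "-rN" suffix are assumptions.

```python
import re

# Fixed release per branch, from comment 2 (1.9.18, 2.0.9, 2.1.6, 2.2.3).
FIXED_PATCH = {"1.9": 18, "2.0": 9, "2.1": 6, "2.2": 3}

# Branches each CVE applies to, transcribed from the descriptions in comment 4.
_ONLY_19 = {"1.9"}
_FROM_20 = {"2.0", "2.1", "2.2"}
_FROM_21 = {"2.1", "2.2"}
CVE_BRANCHES = {
    "CVE-2012-2353": _FROM_21, "CVE-2012-2354": _FROM_21,
    "CVE-2012-2355": _FROM_21, "CVE-2012-2356": _FROM_21,
    "CVE-2012-2357": _FROM_21, "CVE-2012-2358": _FROM_20,
    "CVE-2012-2359": _FROM_20, "CVE-2012-2360": _FROM_20,
    "CVE-2012-2361": _FROM_20, "CVE-2012-2362": _ONLY_19,
    "CVE-2012-2363": _ONLY_19, "CVE-2012-2364": _FROM_20,
    "CVE-2012-2365": _FROM_20, "CVE-2012-2366": _FROM_21,
    "CVE-2012-2367": _FROM_20 | _ONLY_19,
}


def parse_version(version):
    """Split '2.2.2+', '1.9.17' or '2.1.5-r1' into (branch, patch level)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?\+?(?:-r\d+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    # A bare '2.1' is treated as patch level 0 of that branch.
    return f"{m.group(1)}.{m.group(2)}", int(m.group(3) or 0)


def affected_cves(version):
    """Return the CVEs from this bug that apply to the given Moodle version."""
    branch, patch = parse_version(version)
    if branch not in FIXED_PATCH:
        raise ValueError(f"branch {branch} is not covered by this bug")
    if patch >= FIXED_PATCH[branch]:
        return []  # at or past the fixed release for its own branch
    return sorted(c for c, b in CVE_BRANCHES.items() if branch in b)


if __name__ == "__main__":
    # Constructed sample inventory, not taken from the bug report.
    for v in ("1.9.17+", "1.9.18", "2.0.8", "2.1.5-r1", "2.2.2+", "2.2.3"):
        hits = affected_cves(v)
        print(f"moodle-{v}: {len(hits)} CVE(s) {' '.join(hits)}")
```
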