Bug 443102 - <www-apps/moodle-{2.1.9,2.2.6,2.3.3}: Multiple Unspecified Vulnerabilities (CVE-2012-{5471,5472,5473,5479,5480,5481})
Summary: <www-apps/moodle-{2.1.9,2.2.6,2.3.3}: Multiple Unspecified Vulnerabilities (C...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~? [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-11-14 14:40 UTC by Agostino Sarubbo
Modified: 2012-11-21 22:27 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2012-11-14 14:40:09 UTC
From https://secunia.com/advisories/51243/ :

Description
Multiple vulnerabilities with unknown impacts have been reported in Moodle.

The vulnerabilities are caused due to unspecified errors. No further information is currently available.

The vulnerabilities are reported in versions prior to 2.3.3, 2.2.6, and 2.1.9.


Solution
Update to version 2.3.3, 2.2.6, or 2.1.9.
Comment 1 Anthony Basile gentoo-dev 2012-11-15 01:28:08 UTC
> Solution
> Update to version 2.3.3, 2.2.6, or 2.1.9.

These were added to the tree on Nov 10, 2012. I just removed the vulnerable versions.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-15 12:16:06 UTC
Thanks, Anthony.

Closing noglsa for ~arch only.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-11-21 22:27:44 UTC
CVE-2012-5481 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5481):
  Moodle 2.3.x before 2.3.3 allows remote authenticated users to bypass the
  moodle/role:manage capability requirement and read all capability data by
  visiting the Check Permissions page.

CVE-2012-5480 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5480):
  The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before
  2.2.6, and 2.3.x before 2.3.3 allows remote attackers to bypass intended
  restrictions on reading other participants' entries via an advanced search.

CVE-2012-5479 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5479):
  The Portfolio plugin in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and
  2.3.x before 2.3.3 allows remote authenticated users to upload and execute
  files via a modified Portfolio API callback.

CVE-2012-5473 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5473):
  The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before
  2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to read
  activity entries of a different group's users via an advanced search.

CVE-2012-5472 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5472):
  lib/formslib.php in Moodle 2.2.x before 2.2.6 and 2.3.x before 2.3.3 allows
  remote authenticated users to bypass intended access restrictions via a
  modified value of a frozen form field.

CVE-2012-5471 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5471):
  The Dropbox Repository File Picker in Moodle 2.1.x before 2.1.9, 2.2.x
  before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to
  access the Dropbox of a different user by leveraging an unattended
  workstation after a logout.