Multiple vulnerabilies have been discovered in Moodle. From the upstream list at $URL: MSA-13-0001 CVE-2012-6112 Security issue in Google Spellchecker in TinyMCE MSA-13-0002 CVE-2012-6098 Capability issue with Outcome editing MSA-13-0003 CVE-2012-6099 Potential server file access through backup restoration MSA-13-0004 CVE-2012-6100 Information leak through activity report MSA-13-0005 CVE-2012-6101 Potential phishing attack through URL redirects MSA-13-0006 CVE-2012-6102 Potential information leak in Assignment module MSA-13-0007 CVE-2012-6103 Potential exploit in messaging MSA-13-0008 CVE-2012-6104 Information leak through Blog RSS MSA-13-0009 CVE-2012-6105 Information leak through Blog RSS MSA-13-0010 CVE-2012-6106 Failure to check capabilities in calendar
Maintainers, please drop vulnerable versions.
(In reply to comment #1) > Maintainers, please drop vulnerable versions. Done.
(In reply to comment #2) > (In reply to comment #1) > > Maintainers, please drop vulnerable versions. > > Done. Thanks, Anthony! Closing noglsa for ~arch only.
CVE-2012-6112 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6112): classes/GoogleSpell.php in the PHP Spellchecker (aka Google Spellchecker) addon before 2.0.6.1 for TinyMCE, as used in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 and other products, does not properly handle control characters, which allows remote attackers to trigger arbitrary outbound HTTP requests via a crafted string. CVE-2012-6106 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6106): calendar/managesubscriptions.php in the Manage Subscriptions implementation in Moodle 2.4.x before 2.4.1 omits a capability check, which allows remote authenticated users to remove course-level calendar subscriptions by leveraging the student role and sending an iCalendar object. CVE-2012-6105 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6105): blog/rsslib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 continues to provide a blog RSS feed after blogging is disabled, which allows remote attackers to obtain sensitive information by reading this feed. CVE-2012-6104 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6104): blog/rsslib.php in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 allows remote attackers to obtain sensitive information from site-level blogs by leveraging the guest role and reading an RSS feed. CVE-2012-6103 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6103): Multiple cross-site request forgery (CSRF) vulnerabilities in user/messageselect.php in the messaging system in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 allow remote attackers to hijack the authentication of arbitrary users for requests that send course messages. CVE-2012-6102 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6102): lib.php in the Submission comments plugin in the Assignment module in Moodle 2.3.x before 2.3.4 and 2.4.x before 2.4.1 allows remote attackers to read or modify the submission comments (aka feedback comments) of arbitrary users via a crafted URI. CVE-2012-6101 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6101): Multiple open redirect vulnerabilities in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors related to (1) backup/backupfilesedit.php, (2) comment/comment_post.php, (3) course/switchrole.php, (4) mod/wiki/filesedit.php, (5) tag/coursetags_add.php, or (6) user/files.php. CVE-2012-6100 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6100): report/outline/index.php in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly enforce the moodle/user:viewhiddendetails capability requirement, which allows remote authenticated users to discover a hidden lastaccess value by reading an activity report. CVE-2012-6099 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6099): The moodle1 backup converter in backup/converter/moodle1/lib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly validate pathnames, which allows remote authenticated users to read arbitrary files by leveraging the backup-restoration feature. CVE-2012-6098 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6098): grade/edit/outcome/edit_form.php in Moodle 1.9.x through 1.9.19, 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly enforce the moodle/grade:manage capability requirement, which allows remote authenticated users to convert custom outcomes into standard site-wide outcomes by leveraging the teacher role and using the re-editing feature.