From ${URL} :

Description

Two weaknesses and multiple vulnerabilities have been reported in Moodle, which can be exploited by malicious users to disclose potentially sensitive information, manipulate certain data, and conduct script insertion attacks and by malicious people to disclose potentially sensitive and system information.

1) The application does not properly restrict access to user profiles in user/view.php, which can be exploited to disclose certain profile information.

Successful exploitation of this vulnerability requires the "autologinguests" and "opentogoogle" settings to be enabled (disabled by default).

2) The application displays the full installation path within exception messages.

3) Input passed via the file name when uploading files to File Picker is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.

4) An error related to Zend XmlRpc can be exploited to e.g. disclose contents of certain local files by sending specially crafted XML data including external entity references.

This is related to vulnerability #1 in: SA49665

5) The application does not properly restrict access to certain repositories when using the "login-as" functionality, which can be exploited to disclose the content of personal repositories of the impersonated user.

Successful exploitation of this vulnerability requires "admin" privileges.

6) The application does not properly restrict access to site-wide WebDav repositories, which can be exploited to e.g. view, edit, and delete an otherwise restricted site-wide WebDav repository.

Successful exploitation of this vulnerability requires permissions to view WebDav repositories.

The weaknesses and the vulnerabilities are reported in versions 2.4 through 2.4.1, 2.3 through 2.3.4, and 2.2 through 2.2.7.

Solution

Update to version 2.4.2, 2.4.3, 2.3.5, 2.3.6, 2.2.8, or 2.2.9.

Further details available to Secunia VIM customers

Provided and/or discovered by

The vendor credits:
1) Helen Foster
2) Mark Nielsen
3, 4, and 6) Frédéric Massart
5) Andrew Nicols

Original Advisory

Moodle (MSA-13-0012, MSA-13-0013, MSA-13-0015, MSA-13-0016, MSA-13-0018, MSA-13-0019):
https://moodle.org/mod/forum/discuss.php?d=225341
https://moodle.org/mod/forum/discuss.php?d=225342
https://moodle.org/mod/forum/discuss.php?d=225344
https://moodle.org/mod/forum/discuss.php?d=225345
https://moodle.org/mod/forum/discuss.php?d=225347
https://moodle.org/mod/forum/discuss.php?d=225348
Fixes have been in the tree since March 18. Closing noglsa for ~arch only.
CVE-2013-1836 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1836):
  Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not properly manage privileges for WebDAV repositories, which allows remote authenticated users to read, modify, or delete arbitrary site-wide repositories by leveraging certain read access.

CVE-2013-1835 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1835):
  Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote authenticated administrators to obtain sensitive information from the external repositories of arbitrary users by leveraging the login_as feature.

CVE-2013-1834 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1834):
  notes/edit.php in Moodle 1.9.x through 1.9.19, 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote authenticated users to reassign notes via a modified (1) userid or (2) courseid field.

CVE-2013-1833 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1833):
  Multiple cross-site scripting (XSS) vulnerabilities in the File Picker module in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allow remote authenticated users to inject arbitrary web script or HTML via a crafted filename.

CVE-2013-1832 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1832):
  repository/webdav/lib.php in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 includes the WebDAV password in the configuration form, which allows remote authenticated administrators to obtain sensitive information by configuring an instance.

CVE-2013-1831 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1831):
  lib/setuplib.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote attackers to obtain sensitive information via an invalid request, which reveals the absolute path in an exception message.

CVE-2013-1830 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1830):
  user/view.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not enforce the forceloginforprofiles setting, which allows remote attackers to obtain sensitive course-profile information by leveraging the guest role, as demonstrated by a Google search.

CVE-2013-1829 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1829):
  calendar/managesubscriptions.php in Moodle 2.4.x before 2.4.2 does not consider capability requirements before displaying calendar subscriptions, which allows remote authenticated users to obtain potentially sensitive information by leveraging the student role.

CVE-2012-3363 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3363):
  Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.