From ${URL} : Description Some vulnerabilities have been reported in Moodle where some have an unknown impact and another can be exploited by malicious users to conduct script insertion attacks. 1) Input passed via the "link" XML entity when processing external blogs is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed. This vulnerability is confirmed in versions 2.3.8, 2.4.5, and 2.5.1. Prior versions may also be affected. 2) Some unspecified errors exist. No further information is currently available. This vulnerability is reported in versions prior to 2.3.9, 2.4.6, and 2.5.2. Solution: Update to version 2.3.9, 2.4.6, or 2.5.2. Provided and/or discovered by: 1) Ciaran McNally 2) Reported by the vendor. Original Advisory: Moodle: http://docs.moodle.org/dev/Moodle_2.5.2_release_notes http://docs.moodle.org/dev/Moodle_2.4.6_release_notes http://docs.moodle.org/dev/Moodle_2.3.9_release_notes Ciaran McNally: http://makthepla.net/blog/=/moodle-2-account-takeover @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
The newer versions are on the tree and the older vulnerable versions have been removed.
Excellent, thank you. Closing noglsa.
CVE-2013-5674 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5674): badges/external.php in Moodle 2.5.x before 2.5.2 does not properly handle an object obtained by unserializing a description of an external badge, which allows remote attackers to conduct PHP object injection attacks via unspecified vectors, as demonstrated by overwriting the value of the userid parameter. CVE-2013-4341 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4341): Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 allow remote attackers to inject arbitrary web script or HTML via a crafted blog link within an RSS feed. CVE-2013-4313 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4313): Moodle through 2.2.11, 2.3.x before 2.3.9, 2.4.x before 2.4.6, and 2.5.x before 2.5.2 does not prevent use of '\0' characters in query strings, which might allow remote attackers to conduct SQL injection attacks against Microsoft SQL Server via a crafted string.
CVE-2013-3630 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3630): Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a spell-check operation within the TinyMCE editor.
