Bug 443102

Summary: <www-apps/moodle-{2.1.9,2.2.6,2.3.3}: Multiple Unspecified Vulnerabilities (CVE-2012-{5471,5472,5473,5479,5480,5481})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: blueness, web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~? [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-11-14 14:40:09 UTC
From https://secunia.com/advisories/51243/ :

Description
Multiple vulnerabilities with unknown impacts have been reported in Moodle.

The vulnerabilities are caused due to unspecified errors. No further information is currently available.

The vulnerabilities are reported in versions prior to 2.3.3, 2.2.6, and 2.1.9.

Solution
Update to version 2.3.3, 2.2.6, or 2.1.9.
Comment 1 Anthony Basile gentoo-dev 2012-11-15 01:28:08 UTC
> Solution
> Update to version 2.3.3, 2.2.6, or 2.1.9.

These were added to the tree on Nov 10, 2012.  I just removed the vulnerable versions.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-15 12:16:06 UTC
Thanks, Anthony.

Closing noglsa for ~arch only.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-11-21 22:27:44 UTC
CVE-2012-5481 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5481):
  Moodle 2.3.x before 2.3.3 allows remote authenticated users to bypass the
  moodle/role:manage capability requirement and read all capability data by
  visiting the Check Permissions page.

CVE-2012-5480 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5480):
  The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before
  2.2.6, and 2.3.x before 2.3.3 allows remote attackers to bypass intended
  restrictions on reading other participants' entries via an advanced search.

CVE-2012-5479 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5479):
  The Portfolio plugin in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and
  2.3.x before 2.3.3 allows remote authenticated users to upload and execute
  files via a modified Portfolio API callback.

CVE-2012-5473 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5473):
  The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before
  2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to read
  activity entries of a different group's users via an advanced search.

CVE-2012-5472 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5472):
  lib/formslib.php in Moodle 2.2.x before 2.2.6 and 2.3.x before 2.3.3 allows
  remote authenticated users to bypass intended access restrictions via a
  modified value of a frozen form field.

CVE-2012-5471 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5471):
  The Dropbox Repository File Picker in Moodle 2.1.x before 2.1.9, 2.2.x
  before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to
  access the Dropbox of a different user by leveraging an unattended
  workstation after a logout.