| Summary: | <www-apps/moodle-{2.1.9,2.2.6,2.3.3}: Multiple Unspecified Vulnerabilities (CVE-2012-{5471,5472,5473,5479,5480,5481}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | blueness, web-apps |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | ~? [noglsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Agostino Sarubbo
2012-11-14 14:40:09 UTC
> Solution
> Update to version 2.3.3, 2.2.6, or 2.1.9.
These were added to the tree on Nov 10, 2012. I just removed the vulnerable versions.
Thanks, Anthony. Closing noglsa for ~arch only.

CVE-2012-5481 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5481): Moodle 2.3.x before 2.3.3 allows remote authenticated users to bypass the moodle/role:manage capability requirement and read all capability data by visiting the Check Permissions page.

CVE-2012-5480 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5480): The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote attackers to bypass intended restrictions on reading other participants' entries via an advanced search.

CVE-2012-5479 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5479): The Portfolio plugin in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to upload and execute files via a modified Portfolio API callback.

CVE-2012-5473 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5473): The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to read activity entries of a different group's users via an advanced search.

CVE-2012-5472 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5472): lib/formslib.php in Moodle 2.2.x before 2.2.6 and 2.3.x before 2.3.3 allows remote authenticated users to bypass intended access restrictions via a modified value of a frozen form field.

CVE-2012-5471 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5471): The Dropbox Repository File Picker in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to access the Dropbox of a different user by leveraging an unattended workstation after a logout.