Bug 501192

Summary:	<www-apps/moodle-{2.3.11,2.4.8,2.5.4,2.6.1}: Multiple vulnerabilities (CVE-2014-{0008,0009,0010})
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	trivial	CC:	blueness, web-apps
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	~4 [noglsa]
Package list:		Runtime testing required:	---

Description GLSAMaker/CVETool Bot gentoo-dev

2014-02-13 14:54:38 UTC

CVE-2014-0010 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0010):
  Multiple cross-site request forgery (CSRF) vulnerabilities in
  user/profile/index.php in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4.x
  before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 allow remote
  attackers to hijack the authentication of administrators for requests that
  delete (1) categories or (2) fields.

CVE-2014-0009 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0009):
  course/loginas.php in Moodle through 2.2.11, 2.3.x before 2.3.11, 2.4.x
  before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 does not enforce
  the moodle/site:accessallgroups capability requirement for outside-group
  users in a SEPARATEGROUPS configuration, which allows remote authenticated
  users to perform "login as" actions via a direct request.

CVE-2014-0008 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0008):
  lib/adminlib.php in Moodle through 2.3.11, 2.4.x before 2.4.8, 2.5.x before
  2.5.4, and 2.6.x before 2.6.1 logs cleartext passwords, which allows remote
  authenticated administrators to obtain sensitive information by reading the
  Config Changes Report.


Needs affected versions cleaned up.

Comment 1 Anthony Basile gentoo-dev

2014-02-13 14:57:08 UTC

(In reply to GLSAMaker/CVETool Bot from comment #0)

> Needs affected versions cleaned up.

Done

Comment 2 Chris Reffett (RETIRED) gentoo-dev

2014-02-13 15:05:35 UTC

Thank you much, closing noglsa.