From ${URL} : Description Multiple security issues and some vulnerabilities have been reported in Moodle, where some have an unknown impact and others can be exploited by malicious users to bypass certain security restrictions and by malicious people to disclose potentially sensitive information. 1) The application does not properly verify access permissions when downloading a ZIP file with assignments submitted by students. This can be exploited to download otherwise inaccessible assignments. This security issue is reported in versions 2.4 through 2.4.3 and 2.3 through 2.3.6. 2) An error in the application when registering a site on a hub can be exploited to disclose submitted site information. 3) The application does not properly verify access permissions when viewing comments on blog posts. This can be exploited to e.g. disclose otherwise inaccessible comments contents. 4) Certain unspecified input passed via array parameters is not properly sanitised before being used. No further information is currently available. The vulnerabilities #2 through #4 are reported in versions 2.4 through 2.4.3, 2.3 through 2.3.6, and 2.2 through 2.2.9. Solution Update to version 2.4.4, 2.3.7, or 2.2.10. Provided and/or discovered by The vendor credits: 1) Phillip Franks. 2) Jerome Mouneyrac. 3, 4) Dan Poltawski. Original Advisory Moodle (MSA-13-0020, MSA-13-0022, MSA-13-0023, MSA-13-0024): https://moodle.org/mod/forum/discuss.php?d=228930 https://moodle.org/mod/forum/discuss.php?d=228933 https://moodle.org/mod/forum/discuss.php?d=228934 https://moodle.org/mod/forum/discuss.php?d=228935 @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Relevant versions are in tree, waiting for cleanup of vulnerable versions.
CVE-2013-2083 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2083): The MoodleQuickForm class in lib/formslib.php in Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not properly handle a certain array-element syntax, which allows remote attackers to bypass intended form-data filtering via a crafted request. CVE-2013-2082 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2082): Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not enforce capability requirements for reading blog comments, which allows remote attackers to obtain sensitive information via a crafted request. CVE-2013-2081 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2081): Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not consider "don't send" attributes during hub registration, which allows remote hubs to obtain sensitive site information by reading form data. CVE-2013-2080 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2080): The core_grade component in Moodle through 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not properly consider the existence of hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role and reading the Gradebook Overview report. CVE-2013-2079 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2079): mod/assign/locallib.php in the assignment module in Moodle 2.3.x before 2.3.7 and 2.4.x before 2.4.4 does not consider capability requirements during the processing of ZIP assignment-archive download (aka downloadall) requests, which allows remote authenticated users to read other users' assignments by leveraging the student role.
All things seems to be done, closing