Summary: | <www-apps/moodle-{1.9.14,2.0.5,2.1.2} Multiple Vulnerabilities (CVE-2011-{4298,4299,4300,4301,4302,4303,4304,4305,4306,4307,4308,4309} | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | CC: | blueness, web-apps |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | ~3 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2011-10-19 15:06:18 UTC
Thanks for the reminder Ago. I always wait a bit before cleaning up the older versions, but you're right, its time. CVE-2011-4309 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4309): Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allows remote attackers to bypass intended access restrictions and perform global searches by leveraging the guest role and making a direct request to a URL. CVE-2011-4308 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4308): mod/forum/user.php in Moodle 1.9.x before 1.9.14, 2.0.x before 2.0.5, and 2.1.x before 2.1.2 allows remote authenticated users to discover the names of other users via unspecified vectors. CVE-2011-4307 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4307): Cross-site scripting (XSS) vulnerability in mod/wiki/lang/en/wiki.php in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allows remote attackers to inject arbitrary web script or HTML via the section parameter. CVE-2011-4306 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4306): Cross-site scripting (XSS) vulnerability in course/editsection.html in Moodle 1.9.x before 1.9.14 allows remote authenticated users to inject arbitrary web script or HTML via crafted data. CVE-2011-4305 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4305): message/refresh.php in Moodle 1.9.x before 1.9.14 allows remote authenticated users to cause a denial of service (infinite request loop) via a URL that specifies a zero wait time for message refreshing. CVE-2011-4304 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4304): The chat functionality in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allows remote authenticated users to discover the name of any user via a beep operation. CVE-2011-4303 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4303): lib/db/upgrade.php in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 does not set the correct registration_hubs.secret value during installation, which allows remote attackers to bypass intended access restrictions by leveraging the hubs feature. CVE-2011-4302 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4302): mnet/xmlrpc/client.php in MNET in Moodle 1.9.x before 1.9.14, 2.0.x before 2.0.5, and 2.1.x before 2.1.2 does not properly process the return value of the openssl_verify function, which allows remote attackers to bypass validation via a crafted certificate. CVE-2011-4301 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4301): The MoodleQuickForm class in the Forms Library in lib/formslib.php in Moodle 1.9.x before 1.9.14, 2.0.x before 2.0.5, and 2.1.x before 2.1.2 does not recognize Forms API setConstant operations, which allows remote attackers to submit unexpected form content by modifying the values of constant fields. CVE-2011-4300 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4300): The file_browser component in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 does not properly restrict access to category and course data, which allows remote attackers to obtain potentially sensitive information via a request for a file. CVE-2011-4299 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4299): Cross-site scripting (XSS) vulnerability in mod/wiki/pagelib.php in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allows remote authenticated users to inject arbitrary web script or HTML via a wiki comment. CVE-2011-4298 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4298): Multiple cross-site request forgery (CSRF) vulnerabilities in mod/wiki/ components in Moodle 2.0.x before 2.0.5 and 2.1.x before 2.1.2 allow remote attackers to hijack the authentication of arbitrary users for requests that modify wiki data. |