From ${URL} : Moodle upstream has released versions 2.5.1, 2.4.5, 2.3.8, and 2.2.11 to fix the following security flaws: MSA-13-0025: XSS vulnerability in YUI library MSA-13-0026: Personal information leak in IMS-LTI CVE-2013-2242 MSA-13-0027: Access issue in Chat module CVE-2013-2243 MSA-13-0028: Answer information revealed in Lesson activity CVE-2013-2244 MSA-13-0029: XSS risk in conditional activities CVE-2013-2245 MSA-13-0030: Information leak through RSS CVE-2013-2246 MSA-13-0031: Personal information leak in Feedback activity Upstream release announcements (which include links to the advisories which also link to patches): http://docs.moodle.org/dev/Moodle_2.5.1_release_notes http://docs.moodle.org/dev/Moodle_2.4.5_release_notes http://docs.moodle.org/dev/Moodle_2.3.8_release_notes http://docs.moodle.org/dev/Moodle_2.2.11_release_notes @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Fixed versions are already in the tree, ~ so no need for stable/GLSA, just need to clean up and we'll be done here.
The vulnerable versions are off the tree.
Guess we're done here, then.
CVE-2013-2246 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2246): mod/feedback/lib.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not consider the mod/feedback:view capability before displaying recent feedback, which allows remote authenticated users to obtain sensitive information via a request for all course feedback that has occurred since a specified time. CVE-2013-2245 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2245): rss/file.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not properly implement the use of RSS tokens for impersonation, which allows remote authenticated users to obtain sensitive block information by reading an RSS feed. CVE-2013-2244 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2244): Multiple cross-site scripting (XSS) vulnerabilities in lib/conditionlib.php in Moodle 2.4.x before 2.4.5 and 2.5.x before 2.5.1 allow remote attackers to inject arbitrary web script or HTML via the conditional access rule value of a user field. CVE-2013-2243 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2243): mod/lesson/pagetypes/matching.php in Moodle through 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 allows remote authenticated users to obtain sensitive answer information by reading the HTML source code of a document. CVE-2013-2242 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2242): mod/chat/gui_sockets/index.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not consider the mod/chat:chat capability before authorizing daemon-mode chat, which allows remote authenticated users to bypass intended access restrictions via an HTTP session to a chat server.
CVE-2013-4941 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4941): Cross-site scripting (XSS) vulnerability in uploader.swf in the Uploader component in Yahoo! YUI 3.2.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. CVE-2013-4940 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4940): Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility component in Yahoo! YUI 3.10.2, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. NOTE: this vulnerability exists because of a CVE-2013-4939 regression. CVE-2013-4939 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4939): Cross-site scripting (XSS) vulnerability in io.swf in the IO Utility component in Yahoo! YUI 3.0.0 through 3.9.1, as used in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1, and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted string in a URL. CVE-2013-4938 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4938): The LTI (aka IMS-LTI) mod_form implementation in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not properly support the sendname, sendemailaddr, and acceptgrades settings, which allows remote attackers to obtain sensitive information in opportunistic circumstances by leveraging an environment in which there was an ineffective attempt to enable the more secure values.