Advisories » MGASA-2014-0053

Updated moodle package fixes security vulnerabilities

Publication date: 11 Feb 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-0008, CVE-2014-0009, CVE-2014-0010


Updated moodle package fixes security vulnerabilities:

In Moodle before 2.4.8, some password changes on admin pages were being
recorded and shown to administrators in the config log report.

In Moodle before 2.4.8, users were able to log in as a user who is
not in the same group without the permission to see all groups.

In Moodle 2.4.8, custom profile fields and categories were open to
deletion without proper session checking, due to two Cross-site Request
Forgery (CSRF) vulnerabilities in /user/profile/index.php (CVE-2014-0010).