Advisories ยป MGASA-2014-0053

Updated moodle package fixes security vulnerabilities

Publication date: 11 Feb 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-0008 , CVE-2014-0009 , CVE-2014-0010

Description

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.4.8, some password changes on admin pages were being
recorded and shown to administrators in the config log report
(CVE-2014-0008).

In Moodle before 2.4.8, users were able to log in as a user who in a is
not in the same group without the permission to see all groups
(CVE-2014-0009).

In Moodle 2.4.8, custom profile fields and categories were open to
deletion without proper session checking, due to two Cross-site Request
Forgery(CSRF) vulnerabilities in /user/profile/index.php (CVE-2014-0010).
                

References

SRPMS

4/core

3/core