Advisories ยป MGASA-2014-0230

Updated moodle packages fix multiple vulnerabilities

Publication date: 19 May 2014
Modification date: 19 May 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-0213 , CVE-2014-0214 , CVE-2014-0215 , CVE-2014-0216 , CVE-2014-0218

Description

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.6.3, Session checking was not being performed correctly
in Assignment's quick-grading, allowing forged requests to be made
unknowingly by authenticated users (CVE-2014-0213).

In Moodle before 2.6.3, MoodleMobile web service tokens, created
automatically in login/token.php, were not expiring and were valid forever
(CVE-2014-0214).

In Moodle before 2.6.3, Some student details, including identities, were
included in assignment marking pages and would have been revealed to
screen readers or through code inspection (CVE-2014-0215).

In Moodle before 2.6.3, Access to files linked on HTML blocks on the My
home page was not being checked in the correct context, allowing access to
unauthenticated users (CVE-2014-0216).

In Moodle before 2.6.3, There was a lack of filtering in the URL
downloader repository that could have been exploited for XSS
(CVE-2014-0218).

The 2.4 branch of Moodle will no longer be supported as of approximately
June 2014, so the Moodle package has been upgraded to version 2.6.3 to fix
these issues.
                

References

SRPMS

3/core

4/core