Updated moodle package fixes multiple security vulnerabilities
Publication date: 19 Sep 2013
Modification date: 19 Sep 2013
Type: security
Affected Mageia releases: 3
CVE: CVE-2013-4313, CVE-2013-4341
Description
Updated moodle package fixes security vulnerabilities: Null characters were allowed in query strings in Moodle before 2.4.6, which caused SQL statements to terminate and fail, potentially allowing SQL injection in Moodle's SQL Server driver (CVE-2013-4313). Links to external blogs were not being adequately cleaned in Moodle before 2.4.6, potentially allowing for XSS attacks (CVE-2013-4341).
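The two issues above are both input-validation failures: a NUL character reaching a driver built on NUL-terminated strings silently truncates the statement, and an unchecked link target can carry a non-http scheme into a rendered page. The following is an added illustration written for this advisory, not Moodle's own code or its actual fix; the function names, the simplified model of NUL truncation and the sample inputs are all constructed for the example. It shows the truncation effect and the two corresponding defensive checks: refusing query parameters that contain NUL and accepting only http(s) URLs for user-supplied external links.

```python
import html
from urllib.parse import parse_qsl, urlsplit

# Schemes an external-blog link is allowed to use (assumption for this example)
ALLOWED_LINK_SCHEMES = ("http", "https")


def c_string_view(text):
    """Model how a consumer built on NUL-terminated buffers sees a string:
    everything after the first NUL is silently dropped. This only illustrates
    the failure mode described in the advisory; it is not driver code."""
    return text.split("\x00", 1)[0]


def parse_query_rejecting_nul(query_string):
    """Decode a query string and refuse any parameter name or value that
    contains a NUL character instead of passing it on to the SQL layer.
    Returns a dict of parameters on success; raises ValueError otherwise."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    for name, value in pairs:
        if "\x00" in name or "\x00" in value:
            raise ValueError(f"NUL character in query parameter {name!r}")
    return dict(pairs)


def clean_external_link(url):
    """Accept only http(s) URLs for user-supplied external links and return
    them HTML-escaped for safe insertion into an attribute; return None
    for anything else (unknown or missing scheme)."""
    # Drop ASCII control characters (some URL parsers ignore them, which lets a
    # disguised scheme slip past naive prefix checks) and surrounding blanks.
    stripped = "".join(ch for ch in url if ord(ch) > 0x1F and ord(ch) != 0x7F).strip()
    scheme = urlsplit(stripped).scheme.lower()
    if scheme not in ALLOWED_LINK_SCHEMES:
        return None
    return html.escape(stripped, quote=True)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from Moodle
    print(c_string_view("SELECT id FROM course WHERE id = 12\x00 AND visible = 1"))
    print(parse_query_rejecting_nul("course=12&sort=name"))
    try:
        parse_query_rejecting_nul("course=12%00&sort=name")
    except ValueError as exc:
        print("rejected:", exc)
    print(clean_external_link("https://example.org/blog?a=1&b=2"))
    print(clean_external_link("javascript:alert(1)"))
```

The rejection check runs after percent-decoding, since `%00` only becomes a NUL at that point; checking the raw query string would miss it. The link cleaner allow-lists schemes rather than block-listing known bad ones, so a scheme it has never heard of is rejected by default.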
References
- https://moodle.org/mod/forum/discuss.php?d=238396
- https://moodle.org/mod/forum/discuss.php?d=238399
- http://docs.moodle.org/dev/Moodle_2.4.6_release_notes
- https://moodle.org/mod/forum/discuss.php?d=237413
- https://bugs.mageia.org/show_bug.cgi?id=11212
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4313
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4341
SRPMS
3/core
- moodle-2.4.6-1.mga3