Advisories ยป MGASA-2014-0160

Updated moodle packages fix multiple security vulnerabilities

Publication date: 03 Apr 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2013-7341 , CVE-2014-0122 , CVE-2014-0123 , CVE-2014-0124 , CVE-2014-0125 , CVE-2014-0126 , CVE-2014-0127 , CVE-2014-2571


Updated moodle package fixes security vulnerabilities:

In Moodle before 2.4.9, question strings were not being filtered correctly
possibly allowing cross site scripting, as quiz_question_tostring can cause
invalid HTML (CVE-2014-2571).

Feedback Availability dates not honored in complete.php in Moodle before
2.4.9, therefore it was possible to start a Feedback activity while it was
supposed to be closed (CVE-2014-0127).

Broken access control vulnerability in Moodle before 2.4.9 with
/mod/chat/chat_ajax.php, where capabilities to chat were being checked at the
start of a chat, but not during, so changes were not effective immediately

In Moodle before 2.4.9, there were missing access checks on Wiki pages
allowing students to see pages of other students' individual wikis, through
the Recent activity block (CVE-2014-0123).

In Moodle before 2.4.9, cross site scripting was possible with Flowplayer

In Moodle before 2.4.9, Forum and Quiz were showing users' email addresses
when settings were supposed to be preventing this (CVE-2014-0124).

In Moodle before 2.4.9, alias links to items in an Alfresco repository were
provided with information that would allow someone to impersonate the file
owner in Alfresco (CVE-2014-0125).

Cross Site Request Forgery in Moodle before 2.4.9 in
enrol/imsenterprise/importnow.php, due to inadequate session checking when
triggering the import of IMS Enterprise identities (CVE-2014-0126).