Updated moodle packages fix multiple security vulnerabilities
Publication date: 03 Apr 2014
Modification date: 30 Apr 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2013-7341, CVE-2014-0122, CVE-2014-0123, CVE-2014-0124, CVE-2014-0125, CVE-2014-0126, CVE-2014-0127, CVE-2014-2571
Description
Updated moodle package fixes security vulnerabilities:
- In Moodle before 2.4.9, question strings were not filtered correctly, possibly allowing cross-site scripting, as quiz_question_tostring can produce invalid HTML (CVE-2014-2571).
- Feedback availability dates were not honored in complete.php in Moodle before 2.4.9, so it was possible to start a Feedback activity while it was supposed to be closed (CVE-2014-0127).
- Broken access control in /mod/chat/chat_ajax.php in Moodle before 2.4.9: capabilities to chat were checked at the start of a chat but not during it, so capability changes did not take effect immediately (CVE-2014-0122).
- In Moodle before 2.4.9, missing access checks on wiki pages allowed students to see pages of other students' individual wikis through the Recent activity block (CVE-2014-0123).
- In Moodle before 2.4.9, cross-site scripting was possible with Flowplayer (CVE-2013-7341).
- In Moodle before 2.4.9, Forum and Quiz showed users' email addresses when settings were supposed to prevent this (CVE-2014-0124).
- In Moodle before 2.4.9, alias links to items in an Alfresco repository were provided with information that would allow someone to impersonate the file owner in Alfresco (CVE-2014-0125).
- Cross-site request forgery in enrol/imsenterprise/importnow.php in Moodle before 2.4.9, due to inadequate session checking when triggering the import of IMS Enterprise identities (CVE-2014-0126).
References
- https://moodle.org/mod/forum/discuss.php?d=256416
- https://moodle.org/mod/forum/discuss.php?d=256417
- https://moodle.org/mod/forum/discuss.php?d=256418
- https://moodle.org/mod/forum/discuss.php?d=256419
- https://moodle.org/mod/forum/discuss.php?d=256420
- https://moodle.org/mod/forum/discuss.php?d=256421
- https://moodle.org/mod/forum/discuss.php?d=256422
- https://moodle.org/mod/forum/discuss.php?d=256423
- http://docs.moodle.org/dev/Moodle_2.4.9_release_notes
- https://moodle.org/mod/forum/discuss.php?d=255903
- https://bugs.mageia.org/show_bug.cgi?id=13005
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7341
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0122
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0123
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0124
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0125
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0126
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0127
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2571
SRPMS
4/core
- moodle-2.4.9-1.mga4
3/core
- moodle-2.4.9-1.mga3
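As an added check that is not part of this advisory or of Mageia's tooling, the following Python script compares the installed moodle package, as `rpm -q` reports it, against the fixed versions listed above. It assumes numeric dotted Moodle versions and Mageia's `N.mgaX` release tag; the sample NVRs in the comments are constructed.

```python
import re
import subprocess

# Fixed package versions, copied from the SRPMS section of this advisory.
FIXED = {"3": "moodle-2.4.9-1.mga3", "4": "moodle-2.4.9-1.mga4"}

# name-version-release.mgaN, e.g. "moodle-2.4.9-1.mga4" (constructed sample)
NVR_RE = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>\d+)\.mga(?P<mga>\d+)$")


def parse_nvr(nvr):
    """Split an NVR into (name, version tuple, release int, Mageia release)."""
    m = NVR_RE.match(nvr)
    if not m:
        raise ValueError(f"not a Mageia package NVR: {nvr!r}")
    # Assumption: versions are purely numeric and dotted (true for Moodle 2.x).
    version = tuple(int(p) for p in m.group("ver").split("."))
    return m.group("name"), version, int(m.group("rel")), m.group("mga")


def is_fixed(installed_nvr):
    """True if the installed moodle package is at or above the fixed NVR
    for its own Mageia release; raises for releases this advisory does not cover."""
    name, ver, rel, mga = parse_nvr(installed_nvr)
    if name != "moodle":
        raise ValueError(f"expected a moodle package, got {name!r}")
    fixed = FIXED.get(mga)
    if fixed is None:
        raise ValueError(f"Mageia {mga} is not covered by this advisory")
    _, fver, frel, _ = parse_nvr(fixed)
    # Compare version first, then release, exactly as rpm orders them.
    return (ver, rel) >= (fver, frel)


def installed_moodle():
    """Ask rpm for the installed moodle NVR; None if rpm or the package is absent."""
    try:
        r = subprocess.run(
            ["rpm", "-q", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}\n", "moodle"],
            capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return r.stdout.strip() if r.returncode == 0 else None


if __name__ == "__main__":
    nvr = installed_moodle()
    if nvr is None:
        print("moodle is not installed (or rpm is unavailable)")
    else:
        print(f"{nvr}: {'patched' if is_fixed(nvr) else 'VULNERABLE, update required'}")
```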