{ "schema_version": "1.7.0", "id": "MGASA-2014-0160", "published": "2014-04-03T17:23:49Z", "modified": "2014-04-30T17:21:30Z", "summary": "Updated moodle packages fix multiple security vulnerabilities", "details": "Updated moodle package fixes security vulnerabilities:\n\nIn Moodle before 2.4.9, question strings were not being filtered correctly\npossibly allowing cross site scripting, as quiz_question_tostring can cause\ninvalid HTML (CVE-2014-2571).\n\nFeedback Availability dates not honored in complete.php in Moodle before\n2.4.9, therefore it was possible to start a Feedback activity while it was\nsupposed to be closed (CVE-2014-0127).\n\nBroken access control vulnerability in Moodle before 2.4.9 with\n/mod/chat/chat_ajax.php, where capabilities to chat were being checked at the\nstart of a chat, but not during, so changes were not effective immediately\n(CVE-2014-0122).\n\nIn Moodle before 2.4.9, there were missing access checks on Wiki pages\nallowing students to see pages of other students' individual wikis, through\nthe Recent activity block (CVE-2014-0123).\n\nIn Moodle before 2.4.9, cross site scripting was possible with Flowplayer\n(CVE-2013-7341).\n\nIn Moodle before 2.4.9, Forum and Quiz were showing users' email addresses\nwhen settings were supposed to be preventing this (CVE-2014-0124).\n\nIn Moodle before 2.4.9, alias links to items in an Alfresco repository were\nprovided with information that would allow someone to impersonate the file\nowner in Alfresco (CVE-2014-0125).\n\nCross Site Request Forgery in Moodle before 2.4.9 in\nenrol/imsenterprise/importnow.php, due to inadequate session checking when\ntriggering the import of IMS Enterprise identities (CVE-2014-0126).\n", "upstream": [ "CVE-2013-7341", "CVE-2014-0122", "CVE-2014-0123", "CVE-2014-0124", "CVE-2014-0125", "CVE-2014-0126", "CVE-2014-0127", "CVE-2014-2571" ], "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2014-0160.html" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=256416" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=256417" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=256418" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=256419" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=256420" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=256421" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=256422" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=256423" }, { "type": "WEB", "url": "http://docs.moodle.org/dev/Moodle_2.4.9_release_notes" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=255903" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=13005" } ], "affected": [ { "package": { "ecosystem": "Mageia:3", "name": "moodle", "purl": "pkg:rpm/mageia/moodle?arch=source&distro=mageia-3" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.4.9-1.mga3" } ] } ], "ecosystem_specific": { "section": "core" } }, { "package": { "ecosystem": "Mageia:4", "name": "moodle", "purl": "pkg:rpm/mageia/moodle?arch=source&distro=mageia-4" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.4.9-1.mga4" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }