{ "schema_version": "1.7.0", "id": "MGASA-2014-0308", "published": "2014-08-05T20:08:48Z", "modified": "2014-08-05T19:33:04Z", "summary": "Updated moodle package fixes security vulnerabilities", "details": "In Moodle before 2.6.4, serialised data passed by repositories could\npotentially contain objects defined by add-ons that could include executable\ncode (CVE-2014-3541).\n\nIn Moodle before 2.6.4, it was possible for manipulated XML files passed from\nLTI servers to be interpreted by Moodle to allow access to server-side files\n(CVE-2014-3542).\n\nIn Moodle before 2.6.4, it was possible for manipulated XML files to be\nuploaded to the IMSCC course format or the IMSCP resource to allow access to\nserver-side files (CVE-2014-3543).\n\nIn Moodle before 2.6.4, filtering of the Skype profile field was not removing\npotentially harmful code (CVE-2014-3544).\n\nIn Moodle before 2.6.4, it was possible to inject code into Calculated\nquestions that would be executed on the server (CVE-2014-3545).\n\nIn Moodle before 2.6.4, it was possible to get limited user information,\nsuch as user name and courses, by manipulating the URL of profile and notes\npages (CVE-2014-3546).\n\nIn Moodle before 2.6.4, the details of badges from external sources were not\nbeing filtered (CVE-2014-3547).\n\nIn Moodle before 2.6.4, content of exception dialogues presented from AJAX\ncalls was not being escaped before being presented to users (CVE-2014-3548).\n\nIn Moodle before 2.6.4, fields in rubrics were not being correctly filtered\n(CVE-2014-3551).\n\nIn Moodle before 2.6.4, forum was allowing users who were members of more\nthan one group to post to all groups without the capability to access all\ngroups (CVE-2014-3553).\n\nThe moodle package has been updated to version 2.6.4, to fix these issues\nand other bugs.\n", "upstream": [ "CVE-2014-3541", "CVE-2014-3542", "CVE-2014-3543", "CVE-2014-3544", "CVE-2014-3545", "CVE-2014-3546", "CVE-2014-3547", "CVE-2014-3548", "CVE-2014-3551", "CVE-2014-3553" ], "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2014-0308.html" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=13759" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=264262" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=264263" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=264264" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=264265" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=264266" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=264267" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=264268" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=264269" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=264270" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=264273" }, { "type": "WEB", "url": "http://docs.moodle.org/dev/Moodle_2.6.4_release_notes" } ], "affected": [ { "package": { "ecosystem": "Mageia:3", "name": "moodle", "purl": "pkg:rpm/mageia/moodle?arch=source&distro=mageia-3" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.6.4-1.mga3" } ] } ], "ecosystem_specific": { "section": "core" } }, { "package": { "ecosystem": "Mageia:4", "name": "moodle", "purl": "pkg:rpm/mageia/moodle?arch=source&distro=mageia-4" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.6.4-1.mga4" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }