Advisories » MGASA-2014-0483

Updated moodle package fixes security vulnerabilities

Publication date: 22 Nov 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-7830, CVE-2014-7832, CVE-2014-7833, CVE-2014-7834, CVE-2014-7835, CVE-2014-7836, CVE-2014-7837, CVE-2014-7838, CVE-2014-7845, CVE-2014-7846, CVE-2014-7847, CVE-2014-7848


In Moodle before 2.6.5, because encoding was not forced, it was possible
that UTF-7 characters could be used to force cross-site scripts to AJAX
scripts (although this is unlikely on modern browsers and on most Moodle
pages).

In Moodle before 2.6.5, there was an XSS issue through $searchcourse in
mod/feedback/mapcourse.php, because the last search string in the Feedback
module was not escaped in the search input field (CVE-2014-7830).

In Moodle before 2.6.5, the word list for temporary password generation was
short, so the pool of possible passwords was not big enough.

In Moodle before 2.6.5, capability checks in the LTI module only checked
access to the course and not to the activity (CVE-2014-7832).

In Moodle before 2.6.5, group-level entries in the Database activity module
became visible to users in other groups after being edited by a teacher.

In Moodle before 2.6.5, unprivileged users could access the list of
available tags in the system (CVE-2014-7846).

In Moodle before 2.6.5, the script used to geo-map IP addresses was
available to unauthenticated users, increasing server load when used by
other parties (CVE-2014-7847).

In Moodle before 2.6.5, when using the web service function for Forum
discussions, group permissions were not checked (CVE-2014-7834).

In Moodle before 2.6.5, by directly accessing an internal file, an
unauthenticated user could be shown an error message containing the file
system path of the Moodle install (CVE-2014-7848).

In Moodle before 2.6.5, if a web service with a file upload function was
available, a user could upload an XSS file to his profile picture area.

In Moodle before 2.6.5, two files in the LTI module lacked a session key
check, potentially allowing cross-site request forgery (CVE-2014-7836).

In Moodle before 2.6.5, by tweaking URLs, users who were able to delete
pages in at least one Wiki activity in the course were able to delete pages
in other Wiki pages in the same course (CVE-2014-7837).

In Moodle before 2.6.5, the set tracking script in the Forum module lacked a
session key check, potentially allowing cross-site request forgery.

In Moodle before 2.6.5, a session key check was missing on the return page
in the LTI module, allowing an attacker to include an arbitrary message in
the URL query string (MSA-14-0049).