{
  "schema_version": "1.7.0",
  "id": "MGASA-2015-0032",
  "published": "2015-01-20T14:57:33Z",
  "modified": "2015-01-20T14:49:27Z",
  "summary": "Updated moodle package fixes security vulnerabilities",
  "details": "Updated moodle package fixes security vulnerabilities:\n\nIn Moodle before 2.6.7, the absence of a capability check in an AJAX backend\nscript in the LTI module could allow any enrolled user to search the list of\nregistered tools (CVE-2015-0211).\n\nIn Moodle before 2.6.7, the course summary on the course request pending\napproval page was displayed to the manager unescaped and could be used for an\nXSS attack (CVE-2015-0212).\n\nIn Moodle before 2.6.7, two files in the Glossary module lacked a session key\ncheck, potentially allowing cross-site request forgery (CVE-2015-0213).\n\nIn Moodle before 2.6.7, it was possible through web services to access\nmessaging-related functions such as people search even if messaging is\ndisabled on the site (CVE-2015-0214).\n\nIn Moodle before 2.6.7, it was possible through web services to get\ninformation about calendar events that the user did not have sufficient\npermissions to see (CVE-2015-0215).\n\nIn Moodle before 2.6.7, a non-optimal regular expression in the multimedia\nfilter could be exploited to create extra server load or make a particular\npage unavailable, resulting in a denial of service (CVE-2015-0217).\n\nIn Moodle before 2.6.7, it was possible to forge a request to log out users\neven when not authenticated through Shibboleth (CVE-2015-0218).\n",
  "upstream": [
    "CVE-2015-0211",
    "CVE-2015-0212",
    "CVE-2015-0213",
    "CVE-2015-0214",
    "CVE-2015-0215",
    "CVE-2015-0217",
    "CVE-2015-0218"
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://advisories.mageia.org/MGASA-2015-0032.html"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.mageia.org/show_bug.cgi?id=15084"
    },
    {
      "type": "WEB",
      "url": "https://moodle.org/mod/forum/discuss.php?d=278611"
    },
    {
      "type": "WEB",
      "url": "https://moodle.org/mod/forum/discuss.php?d=278612"
    },
    {
      "type": "WEB",
      "url": "https://moodle.org/mod/forum/discuss.php?d=278613"
    },
    {
      "type": "WEB",
      "url": "https://moodle.org/mod/forum/discuss.php?d=278614"
    },
    {
      "type": "WEB",
      "url": "https://moodle.org/mod/forum/discuss.php?d=278615"
    },
    {
      "type": "WEB",
      "url": "https://moodle.org/mod/forum/discuss.php?d=278617"
    },
    {
      "type": "WEB",
      "url": "https://moodle.org/mod/forum/discuss.php?d=278618"
    },
    {
      "type": "WEB",
      "url": "https://docs.moodle.org/dev/Moodle_2.6.7_release_notes"
    },
    {
      "type": "WEB",
      "url": "https://moodle.org/mod/forum/discuss.php?d=278176"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Mageia:4",
        "name": "moodle",
        "purl": "pkg:rpm/mageia/moodle?arch=source&distro=mageia-4"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.7-1.mga4"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    }
  ],
  "credits": [
    {
      "name": "Mageia",
      "type": "COORDINATOR",
      "contact": [
        "https://wiki.mageia.org/en/Packages_Security_Team"
      ]
    }
  ]
}
