{ "schema_version": "1.7.0", "id": "MGASA-2015-0381", "published": "2015-09-23T19:42:52Z", "modified": "2015-09-23T19:39:24Z", "summary": "Updated moodle packages fix security vulnerabilities", "details": "Updated moodle package fixes security vulnerabilities:\n\nIn Moodle before 2.8.8, completed and graded lesson activity was not\nprotected against making new attempts to answer some questions, so students\ncould re-attempt answering questions in the lesson (CVE-2015-5264).\n\nIn Moodle before 2.8.8, users could delete files uploaded by other users in\nwiki (CVE-2015-5265).\n\nIn Moodle before 2.8.8, meta course synchronisation enrols suspended students\nas managers for a short period of time and causes large database growth. On\nlarge installations, when the sync script takes a long time, suspended\nstudents may get assigned a manager role in meta course for several minutes\n(CVE-2015-5266)\n\nIn Moodle before 2.8.8, password recovery tokens can be guessed because of\nphp randomisation limitations (CVE-2015-5267).\n\nIn Moodle before 2.8.8, when viewing ratings, the group access was not\nproperly checked, allowing users from other groups to view ratings\n(CVE-2015-5268).\n\nIn Moodle before 2.8.8, capability to manage groups does not have XSS risk,\nhowever it was possible to add XSS to the grouping description\n(CVE-2015-5269).\n\nThe moodle package has been updated to version 2.8.8, fixing these issues and\nseveral other bugs.\n\nAdditionally, the preg plugin has been updated to version 2.8, and the OU\nMultiple Response question type and UIkit theme have been added to the\npackage.\n", "upstream": [ "CVE-2015-5264", "CVE-2015-5265", "CVE-2015-5266", "CVE-2015-5267", "CVE-2015-5268", "CVE-2015-5269" ], "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2015-0381.html" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=16767" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=320287" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=320289" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=320290" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=320291" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=320292" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=320293" }, { "type": "WEB", "url": "https://docs.moodle.org/dev/Moodle_2.8.8_release_notes" }, { "type": "WEB", "url": "https://moodle.org/mod/forum/discuss.php?d=319884" }, { "type": "WEB", "url": "https://bitbucket.org/oasychev/moodle-plugins/" }, { "type": "WEB", "url": "https://moodle.org/plugins/view/qtype_oumultiresponse" }, { "type": "WEB", "url": "https://moodle.org/plugins/view/theme_uikit" } ], "affected": [ { "package": { "ecosystem": "Mageia:5", "name": "moodle", "purl": "pkg:rpm/mageia/moodle?arch=source&distro=mageia-5" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "2.8.8-1.mga5" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }