Updated moodle packages fix security vulnerability
Publication date: 20 Jan 2016
Modification date: 20 Jan 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-0724, CVE-2016-0725
Description
In Moodle before 2.8.10, the web services core_enrol_get_course_enrolment_methods and enrol_self_get_instance_info did not check the user's permission to access hidden courses (CVE-2016-0724). In Moodle before 2.8.10, the search string in the course management interface was not escaped when output, creating the potential for an XSS attack (CVE-2016-0725).
References
- https://bugs.mageia.org/show_bug.cgi?id=17537
- https://moodle.org/mod/forum/discuss.php?d=326205
- https://moodle.org/mod/forum/discuss.php?d=326206
- https://docs.moodle.org/dev/Moodle_2.8.10_release_notes
- https://moodle.org/mod/forum/discuss.php?d=325820
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0724
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0725
SRPMS
5/core
- moodle-2.8.10-1.mga5