Updated moodle packages fix security vulnerability
Publication date: 25 Mar 2016Modification date: 25 Mar 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-2151 , CVE-2016-2152 , CVE-2016-2153 , CVE-2016-2154 , CVE-2016-2155 , CVE-2016-2156 , CVE-2016-2157 , CVE-2016-2158 , CVE-2016-2159 , CVE-2016-2190
Description
In Moodle before 2.8.11, teachers who otherwise were not supposed to see
students' emails could see them in the participants list (CVE-2016-2151).
In Moodle before 2.8.11, Moodle traditionally trusted content from
external DB, however it was decided that external datasources may not be
aware of web security practices and data could cause problems after
importing to Moodle (CVE-2016-2152).
In Moodle before 2.8.11, a user with higher permissions could be tricked
into clicking a link which would result in Reflected XSS in mod_data
advanced search (CVE-2016-2153).
In Moodle before 2.8.11, users without capability to view hidden courses
but with capability to subscribe to Event Monitor rules could see the
names of hidden courses (CVE-2016-2154).
In Moodle before 2.8.11, the Non-Editing Instructor role can edit the
exclude checkbox in the Single View grade report (CVE-2016-2155).
In Moodle before 2.8.11, users without the capability to view hidden
acitivites could still see associated calendar events via web services,
via the external function get_calendar_events (CVE-2016-2156).
In Moodle before 2.8.11, CSRF is possible on the Assignment plugin admin
page, however an exploit is unlikely to benefit anybody and can easily be
reversed (CVE-2016-2157).
In Moodle before 2.8.11, enumeration of course category details is
possible without authentication (CVE-2016-2158).
In Moodle before 2.8.11, students were able to add assignment submissions
after the due date through web service, via the external function
mod_assign_save_submission (CVE-2016-2159).
In Moodle before 2.8.11, when following external links that were added
with the _blank target, a referer header would be added (CVE-2016-2190).
References
- https://bugs.mageia.org/show_bug.cgi?id=18048
- https://moodle.org/mod/forum/discuss.php?d=330173
- https://moodle.org/mod/forum/discuss.php?d=330174
- https://moodle.org/mod/forum/discuss.php?d=330175
- https://moodle.org/mod/forum/discuss.php?d=330176
- https://moodle.org/mod/forum/discuss.php?d=330177
- https://moodle.org/mod/forum/discuss.php?d=330178
- https://moodle.org/mod/forum/discuss.php?d=330179
- https://moodle.org/mod/forum/discuss.php?d=330180
- https://moodle.org/mod/forum/discuss.php?d=330181
- https://moodle.org/mod/forum/discuss.php?d=330182
- https://docs.moodle.org/dev/Moodle_2.8.11_release_notes
- https://moodle.org/mod/forum/discuss.php?d=329783
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2151
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2152
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2153
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2154
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2155
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2156
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2157
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2158
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2159
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2190
SRPMS
5/core
- moodle-2.8.11-1.mga5