| Description: | Conditional access rule values for user fields were able to contain unescaped HTML/JS that would be output to users. |
| Issue summary: | Conditional activities: user field displays as database column name, values not escaped |
| Severity/Risk: | Minor |
| Versions affected: | 2.5, 2.4 to 2.4.4 |
| Versions fixed: | 2.5.1, 2.4.5 |
| Reported by: | J |
| Description: | When impersonating another user using RSS tokens, an error was displayed, but block information relevant to the person being impersonated was shown. |
| Issue summary: | Rss feed error shows user logged in and blocks on page that shouldn't be there. |
| Severity/Risk: | Serious |
| Versions affected: | 2.5, 2.4 to 2.4.4, 2.3 to |
| Description: | The Feedback module was showing personal information to users without the needed capability |
| Issue summary: | Missing privilege check in feedback/lib.php |
| Severity/Risk: | Minor |
| Versions affected: | 2.5, 2.4 to 2.4.4, 2.3 to 2.3.7, 2.2 to 2.2.10, earlier unsupported versions |
| Versions fixed: | 2.5.1, 2.4.5, 2.3.8 and 2.2.11 |
| Repor |
| Description: | The assignment module was not checking capabilities for users downloading all assignments as a zip. |
| Issue summary: | Students can download assignments submitted by other students |
| Severity/Risk: | Serious |
| Versions affected: | 2.4 to 2.4.3, 2.3 to 2.3.6 |
| Versions fixed: | 2.5, 2.4.4 and 2.3.7 |
| Reported by: | Phillip Franks |
| Issue no.: | M |
| Description: | The Gradebook's Overview report was showing grade totals that may have incorrectly included hidden grades. |
| Issue summary: | The method for figuring out showtotalsifcontainhidden on the overview report is flawed |
| Severity/Risk: | Minor |
| Versions affected: | 2.4 to 2.4.3, 2.3 to 2.3.6, earlier unsupported versions |
| Versions |
| Description: | When registering a site on a hub (not Moodle.net) site information was being sent to the hub regardless of settings chosen. |
| Issue summary: | Moodle send site information to a hub even though it's unchecked |
| Severity/Risk: | Minor |
| Versions affected: | 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions |
| Ver |
| Description: | There was no check of permissions for viewing comments on blog posts. |
| Issue summary: | Blog comment validation should verify that the user can view a post. |
| Severity/Risk: | Serious |
| Versions affected: | 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions |
| Versions fixed: | 2.5, 2.4.4, 2.3.7 and 2.2.10 |
| Reported |
| Description: | Form elements named using a specific naming scheme were not being filtered correctly |
| Issue summary: | Elements named foo[i] are not cleaned properly |
| Severity/Risk: | Minor |
| Versions affected: | 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions |
| Versions fixed: | 2.5, 2.4.4, 2.3.7 and 2.2.10 |
| Reported by: | Dan |
| Description: | Users without appropriate capabilities were shown controls to update calendar subscriptions, even though the were not able to modify subscriptions. |
| Issue summary: | Student should not be able to see the subscription which they cant manage |
| Severity/Risk: | Minor |
| Versions affected: | 2.4 to 2.4.1 |
| Versions fixed: | 2.4.2 and |
| Description: | Exception messages were revealing server file system information |
| Issue summary: | Server system path revealed through exception messages |
| Severity/Risk: | Minor |
| Versions affected: | 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions |
| Versions fixed: | 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8 and 2.2.9 |
| Reported |
| Description: | The password for a WebDav repository was not hidden on the repository configuration form |
| Issue summary: | WebDav repository password field is plain text allowing admin to see password |
| Severity/Risk: | Minor |
| Versions affected: | 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only) |
| Versions |
| Description: | It was possible to upload files with filenames containing HTML and JavaScript |
| Issue summary: | Code injection (XSS) possible in File Picker |
| Severity/Risk: | Serious |
| Versions affected: | 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only) |
| Versions fixed: | 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8 |
| Description: | By manipulating form elements it was possible to assign a note to a different user during editing |
| Issue summary: | Go to the edit notes form, change userid in the html with firebug => the targeted note user is changed |
| Severity/Risk: | Minor |
| Versions affected: | 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier |
| Description: | Any user able to view WebDav repositories was able to view, edit and delete site-wide WebDav repositories |
| Issue summary: | Site-wide WebDAV repository instances options are accessible |
| Severity/Risk: | Serious |
| Versions affected: | 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only) |
| Versions |
| Description: | Course profiles were accessible without logging in as a real user |
| Issue summary: | Course profiles open to google even when forceloginforprofiles is enabled |
| Severity/Risk: | Minor |
| Versions affected: | 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions |
| Versions fixed: | 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, |
| Description: | Users able to use "login as" were able to see the personal repository content of the user they were impersonating |
| Issue summary: | Admin users logged in as another user have access to the content of their external repositories |
| Severity/Risk: | Serious |
| Versions affected: | 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier |
| Description: | Through the Zend library, clients of Moodle Web services were potentially able to reveal files on the server |
| Issue summary: | Zend XmlRpc: Local file disclosure via XXE injection |
| Severity/Risk: | Serious |
| Versions affected: | 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only) |
| Versions fixed: | 2. |
| Description: | A security issue was reported by TinyMCE. This fix has been applied to Moodle. |
| Issue summary: | import tinymce spellchecker 2.0.6.1 |
| Severity/Risk: | Serious |
| Versions affected: | 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+ |
| Reported by: | Petr Škoda |
| Issue no.: | MDL-37283 |
CVE identifier: | CVE-2012-6112 |
Workaround: | Disable |
| Description: | Users without the appropriate capability were able to set a custom outcome they had created as a standard site-wide capability when editing that outcome. |
| Issue summary: | Teachers can set Outcomes to be Standard when re-editing |
| Severity/Risk: | Minor |
| Versions affected: | 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+ |
| Description: | Paths in backups to restorable files were not being sufficiently validated and could be manipulated to gain access to files on the server. |
| Issue summary: | moodle1 backup converter path not properly validated |
| Severity/Risk: | Serious |
| Versions affected: | 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+ |
| Reported by: | Dan |