MSA-13-0029: XSS risk in conditional activities

Details
Published on 14 July 2013
Category: Security
by Michael de Raadt.

Description: Conditional access rule values for user fields were able to contain unescaped HTML/JS that would be output to users.
Issue summary: Conditional activities: user field displays as database column name, values not escaped
Severity/Risk: Minor
Versions affected: 2.5, 2.4 to 2.4.4
Versions fixed: 2.5.1, 2.4.5
Reported by: J
Read more...

MSA-13-0030: Information leak through RSS

Details
Published on 14 July 2013
Category: Security
by Michael de Raadt.

Description: When impersonating another user using RSS tokens, an error was displayed, but block information relevant to the person being impersonated was shown.
Issue summary: RSS feed error shows user logged in and blocks on page that shouldn't be there.
Severity/Risk: Serious
Versions affected: 2.5, 2.4 to 2.4.4, 2.3 to
Read more...

MSA-13-0031: Personal information leak in Feedback activity

Details
Published on 14 July 2013
Category: Security
by Michael de Raadt.

Description: The Feedback module was showing personal information to users without the needed capability.
Issue summary: Missing privilege check in feedback/lib.php
Severity/Risk: Minor
Versions affected: 2.5, 2.4 to 2.4.4, 2.3 to 2.3.7, 2.2 to 2.2.10, earlier unsupported versions
Versions fixed: 2.5.1, 2.4.5, 2.3.8 and 2.2.11
Repor
Read more...

MSA-13-0020: Capability issue in Assignment

Details
Published on 20 May 2013
Category: Security
by Michael de Raadt.

Description: The assignment module was not checking capabilities for users downloading all assignments as a zip.
Issue summary: Students can download assignments submitted by other students
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6
Versions fixed: 2.5, 2.4.4 and 2.3.7
Reported by: Phillip Franks
Issue no.: M
Read more...

MSA-13-0021: Potential information leak in Gradebook

Details
Published on 20 May 2013
Category: Security
by Michael de Raadt.

Description: The Gradebook's Overview report was showing grade totals that may have incorrectly included hidden grades.
Issue summary: The method for figuring out showtotalsifcontainhidden on the overview report is flawed
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, earlier unsupported versions
Versions
Read more...

MSA-13-0022: Information leak in hub registration

Details
Published on 20 May 2013
Category: Security
by Michael de Raadt.

Description: When registering a site on a hub (not Moodle.net), site information was being sent to the hub regardless of the settings chosen.
Issue summary: Moodle sends site information to a hub even though it's unchecked
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions
Ver
Read more...

MSA-13-0023: Permission issue in blog comments

Details
Published on 20 May 2013
Category: Security
by Michael de Raadt.

Description: There was no check of permissions for viewing comments on blog posts.
Issue summary: Blog comment validation should verify that the user can view a post.
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions
Versions fixed: 2.5, 2.4.4, 2.3.7 and 2.2.10
Reported
Read more...

MSA-13-0024: Form filtering issue

Details
Published on 20 May 2013
Category: Security
by Michael de Raadt.

Description: Form elements named using a specific naming scheme were not being filtered correctly.
Issue summary: Elements named foo[i] are not cleaned properly
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions
Versions fixed: 2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by: Dan
Read more...

MSA-13-0011: Calendar subscription capability issue

Details
Published on 24 March 2013
Category: Security
by Michael de Raadt.

Description: Users without appropriate capabilities were shown controls to update calendar subscriptions, even though they were not able to modify subscriptions.
Issue summary: Student should not be able to see the subscription which they can't manage
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1
Versions fixed: 2.4.2 and
Read more...

MSA-13-0013: Server information revealed through exception messages

Details
Published on 24 March 2013
Category: Security
by Michael de Raadt.

Description: Exception messages were revealing server file system information.
Issue summary: Server system path revealed through exception messages
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions
Versions fixed: 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8 and 2.2.9
Reported
Read more...

MSA-13-0014: Password revealed in WebDav repository

Details
Published on 24 March 2013
Category: Security
by Michael de Raadt.

Description: The password for a WebDav repository was not hidden on the repository configuration form.
Issue summary: WebDav repository password field is plain text allowing admin to see password
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only)
Versions
Read more...

MSA-13-0015: Cross-site scripting issue in Filepicker

Details
Published on 24 March 2013
Category: Security
by Michael de Raadt.

Description: It was possible to upload files with filenames containing HTML and JavaScript.
Issue summary: Code injection (XSS) possible in File Picker
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only)
Versions fixed: 2.4.2 and 2.4.3, 2.3.5 and 2.3.6, 2.2.8
Read more...

MSA-13-0017: Form manipulation issue in notes

Details
Published on 24 March 2013
Category: Security
by Michael de Raadt.

Description: By manipulating form elements it was possible to assign a note to a different user during editing.
Issue summary: Go to the edit notes form, change userid in the html with firebug => the targeted note user is changed
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier
Read more...

MSA-13-0019: Unauthorised settings editing through WebDav repository

Details
Published on 24 March 2013
Category: Security
by Michael de Raadt.

Description: Any user able to view WebDav repositories was able to view, edit and delete site-wide WebDav repositories.
Issue summary: Site-wide WebDAV repository instances options are accessible
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only)
Versions
Read more...

MSA-13-0012: Information leak in course profiles

Details
Published on 24 March 2013
Category: Security
by Michael de Raadt.

Description: Course profiles were accessible without logging in as a real user.
Issue summary: Course profiles open to google even when forceloginforprofiles is enabled
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions
Versions fixed: 2.4.2 and 2.4.3, 2.3.5 and 2.3.6,
Read more...

MSA-13-0018: Personal information leak through repositories

Details
Published on 10 March 2013
Category: Security
by Michael de Raadt.

Description: Users able to use "login as" were able to see the personal repository content of the user they were impersonating.
Issue summary: Admin users logged in as another user have access to the content of their external repositories
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier
Read more...

MSA-13-0016: External Entity Injection through Zend library

Details
Published on 10 March 2013
Category: Security
by Michael de Raadt.

Description: Through the Zend library, clients of Moodle Web services were potentially able to reveal files on the server.
Issue summary: Zend XmlRpc: Local file disclosure via XXE injection
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only)
Versions fixed: 2.
Read more...

MSA-13-0001: Security issue in Google Spellchecker in TinyMCE

Details
Published on 20 January 2013
Category: Security
by Michael de Raadt.

Description: A security issue was reported by TinyMCE. This fix has been applied to Moodle.
Issue summary: import tinymce spellchecker 2.0.6.1
Severity/Risk: Serious
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+
Reported by: Petr Škoda
Issue no.: MDL-37283
CVE identifier: CVE-2012-6112
Workaround: Disable
Read more...

MSA-13-0002: Capability issue with Outcome editing

Details
Published on 20 January 2013
Category: Security
by Michael de Raadt.

Description: Users without the appropriate capability were able to set a custom outcome they had created as a standard site-wide capability when editing that outcome.
Issue summary: Teachers can set Outcomes to be Standard when re-editing
Severity/Risk: Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+
Read more...

MSA-13-0003: Potential server file access through backup restoration

Details
Published on 20 January 2013
Category: Security
by Michael de Raadt.

Description: Paths in backups to restorable files were not being sufficiently validated and could be manipulated to gain access to files on the server.
Issue summary: moodle1 backup converter path not properly validated
Severity/Risk: Serious
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+
Reported by: Dan
Read more...

More articles...

  1. MSA-13-0004: Information leak through activity report
  2. MSA-13-0005: Potential phishing attack through URL redirects
  3. MSA-13-0006: Potential information leak in Assignment module
  4. MSA-13-0007: Potential exploit in messaging
  5. MSA-13-0008: Information leak through Blog RSS
  6. MSA-13-0010: Failure to check capabilities in calendar
  7. MSA-13-0009: Information leak through Blog RSS
  8. MSA-12-0063: Information leak in Check Permissions page
  9. MSA-12-0055: Web service access token issue
  10. MSA-12-0056: Information leak in drag-and-drop
  11. MSA-12-0057: Access issue through repository
  12. MSA-12-0058: Possible form data manipulation issue
  13. MSA-12-0059: Information leak in Database activity module
  14. MSA-12-0060: Cross-site scripting vulnerability in YUI2
  15. MSA-12-0061: Remote code execution through Portfolio API
  16. MSA-12-0062: Information leak in Database activity module
  17. MSA-12-0054: Course reset permission issue
  18. Integration, exposed: Integration round 2013-08-08 - week 32 of 52.
  19. Gavin Henrick: Moodle Research Conference – Call for Workshop Proposals
  20. Integration, exposed: Integration round 2013-08-02 - easy as mate
