| Description: | Under certain circumstances, when last access is included in a list of fields forced to be hidden, the Activity report would still reveal users' last access. |
| Issue summary: | Activity Report showing lastaccess even if it is a hidden field |
| Severity/Risk: | Minor |
| Versions affected: | 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+ |
| Reporte |
| Description: | Insufficient filtering of return URLs on some pages was allowing redirects to sites outside Moodle. |
| Issue summary: | Open redirect issues |
| Severity/Risk: | Minor |
| Versions affected: | 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+ |
| Reported by: | Simon Coggins |
| Issue no.: | MDL-35991 |
CVE identifier: | CVE-2012-6101 |
| Changes (master): | http://git.moodle.o |
| Description: | Through URL manipulation, students were able to view feedback comments provided on other student's submissions. |
| Issue summary: | Assignment comment permissions are not being validated |
| Severity/Risk: | Serious |
| Versions affected: | 2.4, 2.3 to 2.3.3+ |
| Reported by: | Dan Poltawski |
| Issue no.: | MDL-37244 |
CVE identifier: | CVE-2012-6102 |
| Cha |
| Description: | The messaging system was not checking the user's session correctly when messages are sent. |
| Issue summary: | Course message sending can be exploited by CSRF |
| Severity/Risk: | Minor |
| Versions affected: | 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+ |
| Reported by: | Andrew Nicols |
| Issue no.: | MDL-36600 |
CVE identifier: | CVE-2012-6103 |
| Changes (master): | h |
| Description: | Blog posts that were hidden from guest users in the Web interface were being included in the related RSS feed. |
| Issue summary: | Guest users can access RSS feed for site level blogs |
| Severity/Risk: | Minor |
| Versions affected: | 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+ |
| Reported by: | Charles Fulton |
| Issue no.: | MDL-36620 |
CVE identifier: | CVE-2 |
| Description: | Students were able to delete course level calendar subscriptions created by teachers. |
| Issue summary: | Student user able to Remove imported calendar from Manage Subscriptions |
| Severity/Risk: | Minor |
| Versions affected: | 2.4 |
| Reported by: | David O'Brien |
| Issue no.: | MDL-37106 |
CVE identifier: | CVE-2012-6106 |
| Changes (master): | http://git.m |
| Description: | Blog posts were still accessible via the blog RSS feed, even after blogging was disabled globally. |
| Issue summary: | Blog posts still available via RSS even after the blogging is disabled |
| Severity/Risk: | Minor |
| Versions affected: | 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+ |
| Reported by: | David Mudrak |
| Issue no.: | MDL-37467 |
C |
| Topic: | Check Permissions page displays entire user base without moodle/role:manage capability |
| Severity/Risk: | Minor |
| Versions affected: | 2.3 to 2.3.2+ |
| Reported by: | Jody Steele |
| Issue no.: | MDL-35381 |
CVE Identifier: | CVE-2012-5481 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35381 |
Des...
| Topic: | A web service token allows the user to run functions from any external service, not just those linked to the external service the token is for |
| Severity/Risk: | Serious |
| Versions affected: | 2.3 to 2.3.1+, 2.2 to 2.2.4+, 2.1 to 2.1.7+ |
| Reported by: | Nathan Mares |
| Issue no.: | MDL-34368 |
CVE Identifier: | CVE-2012-4402 |
| Changes (master): | http: |
| Topic: | Information disclosure in yui_combo.php |
| Severity/Risk: | Minor |
| Versions affected: | 2.3 to 2.3.1+ |
| Reported by: | Mark Baseggio |
| Issue no.: | MDL-35168 |
CVE Identifier: | CVE-2012-4403 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-35168 |
Description:
The drag-and-drop script was...
| Topic: | User B is able to see and use Dropbox of User A within Dropbox Repository File Picker |
| Severity/Risk: | Serious |
| Versions affected: | 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+ |
| Reported by: | Alexander Bias |
| Issue no.: | MDL-29872, MDL-36366 |
CVE Identifier: | CVE-2012-5471 |
Workaround: | Turn off Dropbox repository |
| Changes (master): | http://git. |
| Topic: | add setConstant() for hardfreeze element |
| Severity/Risk: | Minor |
| Versions affected: | 2.3 to 2.3.2+, 2.2 to 2.2.5+ |
| Reported by: | Rossiani Wijaya |
| Issue no.: | MDL-32785 |
CVE Identifier: | CVE-2012-5472 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-32785 |
Description:
Frozen form...
| Topic: | Members of seperate groups can see Database activity entries for other groups |
| Severity/Risk: | Minor |
| Versions affected: | 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+ |
| Reported by: | Richard Meyer |
| Issue no.: | MDL-34448 |
CVE Identifier: | CVE-2012-5473 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=co |
| Topic: | yui2 swf vulnerability |
| Severity/Risk: | Serious |
| Versions affected: | 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+ 1.9 to 1.9.18+ |
| Reported by: | Petr Škoda, Jenny Donnelly |
| Issue no.: | MDL-36346 |
CVE Identifier: | CVE-2012-5475 |
Workaround: | Delete YUI SWF files |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD& |
| Topic: | Portfolio plugin: Local File Inclusion (LFI) and the possibility of Remote Command Execution (RCE). |
| Severity/Risk: | Serious |
| Versions affected: | 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+ |
| Reported by: | Cristobal Leiva |
| Issue no.: | MDL-33791 |
CVE Identifier: | CVE-2012-5479 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=s |
| Topic: | Any user (including a guest) can view entries in database activity when more entries are required before viewing other participants entries |
| Severity/Risk: | Minor |
| Versions affected: | 2.3 to 2.3.2+, 2.2 to 2.2.5+, 2.1 to 2.1.8+ |
| Reported by: | Tabitha Roder |
| Issue no.: | MDL-35558 |
CVE Identifier: | CVE-2012-5480 |
| Changes (master): | http://gi |
| Topic: | Course reset not protected by proper capability |
| Severity/Risk: | Minor |
| Versions affected: | 2.3 to 2.3.1+, 2.2 to 2.2.4+, 2.1 to 2.1.7+ |
| Reported by: | Rex Lorenzo |
| Issue no.: | MDL-34519 |
CVE Identifier: | CVE-2012-4408 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34519 |
Description:
...
48 issues have been successfully integrated with 6 rejected and 0 delayed. That is 89% success.
Notes:This year at the Moodle Research Conference in Sousse, Tunisia they hope run some research workshops that will bring together groups of researchers interested in initiating or continuing collaborative research projects. The goal of the workshops are typically publication of papers, although they hope they may lead to other things, such as
37 issues have been successfully integrated with 2 rejected and 0 delayed. That is a hug 95% success rate, good job everyone!
Hot topics:...