moodle: multiple vulnerabilities

Package(s): moodle
CVE #(s): CVE-2009-4297 CVE-2009-4298 CVE-2009-4299 CVE-2009-4301 CVE-2009-4302 CVE-2009-4303 CVE-2009-4305
Created: February 3, 2010
Updated: February 16, 2010
Description:

From the Debian advisory:

CVE-2009-4297: Multiple cross-site request forgery (CSRF) vulnerabilities have been discovered.

CVE-2009-4298: It has been discovered that the LAMS module is prone to the disclosure of user account information.

CVE-2009-4299: The Glossary module has an insufficient access control mechanism.

CVE-2009-4301: Moodle does not properly check permissions when the MNET service is enabled, which allows remote authenticated servers to execute arbitrary MNET functions.

CVE-2009-4302: The login/index_form.html page links to an HTTP page instead of using an SSL secured connection.

CVE-2009-4303: Moodle stores sensitive data in backup files, which might make it possible for attackers to obtain them.

CVE-2009-4305: It has been discovered that the SCORM module is prone to an SQL injection.

Additionally, an SQL injection in the update_record function, a problem with symbolic links and a verification problem with Glossary, database and forum ratings have been fixed.

Alerts:
SuSE SUSE-SR:2010:004 2010-02-16
Debian DSA-1986-1 2010-02-02

Copyright © 2013, Eklektix, Inc.