From the Debian advisory:
Multiple cross-site request forgery (CSRF) vulnerabilities have been
It has been discovered that the LAMS module is prone to the disclosure
of user account information.
The Glossary module has an insufficient access control mechanism.
Moodle does not properly check permissions when the MNET service is
enabled, which allows remote authenticated servers to execute arbitrary
The login/index_form.html page links to an HTTP page instead of using an
SSL secured connection.
Moodle stores sensitive data in backup files, which might make it
possible for attackers to obtain them.
It has been discovered that the SCORM module is prone to an SQL
Additionally, an SQL injection in the update_record function, a problem
with symbolic links and a verification problem with Glossary, database
and forum ratings have been fixed.