
Mageia alert MGASA-2015-0464 (moodle)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2015-0464: Updated moodle packages fix security vulnerability
Date:  Sat, 5 Dec 2015 11:04:37 +0100
Message-ID:  <20151205100437.B1C465DC8A@valstar.mageia.org>

MGASA-2015-0464 - Updated moodle packages fix security vulnerability

Publication date: 05 Dec 2015
URL: http://advisories.mageia.org/MGASA-2015-0464.html
Type: security
Affected Mageia releases: 5
CVE: CVE-2015-5332,
     CVE-2015-5335,
     CVE-2015-5336,
     CVE-2015-5337,
     CVE-2015-5338,
     CVE-2015-5339,
     CVE-2015-5340,
     CVE-2015-5341,
     CVE-2015-5342

Description:

In Moodle before 2.8.9, if guest access is open on the site, unauthenticated users can store Atto draft data through the editor autosave area, which could be exploited in a denial of service attack (CVE-2015-5332).

In Moodle before 2.8.9, due to a CSRF issue in the site registration form, it is possible to trick a site admin into sending aggregate stats to an arbitrary domain. The attacker can send the admin a link to a site registration form that will display the correct URL but, if submitted, will register with another hub (CVE-2015-5335).

In Moodle before 2.8.9, the standard survey module is vulnerable to an XSS attack by students who fill in the survey (CVE-2015-5336).

In Moodle before 2.8.9, there was a reflected XSS vulnerability in the Flowplayer flash video player (CVE-2015-5337).

In Moodle before 2.8.9, password-protected lesson modules are subject to a CSRF vulnerability in the lesson login form (CVE-2015-5338).

In Moodle before 2.8.9, through the web service core_enrol_get_enrolled_users it is possible to retrieve a list of course participants who would not be visible when using the web site (CVE-2015-5339).

In Moodle before 2.8.9, logged-in users who do not have the capability 'View available badges without earning them' can still access the full list of badges (CVE-2015-5340).

In Moodle before 2.8.9, the SCORM module allows users to bypass access restrictions based on date and view the SCORM contents (CVE-2015-5341).

In Moodle before 2.8.9, the choice module closing date can be bypassed, allowing users to delete or submit new responses after the choice module was closed (CVE-2015-5342).

References:
- https://bugs.mageia.org/show_bug.cgi?id=17280
- https://moodle.org/mod/forum/discuss.php?d=323229
- https://moodle.org/mod/forum/discuss.php?d=323230
- https://moodle.org/mod/forum/discuss.php?d=323231
- https://moodle.org/mod/forum/discuss.php?d=323232
- https://moodle.org/mod/forum/discuss.php?d=323233
- https://moodle.org/mod/forum/discuss.php?d=323234
- https://moodle.org/mod/forum/discuss.php?d=323235
- https://moodle.org/mod/forum/discuss.php?d=323236
- https://moodle.org/mod/forum/discuss.php?d=323237
- https://docs.moodle.org/dev/Moodle_2.8.9_release_notes
- https://moodle.org/mod/forum/discuss.php?d=322852
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5332
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5335
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5336
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5337
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5338
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5339
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5340
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5341
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5342

SRPMS:
- 5/core/moodle-2.8.9-1.mga5

