-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                   AUSCERT Security Bulletin ASB-2014.0034
      Multiple vulnerabilities have been identified in Moodle prior to
                      versions 2.6.2, 2.5.5 and 2.4.9
                               21 March 2014
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Moodle
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Modify Permissions             -- Existing Account
                      Cross-site Request Forgery     -- Remote with User Interaction
                      Cross-site Scripting           -- Remote with User Interaction
                      Provide Misleading Information -- Existing Account
                      Access Confidential Data       -- Existing Account
                      Unauthorised Access            -- Existing Account
                      Reduced Security               -- Unknown/Unspecified
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-0129 CVE-2014-0127 CVE-2014-0126 CVE-2014-0125
                      CVE-2014-0124 CVE-2014-0123 CVE-2014-0122
Member content until: Sunday, April 20 2014

OVERVIEW

        A number of vulnerabilities have been identified in Moodle prior to
        2.6.2, 2.5.5 and 2.4.9. [1 - 10]

IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:

        CVE-Pending:
        "Question strings were not being filtered correctly possibly allowing
        cross site scripting." [1]

        CVE-2014-0127:
        "It was possible to start a Feedback activity while it was supposed
        to be closed." [2]

        CVE-2014-0122:
        "Capabilities to chat were being checked at the start of a chat, but
        not during, so changes were not effective immediately." [3]

        CVE-2014-0123:
        "There were missing access checks on Wiki pages allowing students to
        see pages of other students' individual wikis." [4]

        CVE-Pending:
        "Cross site scripting was possible with Flowplayer." [5]

        CVE-2014-0124:
        "Forum and Quiz were showing users' email addresses when settings
        were supposed to be preventing this." [6]

        CVE-2014-0125:
        "Alias links to items in an Alfresco repository were provided with
        information that would allow someone to impersonate the file owner
        in Alfresco." [7]

        CVE-2014-0126:
        "There was inadequate session checking when triggering the import of
        IMS Enterprise identities." [8]

        CVE-2014-0129:
        "It was possible for authenticated users to toggle the visibility of
        other users' badges." [9]

        CVE-Pending:
        "Assignment web service functions were not correctly cleaning
        function parameters allowing alteration of assignment grade related
        information." [10]

MITIGATION

        The vendor has stated that these issues have been corrected in
        versions 2.6.2, 2.5.5 and 2.4.9. [1 - 10]

REFERENCES

        [1] MSA-14-0004: Incorrect filtering in Quiz
            https://moodle.org/mod/forum/discuss.php?d=256416

        [2] MSA-14-0005: Access issue in Feedback activity
            https://moodle.org/mod/forum/discuss.php?d=256417

        [3] MSA-14-0006: Capability issue in Chat
            https://moodle.org/mod/forum/discuss.php?d=256418

        [4] MSA-14-0007: Access issue in Wiki
            https://moodle.org/mod/forum/discuss.php?d=256419

        [5] MSA-14-0008: Cross site scripting potential in Flowplayer
            https://moodle.org/mod/forum/discuss.php?d=256420

        [6] MSA-14-0009: Identity information leak in Forum and Quiz
            https://moodle.org/mod/forum/discuss.php?d=256421

        [7] MSA-14-0010: Identity information leak in Alfresco Repository
            https://moodle.org/mod/forum/discuss.php?d=256422

        [8] MSA-14-0011: Cross site request forgery potential in IMS enrolments
            https://moodle.org/mod/forum/discuss.php?d=256423

        [9] MSA-14-0012: Access issue in Badges
            https://moodle.org/mod/forum/discuss.php?d=256424

        [10] MSA-14-0013: Unfiltered data used in Assignment web services
             https://moodle.org/mod/forum/discuss.php?d=256425

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.
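As an added example (not part of the bulletin and not Moodle's own code), a small Python check that reads the $release line from a Moodle version.php and classifies the installation against the fixed releases named in the MITIGATION section; the version.php line format and the sample file contents are assumptions of this example.

```python
import re

# Fixed releases per stable branch, as stated in the bulletin's MITIGATION
# section (ASB-2014.0034, MSA-14-0004 .. MSA-14-0013).
FIXED_RELEASES = {(2, 6): (2, 6, 2), (2, 5): (2, 5, 5), (2, 4): (2, 4, 9)}

# Assumed format of the release line in Moodle's version.php, e.g.
#   $release = '2.6.1 (Build: 20140113)';
# This format is an assumption of the example, not something the bulletin states.
RELEASE_RE = re.compile(r"\$release\s*=\s*'(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(version_php: str):
    """Return (major, minor, patch) from the $release line, or None if absent.
    A bare '2.6' or weekly '2.6+' release is treated as patch level 0."""
    m = RELEASE_RE.search(version_php)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def asb_2014_0034_status(release) -> str:
    """Classify a release tuple against the fixed versions in the bulletin:
    'vulnerable' - same stable branch as a fixed release but older than it
    'fixed'      - at or above the fixed release for its branch, or a newer branch
    'unknown'    - a branch the bulletin does not cover (older than 2.4)"""
    branch = release[:2]
    if branch in FIXED_RELEASES:
        return "fixed" if release >= FIXED_RELEASES[branch] else "vulnerable"
    # Branches newer than 2.6 are not "prior to" any of the fixed releases.
    return "fixed" if branch > (2, 6) else "unknown"


def check_version_php(version_php: str) -> str:
    """One-shot check of a version.php file's contents."""
    release = parse_release(version_php)
    return "unknown" if release is None else asb_2014_0034_status(release)


# Constructed sample version.php fragment (not taken from a real installation).
SAMPLE_VERSION_PHP = """<?php
$version  = 2013111801.00;
$release  = '2.6.1 (Build: 20140113)';
$branch   = '26';
"""

if __name__ == "__main__":
    print(parse_release(SAMPLE_VERSION_PHP), check_version_php(SAMPLE_VERSION_PHP))
```

On a real server, pass the contents of the Moodle root's version.php to check_version_php; anything reported as "vulnerable" should be upgraded to the branch's fixed release.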
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================