===========================================================================
               AUSCERT Security Bulletin ASB-2014.0062
      A number of vulnerabilities have been identified in Moodle prior to
                    2.7, 2.6.3, 2.5.6 and 2.4.10. [1 - 6]
                               21 May 2014
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Moodle
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Cross-site Request Forgery -- Remote with User Interaction
                      Cross-site Scripting       -- Remote with User Interaction
                      Access Confidential Data   -- Remote/Unauthenticated
                      Unauthorised Access        -- Remote/Unauthenticated
                      Reduced Security           -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-0218 CVE-2014-0217 CVE-2014-0216 CVE-2014-0215
                      CVE-2014-0214 CVE-2014-0213
Member content until: Friday, June 20 2014

OVERVIEW

        A number of vulnerabilities have been identified in Moodle prior to
        2.7, 2.6.3, 2.5.6 and 2.4.10. [1 - 6]

IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:

        CVE-2014-0213: "Cross-site request forgery possible in Assignment." [1]

        CVE-2014-0214: "Web service token expiry issue for MoodleMobile." [2]

        CVE-2014-0215: "Anonymous student identity revealed in assignment." [3]

        CVE-2014-0216: "File access issue in HTML block." [4]

        CVE-2014-0217: "Information leak in courses." [5]

        CVE-2014-0218: "Reflected XSS in URL downloader repository." [6]

MITIGATION

        The vendor has stated that these issues have been corrected in
        versions 2.7, 2.6.3, 2.5.6 and 2.4.10. [1 - 6]

REFERENCES

        [1] MSA-14-0014: Cross-site request forgery possible in Assignment
            https://moodle.org/mod/forum/discuss.php?d=260361

        [2] MSA-14-0015: Web service token expiry issue for MoodleMobile
            https://moodle.org/mod/forum/discuss.php?d=260362

        [3] MSA-14-0016: Anonymous student identity revealed in assignment
            https://moodle.org/mod/forum/discuss.php?d=260363

        [4] MSA-14-0017: File access issue in HTML block
            https://moodle.org/mod/forum/discuss.php?d=260364

        [5] MSA-14-0018: Information leak in courses
            https://moodle.org/mod/forum/discuss.php?d=260365

        [6] MSA-14-0019: Reflected XSS in URL downloader repository
            https://moodle.org/mod/forum/discuss.php?d=260366

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================