moodle: multiple vulnerabilities
| Package(s): | moodle | CVE #(s): | CVE-2014-0213 CVE-2014-0214 CVE-2014-0215 CVE-2014-0216 CVE-2014-0218 | ||||||||||||||||
| Created: | May 20, 2014 | Updated: | May 30, 2014 | ||||||||||||||||
| Description: | From the Mageia advisory:
In Moodle before 2.6.3, Session checking was not being performed correctly in Assignment's quick-grading, allowing forged requests to be made unknowingly by authenticated users (CVE-2014-0213). In Moodle before 2.6.3, MoodleMobile web service tokens, created automatically in login/token.php, were not expiring and were valid forever (CVE-2014-0214). In Moodle before 2.6.3, Some student details, including identities, were included in assignment marking pages and would have been revealed to screen readers or through code inspection (CVE-2014-0215). In Moodle before 2.6.3, Access to files linked on HTML blocks on the My home page was not being checked in the correct context, allowing access to unauthenticated users (CVE-2014-0216). In Moodle before 2.6.3, There was a lack of filtering in the URL downloader repository that could have been exploited for XSS (CVE-2014-0218). | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||