| Revision Date: | 2014-06-23 | Version: | 20 |
| Title: | DSA-2421-1 moodle -- several |
| Description: | Several security issues have been fixed in Moodle, a course management system for online learning: CVE-2011-4308 / CVE-2012-0792 Rossiani Wijaya discovered an information leak in mod/forum/user.php CVE-2011-4584 MNET authentication didn't prevent a user using "Login As" from jumping to a remove MNET SSO. CVE-2011-4585 Darragh Enright discovered that the change password form was send in over plain HTTP even if httpslogin was set to "true". CVE-2011-4586 David Michael Evans and German Sanchez Gances discovered CRLF injection/HTTP response splitting vulnerabilities in the Calendar module. CVE-2011-4587 Stephen Mc Guiness discovered empty passwords could be entered in some circumstances. CVE-2011-4588 Patrick McNeill that IP address restrictions could be bypassed in MNET. CVE-2012-0796 Simon Coggins discovered that additional information could be injected into mail headers. CVE-2012-0795 John Ehringer discovered that email adresses were insufficiently validated. CVE-2012-0794 Rajesh Taneja discovered that cookie encryption used a fixed key. CVE-2012-0793 Eloy Lafuente discovered that profile images were insufficiently protected. A new configuration option "forceloginforprofileimages" was introduced for that. |
| Family: | unix | Class: | patch |
| Status: | ACCEPTED | Reference(s): | CVE-2011-4308
CVE-2011-4584
CVE-2011-4585
CVE-2011-4586
CVE-2011-4587
CVE-2011-4588
CVE-2012-0792
CVE-2012-0793
CVE-2012-0794
CVE-2012-0795
CVE-2012-0796
DSA-2421-1
|
| Platform(s): | Debian GNU/kFreeBSD 6.0
Debian GNU/Linux 6.0
| Product(s): | moodle
|
| Definition Synopsis |
| Debian 6.0 is installed AND GNU/Linux or GNU/kFreeBSD kernel
Debian GNU/Linux is installed
OR Debian GNU/kFreeBSD is installed
AND Installed architecture is all
AND moodle DPKG is earlier than 1.9.9.dfsg2-2.1+squeeze3
|