MSA-13-0026: Personal information leak in IMS-LTI

by Michael de Raadt.  

...
Description: Privacy settings for the IMS-LTI (External tool) module were not able to be changed so personal information was always transferred.
Issue summary: Privacy settings do not change
Severity/Risk: Minor
Versions affected: 2.5, 2.4 to 2.4.4, 2.3 to 2.3.7, 2.2 to 2.2.10, earlier unsupported versions
Versions fixed: 2.5.1,

MSA-13-0025: XSS vulnerability in YUI library

by Michael de Raadt.  

...
Description: Flash files distributed with the YUI library may have allowed for cross-site scripting attacks.
Issue summary: YUI swf files suffer a XSS vulnerability
Severity/Risk: Serious
Versions affected: 2.5, 2.4 to 2.4.4, 2.3 to 2.3.7, 2.2 to 2.2.10, earlier unsupported versions
Versions fixed: 2.5.1, 2.4.5, 2.3.8 and 2.2.11
Re

MSA-13-0024: Form filtering issue

by Michael de Raadt.  

...
Description: Form elements named using a specific naming scheme were not being filtered correctly
Issue summary: Elements named foo[i] are not cleaned properly
Severity/Risk: Minor
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions
Versions fixed: 2.5, 2.4.4, 2.3.7 and 2.2.10
Reported by: Dan

MSA-13-0023: Permission issue in blog comments

by Michael de Raadt.  

...
Description: There was no check of permissions for viewing comments on blog posts.
Issue summary: Blog comment validation should verify that the user can view a post.
Severity/Risk: Serious
Versions affected: 2.4 to 2.4.3, 2.3 to 2.3.6, 2.2 to 2.2.9, earlier unsupported versions
Versions fixed: 2.5, 2.4.4, 2.3.7 and 2.2.10
Reported