MSA-13-0012: Information leak in course profiles

by Michael de Raadt.  

...
Description:Course profiles were accessible without logging in as a real user
Issue summary:Course profiles open to Google even when forceloginforprofiles is enabled
Severity/Risk:Minor
Versions affected:2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions
Versions fixed:2.4.2 and 2.4.3, 2.3.5 and 2.3.6,

MSA-13-0011: Calendar subscription capability issue

by Michael de Raadt.  

...
Description:Users without appropriate capabilities were shown controls to update calendar subscriptions, even though they were not able to modify subscriptions.
Issue summary:Students should not be able to see subscriptions which they can't manage
Severity/Risk:Minor
Versions affected:2.4 to 2.4.1
Versions fixed:2.4.2 and

MSA-13-0018: Personal information leak through repositories

by Michael de Raadt.  

...
Description:Users able to use "login as" were able to see the personal repository content of the user they were impersonating
Issue summary:Admin users logged in as another user have access to the content of their external repositories
Severity/Risk:Serious
Versions affected:2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier

MSA-13-0016: External Entity Injection through Zend library

by Michael de Raadt.  

...
Description:Through the Zend library, clients of Moodle Web services were potentially able to reveal files on the server
Issue summary:Zend XmlRpc: Local file disclosure via XXE injection
Severity/Risk:Serious
Versions affected:2.4 to 2.4.1, 2.3 to 2.3.4, 2.2 to 2.2.7, earlier unsupported versions (2.x only)
Versions fixed:2.
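To make the mechanism behind MSA-13-0016 concrete, here is an added, self-contained illustration of an XXE payload in an XML-RPC methodCall and of the check that stops it. It is constructed example code, not Moodle or Zend code: the toy parser built on Python's expat, the `echo` method name, the parameter extractor and the secret file it writes are all assumptions. The vulnerable parser follows the `SYSTEM` identifier declared in the DOCTYPE, so the file's contents take the place of the `&xxe;` parameter and come back to the client in whatever response reflects that parameter; the hardened parser rejects any DOCTYPE before an entity can be declared and, as a second line of defence, refuses to resolve external entities.

```python
"""XXE against an XML-RPC endpoint: constructed example, not Moodle or Zend code."""
import os
import tempfile
import xml.parsers.expat as expat


def build_request(param_text, method="echo"):
    """Benign XML-RPC methodCall with one string parameter (constructed format)."""
    return (
        '<?xml version="1.0"?>\n'
        f"<methodCall><methodName>{method}</methodName>"
        f"<params><param><value><string>{param_text}</string></value></param></params>"
        "</methodCall>"
    )


def build_xxe_request(path, method="echo"):
    """Same call, but the DOCTYPE binds an external entity to a local file and the
    parameter is a reference to it. A parser that resolves SYSTEM identifiers
    substitutes the file contents for &xxe;."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE methodCall [<!ENTITY xxe SYSTEM "{path}">]>\n'
        f"<methodCall><methodName>{method}</methodName>"
        "<params><param><value><string>&xxe;</string></value></param></params>"
        "</methodCall>"
    )


class _StringParamExtractor:
    """Collects the text of the first <string> parameter of a methodCall (assumed helper)."""

    def __init__(self, resolve_external_entities, allow_doctype):
        self.resolve_external_entities = resolve_external_entities
        self.allow_doctype = allow_doctype
        self.chunks = []
        self._in_string = False
        self.parser = expat.ParserCreate()
        self.parser.buffer_text = True
        self.parser.StartDoctypeDeclHandler = self._doctype
        self.parser.StartElementHandler = self._start
        self.parser.EndElementHandler = self._end
        self.parser.CharacterDataHandler = self._chars
        self.parser.ExternalEntityRefHandler = self._external_entity

    def _doctype(self, name, sysid, pubid, has_internal_subset):
        # Hardened mode: an XML-RPC request never needs a DTD, so refuse it
        # outright. This also blocks internal-entity tricks such as entity expansion bombs.
        if not self.allow_doctype:
            raise ValueError("DOCTYPE not allowed in XML-RPC request")

    def _start(self, name, attrs):
        if name == "string":
            self._in_string = True

    def _end(self, name):
        if name == "string":
            self._in_string = False

    def _chars(self, data):
        if self._in_string:
            self.chunks.append(data)

    def _external_entity(self, context, base, system_id, public_id):
        # The unsafe behaviour: open the SYSTEM identifier and parse the file as
        # entity content, so its text is delivered to _chars inside <string>.
        if not self.resolve_external_entities:
            return 0  # expat turns this into an ExpatError
        with open(system_id, "rb") as f:
            sub = self.parser.ExternalEntityParserCreate(context)  # inherits handlers
            sub.Parse(f.read(), True)
        return 1

    def run(self, body):
        self.parser.Parse(body, True)
        return "".join(self.chunks)


def parse_request_vulnerable(body):
    """Entity-resolving parser: the configuration that leaks local files."""
    return _StringParamExtractor(resolve_external_entities=True, allow_doctype=True).run(body)


def parse_request_hardened(body):
    """Rejects any DOCTYPE and never resolves external entities."""
    return _StringParamExtractor(resolve_external_entities=False, allow_doctype=False).run(body)


def demo():
    """Writes a constructed secret file, sends the crafted request to both parsers
    and returns (text leaked by the vulnerable parser, hardened parser rejected)."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-")
    try:
        with os.fdopen(fd, "w") as f:
            f.write("db_password=hunter2")  # constructed secret, stands in for a config file
        body = build_xxe_request(path)
        leaked = parse_request_vulnerable(body)
        try:
            parse_request_hardened(body)
            rejected = False
        except ValueError:
            rejected = True
    finally:
        os.unlink(path)
    return leaked, rejected


if __name__ == "__main__":
    print(demo())
```

The check that matters is the DOCTYPE rejection: disabling entity resolution alone still lets a request carry a DTD, and a `ValueError` from the hardened parser should be turned into an XML-RPC fault rather than echoed back with the offending input.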