MSA-13-0010: Failure to check capabilities in calendar

by Michael de Raadt.  

Description: Students were able to delete course level calendar subscriptions created by teachers.
Issue summary: Student user able to Remove imported calendar from Manage Subscriptions
Severity/Risk: Minor
Versions affected: 2.4
Reported by: David O'Brien
Issue no.: MDL-37106
CVE identifier: CVE-2012-6106
Changes (master): http://git.m

MSA-13-0009: Information leak through Blog RSS

by Michael de Raadt.  

Description: Blog posts were still accessible via the blog RSS feed, even after blogging was disabled globally.
Issue summary: Blog posts still available via RSS even after the blogging is disabled
Severity/Risk: Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+, 2.1 to 2.1.9+
Reported by: David Mudrak
Issue no.: MDL-37467
C

MSA-13-0008: Information leak through Blog RSS

by Michael de Raadt.  

Description: Blog posts that were hidden from guest users in the Web interface were being included in the related RSS feed.
Issue summary: Guest users can access RSS feed for site level blogs
Severity/Risk: Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+
Reported by: Charles Fulton
Issue no.: MDL-36620
CVE identifier: CVE-2

MSA-13-0007: Potential exploit in messaging

by Michael de Raadt.  

Description: The messaging system was not checking the user's session correctly when messages were sent.
Issue summary: Course message sending can be exploited by CSRF
Severity/Risk: Minor
Versions affected: 2.4, 2.3 to 2.3.3+, 2.2 to 2.2.6+
Reported by: Andrew Nicols
Issue no.: MDL-36600
CVE identifier: CVE-2012-6103
Changes (master): h