Mailinglist Archive: opensuse-bugs (4246 mails)

[Bug 1021046] New: VUL-0: CVE-2017-2576,CVE-2017-2578: moodle: multiple vulnerabilities
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Fri, 20 Jan 2017 08:40:44 +0000
  • Message-id: <bug-1021046-21960@http.bugzilla.opensuse.org/>
http://bugzilla.opensuse.org/show_bug.cgi?id=1021046


Bug ID: 1021046
Summary: VUL-0: CVE-2017-2576,CVE-2017-2578: moodle: multiple
vulnerabilities
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: 3rd party software
Assignee: opensuse-communityscreening@xxxxxxxxxxxxxxxxxxxxxx
Reporter: astieger@xxxxxxxx
QA Contact: security-team@xxxxxxx
CC: lars.vogdt@xxxxxxxx, security-team@xxxxxxx
Found By: Security Response Team
Blocker: ---

https://moodle.org/mod/forum/discuss.php?d=345911
MSA-17-0001: System file inclusion when adding own preset file in Boost theme

https://moodle.org/mod/forum/discuss.php?d=345912
MSA-17-0002: Incorrect sanitation of attributes in forums
Description: A forum post author can change too many fields when editing the
post
Issue summary: Incorrect sanitation of attributes
Severity/Risk: Minor
Versions affected: 3.2, 3.1 to 3.1.3, 3.0 to 3.0.7, 2.9 to 2.9.9, 2.8 to
2.8.12, 2.7 to 2.7.17 and earlier unsupported versions
Versions fixed: 3.2.1, 3.1.4, 3.0.8 and 2.7.18
Reported by: Anshul Jain
Issue no.: MDL-56225
CVE identifier: CVE-2017-2576
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56225


https://moodle.org/mod/forum/discuss.php?d=345914
MSA-17-0003: PHPMailer vulnerability in no-reply address
Description: A security vulnerability was reported against PHPMailer, a third-party
library used by Moodle. As a result, Moodle improved validation of the
no-reply address (which can only be configured by an admin); all other fields
were already properly sanitized. This issue only affects sites that leave
$CFG->smtphosts empty.
Issue summary: Address the vulnerabilities in recent PHPMailer 5.2.x
Severity/Risk: Serious
Versions affected: 3.2, 3.1 to 3.1.3, 3.0 to 3.0.7, 2.9 to 2.9.9, 2.8 to
2.8.12, 2.7 to 2.7.17 and earlier unsupported versions
Versions fixed: 3.2.1, 3.1.4, 3.0.8 and 2.7.18
Reported by: Matteo Scaramuccia
Issue no.: MDL-57531
Workaround: Define $CFG->noreplyaddress and $CFG->supportemail in
config.php
CVE identifier: CVE-2016-10045 (PHPMailer)
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57531


https://moodle.org/mod/forum/discuss.php?d=345915
Description: HTML injection with a potential XSS attack was possible by
modifying the URL for assignment submission and tricking another user into
following it
Issue summary: XSS in assignment submission page
Severity/Risk: Minor
Versions affected: 3.2 and 3.1 to 3.1.3
Versions fixed: 3.2.1 and 3.1.4 (also backported to 2.7.18 and 3.0.8 as a
precaution)
Reported by: Ago Luberg and Wael AbuSeada
Issue no.: MDL-57580
CVE identifier: CVE-2017-2578
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57580

--
You are receiving this mail because:
You are on the CC list for the bug.
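
The MSA-17-0003 item above says the PHPMailer issue only reaches sites with an
empty $CFG->smtphosts (Moodle then hands mail to the local sendmail binary via
PHP's mail(), where PHPMailer 5.2.x passed the sender address as a -f
command-line argument), and that the fix was stricter validation of the
admin-configured no-reply address. What follows is an added example, not
Moodle's own code and not the MDL-57531 patch: a config.php fragment applying
the advisory's workaround, plus a conservative validator of the kind one would
put in front of any address that ends up on a sendmail command line. The
function name, the relay host, the example addresses and the sample inputs are
assumptions constructed for illustration.

```php
<?php
// Added example for the MSA-17-0003 item; not Moodle's code and not the
// MDL-57531 patch. Function name, hosts and addresses are assumed.

$CFG = new stdClass();   // as at the top of a Moodle config.php

// config.php fragment: the advisory's workaround.
// With smtphosts set, Moodle talks SMTP to the relay instead of invoking the
// local sendmail binary via PHP's mail(), which is the path where the sender
// address became a command-line argument in PHPMailer 5.2.x (CVE-2016-10045).
$CFG->smtphosts      = 'smtp.example.org:587';  // assumed relay
// Pinning both addresses is the workaround the advisory gives for sites that
// keep smtphosts empty; set them even when a relay is used.
$CFG->noreplyaddress = 'noreply@example.org';   // assumed address
$CFG->supportemail   = 'support@example.org';   // assumed address

/**
 * Accept only addresses that are safe to pass to sendmail as an envelope
 * sender. The sendmail-option injection class behind CVE-2016-10033/10045
 * used a syntactically valid RFC 5322 address whose quoted local part
 * carried spaces and extra options, which generic validators accept. This
 * check therefore refuses the quoted-local-part syntax outright: only a
 * dot-atom local part and a dotted hostname domain are allowed.
 */
function is_safe_envelope_sender(string $address): bool
{
    $len = strlen($address);
    if ($len === 0 || $len > 254) {          // RFC 5321 path length limit
        return false;
    }
    // Whitespace, quotes and shell/sendmail-relevant metacharacters: reject.
    if (preg_match('/[\s"\'`$&|;<>(){}\[\]\\\\%!]/', $address) === 1) {
        return false;
    }
    // Conservative shape: local@host.tld, no IP literals, no comments.
    $local = '[A-Za-z0-9_+-]+(?:\.[A-Za-z0-9_+-]+)*';
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $shape = '/^' . $local . '@(?:' . $label . '\.)+[A-Za-z]{2,63}$/';
    if (preg_match($shape, $address) !== 1) {
        return false;
    }
    // Second opinion from PHP's own validator; both must agree.
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Refuse to start with a sender that would end up on a sendmail command line.
foreach (['noreplyaddress', 'supportemail'] as $key) {
    if (!is_safe_envelope_sender($CFG->$key)) {
        throw new RuntimeException("Unsafe \$CFG->$key; refusing to use it as sender");
    }
}

// Constructed samples (not taken from the advisory) with expected verdicts.
$samples = [
    'noreply@example.org'                     => true,
    'first.last+tag@mail.example.org'         => true,
    // shaped like the published sendmail -X/-oQ option-injection class
    '"a\" -oQ/tmp/ -X/tmp/x  b"@example.org'  => false,
    "noreply@example.org\n-X/tmp/x"           => false,   // newline smuggling
    'noreply@example.org;id'                  => false,   // shell separator
    'noreply@[127.0.0.1]'                     => false,   // IP literal refused
];
foreach ($samples as $addr => $expected) {
    $ok = is_safe_envelope_sender($addr);
    printf("%-55s -> %-6s %s\n", json_encode($addr), $ok ? 'safe' : 'reject',
           $ok === $expected ? '' : '(UNEXPECTED)');
}
```

The point of the double check is that RFC 5322 is more permissive than
sendmail's argument parsing is safe for: an address can be "valid" and still
carry spaces and option strings inside a quoted local part. Rejecting that
syntax for an admin-set value costs nothing, while routing through an SMTP
relay ($CFG->smtphosts non-empty) removes the local sendmail invocation
altogether, which is why the advisory scopes the issue to sites that leave it
empty.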