[Secure-testing-team] Bug#703870: moodle: Multiple security issues reported
Salvatore Bonaccorso
carnil at debian.org
Mon Mar 25 06:36:17 UTC 2013

Source: moodle
Severity: grave
Tags: security
Hi,
the following vulnerabilities were published for moodle.
CVE-2013-1829[0]:
Calendar subscription capability issue
(this seems not to affect moodle in Debian as versions affected are
reported as 2.4 to 2.4.1)
CVE-2013-1830[1]:
Information leak in course profiles
CVE-2013-1831[2]:
Server information revealed through exception messages
CVE-2013-1832[3]:
Password revealed in WebDav repository
CVE-2013-1833[4]:
Cross-site scripting issue in Filepicker
CVE-2012-3363[5]:
| Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before
| 1.12.0 does not properly handle SimpleXMLElement classes, which allows
| remote attackers to read arbitrary files or create TCP connections via
| an external entity reference in a DOCTYPE element in an XML-RPC
| request, aka an XML external entity (XXE) injection attack.
CVE-2013-1834[6]:
Form manipulation issue in notes
CVE-2013-1835[7]:
Personal information leak through repositories
CVE-2013-1836[8]:
Unauthorised settings editing through WebDav repository
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1829
    http://security-tracker.debian.org/tracker/CVE-2013-1829
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1830
    http://security-tracker.debian.org/tracker/CVE-2013-1830
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1831
    http://security-tracker.debian.org/tracker/CVE-2013-1831
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1832
    http://security-tracker.debian.org/tracker/CVE-2013-1832
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1833
    http://security-tracker.debian.org/tracker/CVE-2013-1833
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3363
    http://security-tracker.debian.org/tracker/CVE-2012-3363
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1834
    http://security-tracker.debian.org/tracker/CVE-2013-1834
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1835
    http://security-tracker.debian.org/tracker/CVE-2013-1835
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1836
    http://security-tracker.debian.org/tracker/CVE-2013-1836
Please adjust the affected versions in the BTS as needed.
Thank you for your work!
Regards,
Salvatore
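The XXE issue in CVE-2012-3363 above hinges on a DOCTYPE carried in the XML-RPC request body. As an added illustration (not Moodle's or Zend Framework's own code; `xmlrpc_has_doctype` and `xmlrpc_parse_safely` are hypothetical names, and both request bodies are constructed), this PHP snippet shows the defensive pattern of refusing any request that contains a DOCTYPE before it reaches the parser, and parsing the rest with external entity loading disabled:

```php
<?php
// Added example, not Moodle's or Zend Framework's code: pre-filter an
// XML-RPC request body for a DOCTYPE (where external entities are declared)
// and parse the remainder with entity loading and network access disabled.

function xmlrpc_has_doctype(string $body): bool {
    // Drop a leading UTF-8 BOM, then look for a DOCTYPE declaration.
    // A legitimate XML-RPC request never needs one.
    $body = preg_replace('/^\xEF\xBB\xBF/', '', $body);
    return preg_match('/<!DOCTYPE/i', $body) === 1;
}

function xmlrpc_parse_safely(string $body): ?SimpleXMLElement {
    if (xmlrpc_has_doctype($body)) {
        return null;   // refuse the request: possible XXE payload
    }
    // libxml_disable_entity_loader() is deprecated on PHP 8 because libxml
    // 2.9+ already disables external entity loading by default; on older
    // PHP it is the switch that matters. LIBXML_NONET blocks network fetches.
    $previous = libxml_disable_entity_loader(true);
    libxml_use_internal_errors(true);
    $xml = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
    libxml_disable_entity_loader($previous);
    libxml_clear_errors();
    return $xml === false ? null : $xml;
}

// Constructed sample bodies: a plain XML-RPC call, and one carrying a DOCTYPE
// with an external entity reference (placeholder URI, not a real target).
$benign  = '<?xml version="1.0"?>'
         . '<methodCall><methodName>system.listMethods</methodName><params/></methodCall>';
$hostile = '<?xml version="1.0"?>'
         . '<!DOCTYPE methodCall [<!ENTITY ext SYSTEM "file:///constructed/path">]>'
         . '<methodCall><methodName>&ext;</methodName></methodCall>';

$ok       = xmlrpc_parse_safely($benign);    // SimpleXMLElement
$rejected = xmlrpc_parse_safely($hostile);   // null, never reaches the parser
```

The rejection happens on the raw string, so the hostile body is never handed to libxml at all; the entity-loader and `LIBXML_NONET` settings are defence in depth for anything the regex might miss.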