Moodle 2.3.x < 2.3.10 / 2.4.x < 2.4.7 / 2.5.x < 2.5.3 Multiple Vulnerabilities

The remote web server hosts Moodle, an open-source course management system. Versions of Moodle 2.3.x prior to 2.3.10, 2.4.x prior to 2.4.7 or 2.5.x prior to 2.5.3 are exposed to the following vulnerabilities :

• A flaw exists that is due to the server delivering some files with incorrect headers, which can result in the files being improperly cached on the user’s machine, potentially allowing a local attacker to gain access to them. (CVE-2013-4522)
• A flaw exists in the messaging functionality that allows a cross-site scripting (XSS) attack. This flaw exists because the application does not validate the message text upon submission to the ‘message/lib.php’ script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser within the trust relationship between the browser and the server. (CVE-2013-4523)
• A flaw exists in the ‘repository/filesystem/lib.php’ script in the file system repository that may result in attackers being granted read access to the entire file system, rather than just the Moodle file area. (CVE-2013-4524)
• A flaw exists that allows a cross-site scripting (XSS) attack. This flaw exists because the application does not validate input passed via quiz question answers upon submission to the ‘mod/quiz/report/responses/responses_table.php’ script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser within the trust relationship between the browser and the server. (CVE-2013-4525)