CVSS2 metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |

EPSS metric | Value |
---|---|
Percentile | 80.6% |

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.6.3, session checking was not being performed correctly in Assignment’s quick-grading, allowing forged requests to be made unknowingly by authenticated users (CVE-2014-0213).

In Moodle before 2.6.3, MoodleMobile web service tokens, created automatically in login/token.php, were not expiring and were valid forever (CVE-2014-0214).

In Moodle before 2.6.3, some student details, including identities, were included in assignment marking pages and would have been revealed to screen readers or through code inspection (CVE-2014-0215).

In Moodle before 2.6.3, access to files linked on HTML blocks on the My home page was not being checked in the correct context, allowing access to unauthenticated users (CVE-2014-0216).

In Moodle before 2.6.3, there was a lack of filtering in the URL downloader repository that could have been exploited for XSS (CVE-2014-0218).

The 2.4 branch of Moodle will no longer be supported as of approximately June 2014, so the Moodle package has been upgraded to version 2.6.3 to fix these issues.

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
Mageia | 3 | noarch | moodle | < 2.6.3-1 | moodle-2.6.3-1.mga3 |
Mageia | 4 | noarch | moodle | < 2.6.3-1 | moodle-2.6.3-1.mga4 |
docs.moodle.org/dev/Moodle_2.4.10_release_notes
docs.moodle.org/dev/Moodle_2.6.3_release_notes
bugs.mageia.org/show_bug.cgi?id=13369
moodle.org/mod/forum/discuss.php?d=260361
moodle.org/mod/forum/discuss.php?d=260362
moodle.org/mod/forum/discuss.php?d=260363
moodle.org/mod/forum/discuss.php?d=260364
moodle.org/mod/forum/discuss.php?d=260366