CVE-2014-7836
https://notcve.org/view.php?id=CVE-2014-7836
Multiple cross-site request forgery (CSRF) vulnerabilities in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allow remote attackers to hijack the authentication of arbitrary users for a (1) mod/lti/request_tool.php or (2) mod/lti/instructor_edit_tool_type.php request. Múltiples vulnerabilidades de CSRF en el módulo LTI en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.7.3 permiten a atacantes remotos secuestrar la autenticación de usuarios arbitrarios para una solicitud (1) mod/lti/request_tool.php o (2) mod/lti/instructor_edit_tool_type.php. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47924 http://openwall.com/lists/oss-security/2014/11/17/11 http://www.securitytracker.com/id/1031215 https://moodle.org/mod/forum/discuss.php?d=275162 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2014-7834
https://notcve.org/view.php?id=CVE-2014-7834
mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remote authenticated users to access a forum via the forum_get_discussions web service. mod/forum/externallib.php en Moodle 2.6.x anterior a 2.6.6 y 2.7.x anterior a 2.7.3 no verifica permisos de grupos, lo que permite a usuarios remotos autenticados acceder a un foro a través del servicio web forum_get_discussions. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45303 http://openwall.com/lists/oss-security/2014/11/17/11 http://www.securitytracker.com/id/1031215 https://moodle.org/mod/forum/discuss.php?d=275159 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2014-7831
https://notcve.org/view.php?id=CVE-2014-7831
lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service. lib/classes/grades_external.php en Moodle 2.7.x anterior a 2.7.3 no considera la funcionalidad moodle/grade:viewhidden antes de mostrar notas escondidas, lo que permite a usuarios remotos autenticados obtener información sensible mediante el aprovechamiento de la lista de estudiantes para acceder al servicio web get_grades. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47766 http://openwall.com/lists/oss-security/2014/11/17/11 http://www.securitytracker.com/id/1031215 https://moodle.org/mod/forum/discuss.php?d=275153 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2014-7845
https://notcve.org/view.php?id=CVE-2014-7845
The generate_password function in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not provide a sufficient number of possible temporary passwords, which allows remote attackers to obtain access via a brute-force attack. La función generate_password en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.7.3 no proporciona un número suficiente de contraseñas temporales posibles, lo que permite a atacantes remotos obtener el acceso a través de un ataque de fuerza bruta. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47050 http://openwall.com/lists/oss-security/2014/11/17/11 http://www.securitytracker.com/id/1031215 https://moodle.org/mod/forum/discuss.php?d=275152 • CWE-255: Credentials Management Errors •
CVE-2014-7830
https://notcve.org/view.php?id=CVE-2014-7830
Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the mod/feedback:mapcourse capability to provide a searchcourse parameter. Vulnerabilidad de XSS en mod/feedback/mapcourse.php en el módulo Feedback en Moodle hasta 2.4.11, 2.5.x anterior a 2.5.9, 2.6.x anterior a 2.6.6, y 2.7.x anterior a 2.7.3 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios mediante el aprovechamiento de la funcionalidad mod/feedback:mapcourse para proporcionar un parámetro searchcourse. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47865 http://openwall.com/lists/oss-security/2014/11/17/11 http://www.securityfocus.com/bid/71119 http://www.securitytracker.com/id/1031215 https://moodle.org/mod/forum/discuss.php?d=275147 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •