CVE-2013-2242
https://notcve.org/view.php?id=CVE-2013-2242
mod/chat/gui_sockets/index.php in Moodle through 2.1.10, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, and 2.5.x before 2.5.1 does not consider the mod/chat:chat capability before authorizing daemon-mode chat, which allows remote authenticated users to bypass intended access restrictions via an HTTP session to a chat server. mod/chat/gui_sockets/index.php en Moodle desde 2.1.10, 2.2.x anterior a 2.2.11, 2.3.x anterior a 2.3.8, 2.4.x anterior a 2.4.5, y 2.5.x anterior a 2.5.1, no considera la capacidad mod/chat:chat antes de la autorización del chat en daemon-mode, lo que permite a usuarios autenticados remotamente evitar las restricciones de acceso establecidas mediante una sesión HTTP al servidor de chat. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-39628 https://moodle.org/mod/forum/discuss.php?d=232498 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2013-2081
https://notcve.org/view.php?id=CVE-2013-2081
Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not consider "don't send" attributes during hub registration, which allows remote hubs to obtain sensitive site information by reading form data. Moodle hasta v2.1.10, v2.2.x hasta v2.2.10, v2.3.x hasta v2.3.7, y v2.4.x hasta v2.4.4 no considera los atributos "no enviar" el registro de centros, lo que permite a los centros remotos obtener información sensible del sitio mediante la lectura de los datos del formulario. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37822 http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106965.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106988.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/107026.html http://openwall.com/lists/oss-security/2013/05/21/1 https://moodle.org/mod/forum/discuss.php?d=228933 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2013-2080
https://notcve.org/view.php?id=CVE-2013-2080
The core_grade component in Moodle through 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not properly consider the existence of hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role and reading the Gradebook Overview report. El componente core_grade en Moodle hasta v2.1.10, v2.2.x hasta v2.2.10, v2.3.x hasta v2.3.7, y v2.4.x hasta v2.4.4, no tiene en cuenta adecuadamente la existencia de grados ocultos, que permite a los usuarios autenticados remotos obtener información sensible mediante el aprovechamiento del papel del estudiante y la lectura del informe de Gradebook Overview • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37475 http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106965.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106988.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/107026.html http://openwall.com/lists/oss-security/2013/05/21/1 https://moodle.org/mod/forum/discuss.php?d=228931 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2013-2079
https://notcve.org/view.php?id=CVE-2013-2079
mod/assign/locallib.php in the assignment module in Moodle 2.3.x before 2.3.7 and 2.4.x before 2.4.4 does not consider capability requirements during the processing of ZIP assignment-archive download (aka downloadall) requests, which allows remote authenticated users to read other users' assignments by leveraging the student role. mod/assign/locallib.php en el módulo de asignaciones en Moodle v2.3.x antes de v2.3.7 y v2.4.x antes de v2.4.4, no tiene en cuenta los requisitos de capacidad durante el trámite de asignación de archivado ZIP y solicitudes de descarga (alias downloadall), lo que permite a usuarios remotos autenticados leer las asignaciones de otros usuarios aprovechando el rol de estudiante. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38443 http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106965.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106988.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/107026.html http://openwall.com/lists/oss-security/2013/05/21/1 https://moodle.org/mod/forum/discuss.php?d=228930 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2013-2083
https://notcve.org/view.php?id=CVE-2013-2083
The MoodleQuickForm class in lib/formslib.php in Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not properly handle a certain array-element syntax, which allows remote attackers to bypass intended form-data filtering via a crafted request. La clase MoodleQuickForm en lib/formslib.php en Moodle hasta v2.1.10, v2.2.x antes de v2.2.10, v2.3.x antes de v2.3.7, y v2.4.x antes de v2.4.4 no maneja adecuadamente una sintaxis de matrices de elementos determinados, lo que permite a atacantes remotos evitar filtrados form-data a través de una solicitud manipulada. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38885 http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106965.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106988.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/107026.html http://openwall.com/lists/oss-security/2013/05/21/1 https://moodle.org/mod/forum/discuss.php?d=228935 • CWE-20: Improper Input Validation •