CVE-2012-6099
https://notcve.org/view.php?id=CVE-2012-6099
The moodle1 backup converter in backup/converter/moodle1/lib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly validate pathnames, which allows remote authenticated users to read arbitrary files by leveraging the backup-restoration feature. El convertidor de copia de seguridad "moodle1" en backup/converter/moodle1/lib.php de Moodle v2.1.x anterior a v2.1.10, v2.2.x anterior a v2.2.7, v2.3.x anterior a v2.3.4, y v2.4.x anterior a v2.4.1 no valida correctamente las rutas, lo que permite a usuarios remotos autentificados leer ficheros arbitrarios aprovechándose de la funcionalidad de restauración de copias de seguridad. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36977 http://openwall.com/lists/oss-security/2013/01/21/1 https://moodle.org/mod/forum/discuss.php?d=220160 • CWE-20: Improper Input Validation •
CVE-2012-6098
https://notcve.org/view.php?id=CVE-2012-6098
grade/edit/outcome/edit_form.php in Moodle 1.9.x through 1.9.19, 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly enforce the moodle/grade:manage capability requirement, which allows remote authenticated users to convert custom outcomes into standard site-wide outcomes by leveraging the teacher role and using the re-editing feature. grade/edit/outcome/edit_form.php en Moodle v1.9.x a la v1.9.19, 2.1.x anterior a v2.1.10, v2.2.x anterior a v2.2.7, v2.3.x anterior a v2.3.4, y v2.4.x anterior a v2.4.1 no maneja adecuadamente los requisitos "moodle/grade:manage capability", lo que permite a usuarios remotos autentificados convertir los resultados personalizados en el estándar de todo el sitio mediante el aprovechamiento de los resultados del rol de profesor y utilizando la funcionalidad de reeditar. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-27619 http://openwall.com/lists/oss-security/2013/01/21/1 https://moodle.org/mod/forum/discuss.php?d=220158 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2012-6104
https://notcve.org/view.php?id=CVE-2012-6104
blog/rsslib.php in Moodle 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 allows remote attackers to obtain sensitive information from site-level blogs by leveraging the guest role and reading an RSS feed. blog/rsslib.php en Moodle v2.2.x antes de v2.2.7, v2.3.x antes de v2.3.4, v2.4.1 y antes de v2.4.x , permite a atacantes remotos obtener información sensible de los blogs a nivel de sitio, aprovechando el papel de la huésped y de la lectura un feed RSS. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36620 http://openwall.com/lists/oss-security/2013/01/21/1 https://moodle.org/mod/forum/discuss.php?d=220165 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2012-6106
https://notcve.org/view.php?id=CVE-2012-6106
calendar/managesubscriptions.php in the Manage Subscriptions implementation in Moodle 2.4.x before 2.4.1 omits a capability check, which allows remote authenticated users to remove course-level calendar subscriptions by leveraging the student role and sending an iCalendar object. calendar/managesubscriptions.php en Manage Subscriptions implementation in Moodle 2.4.x antes de v2.4.1 omite una comprobacion de capacidad, que permite a usuarios remotos autenticados para eliminar a nivel de curso suscripciones a calendarios al aprovechar el papel del estudiante y el envío de un objeto iCalendar. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37106 http://openwall.com/lists/oss-security/2013/01/21/1 https://moodle.org/mod/forum/discuss.php?d=220167 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2012-6105
https://notcve.org/view.php?id=CVE-2012-6105
blog/rsslib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 continues to provide a blog RSS feed after blogging is disabled, which allows remote attackers to obtain sensitive information by reading this feed. blog/rsslib.php en Moodle v2.1.x antes de v2.1.10, v2.2.x antes de v2.2.7, v2.3.x antes de v2.3.4, v2.4.x antes de v2.4.1 que continúa proporcionando un canal de blog RSS después de blogging se desactive , que permite a atacantes remotos obtener información sensible mediante la lectura de este feed. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37467 http://openwall.com/lists/oss-security/2013/01/21/1 https://moodle.org/mod/forum/discuss.php?d=220166 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •