CVE-2013-2079
https://notcve.org/view.php?id=CVE-2013-2079
mod/assign/locallib.php in the assignment module in Moodle 2.3.x before 2.3.7 and 2.4.x before 2.4.4 does not consider capability requirements during the processing of ZIP assignment-archive download (aka downloadall) requests, which allows remote authenticated users to read other users' assignments by leveraging the student role. mod/assign/locallib.php en el módulo de asignaciones en Moodle v2.3.x antes de v2.3.7 y v2.4.x antes de v2.4.4, no tiene en cuenta los requisitos de capacidad durante el trámite de asignación de archivado ZIP y solicitudes de descarga (alias downloadall), lo que permite a usuarios remotos autenticados leer las asignaciones de otros usuarios aprovechando el rol de estudiante. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38443 http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106965.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106988.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/107026.html http://openwall.com/lists/oss-security/2013/05/21/1 https://moodle.org/mod/forum/discuss.php?d=228930 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2013-2083
https://notcve.org/view.php?id=CVE-2013-2083
The MoodleQuickForm class in lib/formslib.php in Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not properly handle a certain array-element syntax, which allows remote attackers to bypass intended form-data filtering via a crafted request. La clase MoodleQuickForm en lib/formslib.php en Moodle hasta v2.1.10, v2.2.x antes de v2.2.10, v2.3.x antes de v2.3.7, y v2.4.x antes de v2.4.4 no maneja adecuadamente una sintaxis de matrices de elementos determinados, lo que permite a atacantes remotos evitar filtrados form-data a través de una solicitud manipulada. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38885 http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106965.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106988.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/107026.html http://openwall.com/lists/oss-security/2013/05/21/1 https://moodle.org/mod/forum/discuss.php?d=228935 • CWE-20: Improper Input Validation •
CVE-2013-2082
https://notcve.org/view.php?id=CVE-2013-2082
Moodle through 2.1.10, 2.2.x before 2.2.10, 2.3.x before 2.3.7, and 2.4.x before 2.4.4 does not enforce capability requirements for reading blog comments, which allows remote attackers to obtain sensitive information via a crafted request. Moodle hasta v2.1.10, v2.2.x hasta v2.2.10, v2.3.x hasta v2.3.7, y v2.4.x hasta v2.4.4 no cumple los requisitos de capacidad para la lectura de los comentarios del blog, lo que permite a atacantes remotos obtener información sensible a través de una solicitud manipulada. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37245 http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106965.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106988.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/107026.html http://openwall.com/lists/oss-security/2013/05/21/1 https://moodle.org/mod/forum/discuss.php?d=228934 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2013-1834
https://notcve.org/view.php?id=CVE-2013-1834
notes/edit.php in Moodle 1.9.x through 1.9.19, 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows remote authenticated users to reassign notes via a modified (1) userid or (2) courseid field. notes/edit.php de Moodle v1.9.x hasta v1.9.19, v2.x hasta v2.1.10, v2.2.x hasta v2.2.8, v2.3.x anterior a v2.3.5, y v2.4.x anterior a v2.4.2 permite a usuarios remotamente autenticados asignar notas a través de modificaciones en (1) el campo userid ó (2) en el campo courseid. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37411 http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.html http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.html http://openwall.com/lists/oss-security/2013/03/25/2 https://moodle.org/mod/forum/discuss.php?d=225346 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2013-1830
https://notcve.org/view.php?id=CVE-2013-1830
user/view.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 does not enforce the forceloginforprofiles setting, which allows remote attackers to obtain sensitive course-profile information by leveraging the guest role, as demonstrated by a Google search. user/view.php en Moodle hasta v2.1.10, v2.2.x anterior a v2.2.8, v2.3.x anterior a v2.3.5, y v2.4.x anterior a 2.4.2 no aplica el ajuste forceloginforprofiles, que permite a atacantes remotos obtener información del perfil del curso aprovechando el rol de invitado, como lo demuestra una búsqueda en Google. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37481 http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101310.html http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101358.html http://openwall.com/lists/oss-security/2013/03/25/2 https://moodle.org/mod/forum/discuss.php?d=225341 • CWE-264: Permissions, Privileges, and Access Controls •