Source: moodle
Severity: grave
Tags: security

Hi,

the following vulnerabilities were published for moodle.

CVE-2013-1829[0]:
Calendar subscription capability issue

(this seems not to affect moodle in Debian as versions affected are
reported as 2.4 to 2.4.1)

CVE-2013-1830[1]:
Information leak in course profiles

CVE-2013-1831[2]:
Server information revealed through exception messages

CVE-2013-1832[3]:
Password revealed in WebDav repository

CVE-2013-1833[4]:
Cross-site scripting issue in Filepicker

CVE-2012-3363[5]:
| Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before
| 1.12.0 does not properly handle SimpleXMLElement classes, which allows
| remote attackers to read arbitrary files or create TCP connections via
| an external entity reference in a DOCTYPE element in an XML-RPC
| request, aka an XML external entity (XXE) injection attack.

CVE-2013-1834[6]:
Form manipulation issue in notes

CVE-2013-1835[7]:
Personal information leak through repositories

CVE-2013-1836[8]:
Unauthorised settings editing through WebDav repository

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1829
    http://security-tracker.debian.org/tracker/CVE-2013-1829
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1830
    http://security-tracker.debian.org/tracker/CVE-2013-1830
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1831
    http://security-tracker.debian.org/tracker/CVE-2013-1831
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1832
    http://security-tracker.debian.org/tracker/CVE-2013-1832
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1833
    http://security-tracker.debian.org/tracker/CVE-2013-1833
[5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3363
    http://security-tracker.debian.org/tracker/CVE-2012-3363
[6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1834
    http://security-tracker.debian.org/tracker/CVE-2013-1834
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1835
    http://security-tracker.debian.org/tracker/CVE-2013-1835
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1836
    http://security-tracker.debian.org/tracker/CVE-2013-1836

Please adjust the affected versions in the BTS as needed.

Thank you for your work!

Regards,
Salvatore

_______________________________________________
Secure-testing-team mailing list
Secure-testing-team@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
