[VIM] [CVENEW] New CVE CANs: 2013/03/25 17:00 ; count=8
coley at mitre.org
Mon Mar 25 16:04:27 CDT 2013
======================================================
Name: CVE-2013-1829
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1829
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130219
Category:
Reference: MLIST:[oss-security] 20130325 Moodle security notifications public
Reference: URL:http://openwall.com/lists/oss-security/2013/03/25/2
Reference: CONFIRM:http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37338
Reference: CONFIRM:https://moodle.org/mod/forum/discuss.php?d=225339
calendar/managesubscriptions.php in Moodle 2.4.x before 2.4.2 does not
consider capability requirements before displaying calendar
subscriptions, which allows remote authenticated users to obtain
potentially sensitive information by leveraging the student role.
======================================================
Name: CVE-2013-1830
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1830
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130219
Category:
Reference: MLIST:[oss-security] 20130325 Moodle security notifications public
Reference: URL:http://openwall.com/lists/oss-security/2013/03/25/2
Reference: CONFIRM:http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37481
Reference: CONFIRM:https://moodle.org/mod/forum/discuss.php?d=225341
user/view.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x
before 2.3.5, and 2.4.x before 2.4.2 does not enforce the
forceloginforprofiles setting, which allows remote attackers to obtain
sensitive course-profile information by leveraging the guest role, as
demonstrated by a Google search.
======================================================
Name: CVE-2013-1831
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1831
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130219
Category:
Reference: MLIST:[oss-security] 20130325 Moodle security notifications public
Reference: URL:http://openwall.com/lists/oss-security/2013/03/25/2
Reference: CONFIRM:http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36901
Reference: CONFIRM:https://moodle.org/mod/forum/discuss.php?d=225342
lib/setuplib.php in Moodle through 2.1.10, 2.2.x before 2.2.8, 2.3.x
before 2.3.5, and 2.4.x before 2.4.2 allows remote attackers to obtain
sensitive information via an invalid request, which reveals the
absolute path in an exception message.
======================================================
Name: CVE-2013-1832
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1832
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130219
Category:
Reference: MLIST:[oss-security] 20130325 Moodle security notifications public
Reference: URL:http://openwall.com/lists/oss-security/2013/03/25/2
Reference: CONFIRM:http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37681
Reference: CONFIRM:https://moodle.org/mod/forum/discuss.php?d=225343
repository/webdav/lib.php in Moodle 2.x through 2.1.10, 2.2.x before
2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 includes the WebDAV
password in the configuration form, which allows remote authenticated
administrators to obtain sensitive information by configuring an
instance.
======================================================
Name: CVE-2013-1833
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1833
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130219
Category:
Reference: MLIST:[oss-security] 20130325 Moodle security notifications public
Reference: URL:http://openwall.com/lists/oss-security/2013/03/25/2
Reference: CONFIRM:http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37507
Reference: CONFIRM:https://moodle.org/mod/forum/discuss.php?d=225344
Multiple cross-site scripting (XSS) vulnerabilities in the File Picker
module in Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before
2.3.5, and 2.4.x before 2.4.2 allow remote authenticated users to
inject arbitrary web script or HTML via a crafted filename.
======================================================
Name: CVE-2013-1834
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1834
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130219
Category:
Reference: MLIST:[oss-security] 20130325 Moodle security notifications public
Reference: URL:http://openwall.com/lists/oss-security/2013/03/25/2
Reference: CONFIRM:http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37411
Reference: CONFIRM:https://moodle.org/mod/forum/discuss.php?d=225346
notes/edit.php in Moodle 1.9.x through 1.9.19, 2.x through 2.1.10,
2.2.x before 2.2.8, 2.3.x before 2.3.5, and 2.4.x before 2.4.2 allows
remote authenticated users to reassign notes via a modified (1) userid
or (2) courseid field.
======================================================
Name: CVE-2013-1835
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1835
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130219
Category:
Reference: MLIST:[oss-security] 20130325 Moodle security notifications public
Reference: URL:http://openwall.com/lists/oss-security/2013/03/25/2
Reference: CONFIRM:http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36426
Reference: CONFIRM:https://moodle.org/mod/forum/discuss.php?d=225347
Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and
2.4.x before 2.4.2 allows remote authenticated administrators to
obtain sensitive information from the external repositories of
arbitrary users by leveraging the login_as feature.
======================================================
Name: CVE-2013-1836
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1836
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130219
Category:
Reference: MLIST:[oss-security] 20130325 Moodle security notifications public
Reference: URL:http://openwall.com/lists/oss-security/2013/03/25/2
Reference: CONFIRM:http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-37852
Reference: CONFIRM:https://moodle.org/mod/forum/discuss.php?d=225348
Moodle 2.x through 2.1.10, 2.2.x before 2.2.8, 2.3.x before 2.3.5, and
2.4.x before 2.4.2 does not properly manage privileges for WebDAV
repositories, which allows remote authenticated users to read, modify,
or delete arbitrary site-wide repositories by leveraging certain read
access.