DSA-2421-1 moodle -- severalID: oval:org.secpod.oval:def:600744 | Date: (C)2012-03-02 (M)2023-02-20 |
Class: PATCH | Family: unix |
Several security issues have been fixed in Moodle, a course management system for online learning: CVE-2011-4308 / CVE-2012-0792 Rossiani Wijaya discovered an information leak in mod/forum/user.php CVE-2011-4584 MNET authentication didn"t prevent a user using "Login As" from jumping to a remove MNET SSO. CVE-2011-4585 Darragh Enright discovered that the change password form was send in over plain HTTP even if httpslogin was set to "true". CVE-2011-4586 David Michael Evans and German Sanchez Gances discovered CRLF injection/HTTP response splitting vulnerabilities in the Calendar module. CVE-2011-4587 Stephen Mc Guiness discovered empty passwords could be entered in some circumstances. CVE-2011-4588 Patrick McNeill that IP address restrictions could be bypassed in MNET. CVE-2012-0796 Simon Coggins discovered that additional information could be injected into mail headers. CVE-2012-0795 John Ehringer discovered that email adresses were insufficiently validated. CVE-2012-0794 Rajesh Taneja discovered that cookie encryption used a fixed key. CVE-2012-0793 Eloy Lafuente discovered that profile images were insufficiently protected. A new configuration option "forceloginforprofileimages" was introduced for that.