SB2012091703 - Fedora EPEL 6 update for moodle
Published: September 17, 2012 Updated: April 24, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-4400)
The vulnerability allows a remote #AU# to manipulate data.
repository/repository_ajax.php in Moodle 2.2.x before 2.2.5 and 2.3.x before 2.3.2 allows remote authenticated users to bypass intended upload-size restrictions via a -1 value in the maxbytes field.
2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-4408)
The vulnerability allows a remote #AU# to read and manipulate data.
course/reset.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 checks an update capability instead of a reset capability, which allows remote authenticated users to bypass intended access restrictions via a reset operation.
3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-4402)
The vulnerability allows a remote #AU# to read and manipulate data.
webservice/lib.php in Moodle 2.1.x before 2.1.8, 2.2.x before 2.2.5, and 2.3.x before 2.3.2 does not properly restrict the use of web-service tokens, which allows remote authenticated users to run arbitrary external-service functions via a token intended for only one service.
4) Information disclosure (CVE-ID: CVE-2012-4403)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
theme/yui_combo.php in Moodle 2.3.x before 2.3.2 does not properly construct error responses for the drag-and-drop script, which allows remote attackers to obtain the installation path by sending a request for a nonexistent resource and then reading the response.
Remediation
Install update from vendor's website.