{"id":"MGASA-2014-0308","summary":"Updated moodle package fixes security vulnerabilities","details":"In Moodle before 2.6.4, serialised data passed by repositories could\npotentially contain objects defined by add-ons that could include executable\ncode (CVE-2014-3541).\n\nIn Moodle before 2.6.4, it was possible for manipulated XML files passed from\nLTI servers to be interpreted by Moodle to allow access to server-side files\n(CVE-2014-3542).\n\nIn Moodle before 2.6.4, it was possible for manipulated XML files to be\nuploaded to the IMSCC course format or the IMSCP resource to allow access to\nserver-side files (CVE-2014-3543).\n\nIn Moodle before 2.6.4, filtering of the Skype profile field was not removing\npotentially harmful code (CVE-2014-3544).\n\nIn Moodle before 2.6.4, it was possible to inject code into Calculated\nquestions that would be executed on the server (CVE-2014-3545).\n\nIn Moodle before 2.6.4, it was possible to get limited user information,\nsuch as user name and courses, by manipulating the URL of profile and notes\npages (CVE-2014-3546).\n\nIn Moodle before 2.6.4, the details of badges from external sources were not\nbeing filtered (CVE-2014-3547).\n\nIn Moodle before 2.6.4, content of exception dialogues presented from AJAX\ncalls was not being escaped before being presented to users (CVE-2014-3548).\n\nIn Moodle before 2.6.4, fields in rubrics were not being correctly filtered\n(CVE-2014-3551).\n\nIn Moodle before 2.6.4, forum was allowing users who were members of more\nthan one group to post to all groups without the capability to access all\ngroups (CVE-2014-3553).\n\nThe moodle package has been updated to version 2.6.4, to fix these issues\nand other bugs.\n","modified":"2026-04-16T06:24:39.334873342Z","published":"2014-08-05T20:08:48Z","upstream":["CVE-2014-3541","CVE-2014-3542","CVE-2014-3543","CVE-2014-3544","CVE-2014-3545","CVE-2014-3546","CVE-2014-3547","CVE-2014-3548","CVE-2014-3551","CVE-2014-3553"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2014-0308.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=13759"},{"type":"WEB","url":"https://moodle.org/mod/forum/discuss.php?d=264262"},{"type":"WEB","url":"https://moodle.org/mod/forum/discuss.php?d=264263"},{"type":"WEB","url":"https://moodle.org/mod/forum/discuss.php?d=264264"},{"type":"WEB","url":"https://moodle.org/mod/forum/discuss.php?d=264265"},{"type":"WEB","url":"https://moodle.org/mod/forum/discuss.php?d=264266"},{"type":"WEB","url":"https://moodle.org/mod/forum/discuss.php?d=264267"},{"type":"WEB","url":"https://moodle.org/mod/forum/discuss.php?d=264268"},{"type":"WEB","url":"https://moodle.org/mod/forum/discuss.php?d=264269"},{"type":"WEB","url":"https://moodle.org/mod/forum/discuss.php?d=264270"},{"type":"WEB","url":"https://moodle.org/mod/forum/discuss.php?d=264273"},{"type":"WEB","url":"http://docs.moodle.org/dev/Moodle_2.6.4_release_notes"}],"affected":[{"package":{"name":"moodle","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/moodle?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.6.4-1.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0308.json"}},{"package":{"name":"moodle","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/moodle?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.6.4-1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0308.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}