{"id":"MGASA-2015-0229","summary":"Updated moodle packages fix security vulnerabilities","details":"Updated moodle package fixes security vulnerabilities:\n\nIn Moodle before 2.6.11, leaving gradebook feedback is a trusted action and\nsuch capabilities in other modules already have an XSS mask, 'mod/quiz:grade'\nwas missing this flag (CVE-2015-3174).\n\nIn Moodle before 2.6.11, some error messages display a button to return to\nthe previous page. Redirecting to non-local referer should not be allowed as\nit can potentially be used for phising (CVE-2015-3175).\n\nIn Moodle before 2.6.11, on sites with enabled self-registration, not\nregistered users can retrieve fullname of registered users if they know their\nusernames (CVE-2015-3176).\n\nIn Moodle before 2.6.11, if a user who is not XSS-trusted attempts to insert\na script as part of the input text, it will be cleaned when displayed on the\nMoodle website but may be displayed uncleaned in the external application\nbecause external_format_text() cleans and formats text incorrectly when\nreturning it from Web Services (CVE-2015-3178).\n\nIn Moodle before 2.6.11, when self-registration is enabled and a user's\naccount was suspended after creating the account but before actually\nconfirming it, the user is still able to login when confirming their email,\nbut only once (CVE-2015-3179).\n\nIn Moodle before 2.6.11, if a user is enrolled in the course but his\nenrollment is suspended, they can not access the course but still were able\nto see the course structure in the navigation block (CVE-2015-3180).\n\nIn Moodle before 2.6.11, users with the revoked capability\n'moodle/user:manageownfiles' are still able to upload private files using a\ndeprecated function in Web Services (CVE-2015-3181).\n","modified":"2026-04-16T06:23:41.341038785Z","published":"2015-05-18T19:08:05Z","upstream":["CVE-2015-3174","CVE-2015-3175","CVE-2015-3176","CVE-2015-3178","CVE-2015-3179","CVE-2015-3180","CVE-2015-3181"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2015-0229.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=15909"},{"type":"WEB","url":"https://moodle.org/mod/forum/discuss.php?d=313681"},{"type":"WEB","url":"https://moodle.org/mod/forum/discuss.php?d=313682"},{"type":"WEB","url":"https://moodle.org/mod/forum/discuss.php?d=313683"},{"type":"WEB","url":"https://moodle.org/mod/forum/discuss.php?d=313685"},{"type":"WEB","url":"https://moodle.org/mod/forum/discuss.php?d=313686"},{"type":"WEB","url":"https://moodle.org/mod/forum/discuss.php?d=313687"},{"type":"WEB","url":"https://moodle.org/mod/forum/discuss.php?d=313688"},{"type":"WEB","url":"https://docs.moodle.org/dev/Moodle_2.6.11_release_notes"},{"type":"WEB","url":"https://moodle.org/mod/forum/discuss.php?d=313322"}],"affected":[{"package":{"name":"moodle","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/moodle?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.6.11-1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2015-0229.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}