{"id":"MGASA-2016-0122","summary":"Updated moodle packages fix security vulnerability","details":"In Moodle before 2.8.11, teachers who otherwise were not supposed to see\nstudents' emails could see them in the participants list (CVE-2016-2151).\n\nIn Moodle before 2.8.11, Moodle traditionally trusted content from\nexternal DB, however it was decided that external datasources may not be\naware of web security practices and data could cause problems after\nimporting to Moodle (CVE-2016-2152).\n\nIn Moodle before 2.8.11, a user with higher permissions could be tricked\ninto clicking a link which would result in Reflected XSS in mod_data\nadvanced search (CVE-2016-2153).\n\nIn Moodle before 2.8.11, users without capability to view hidden courses\nbut with capability to subscribe to Event Monitor rules could see the\nnames of hidden courses (CVE-2016-2154).\n\nIn Moodle before 2.8.11, the Non-Editing Instructor role can edit the\nexclude checkbox in the Single View grade report (CVE-2016-2155).\n\nIn Moodle before 2.8.11, users without the capability to view hidden\nactivities could still see associated calendar events via web services,\nvia the external function get_calendar_events (CVE-2016-2156).\n\nIn Moodle before 2.8.11, CSRF is possible on the Assignment plugin admin\npage, however an exploit is unlikely to benefit anybody and can easily be\nreversed (CVE-2016-2157).\n\nIn Moodle before 2.8.11, enumeration of course category details is\npossible without authentication (CVE-2016-2158).\n\nIn Moodle before 2.8.11, students were able to add assignment submissions\nafter the due date through web service, via the external function\nmod_assign_save_submission (CVE-2016-2159).\n\nIn Moodle before 2.8.11, when following external links that were added\nwith the _blank target, a referer header would be added (CVE-2016-2190).\n","modified":"2026-02-04T03:34:39.626290Z","published":"2016-03-25T06:38:37Z","related":["CVE-2016-2151","CVE-2016-2152","CVE-2016-2153","CVE-2016-2154","CVE-2016-2155","CVE-2016-2156","CVE-2016-2157","CVE-2016-2158","CVE-2016-2159","CVE-2016-2190"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2016-0122.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=18048"},{"type":"REPORT","url":"https://moodle.org/mod/forum/discuss.php?d=330173"},{"type":"REPORT","url":"https://moodle.org/mod/forum/discuss.php?d=330174"},{"type":"REPORT","url":"https://moodle.org/mod/forum/discuss.php?d=330175"},{"type":"REPORT","url":"https://moodle.org/mod/forum/discuss.php?d=330176"},{"type":"REPORT","url":"https://moodle.org/mod/forum/discuss.php?d=330177"},{"type":"REPORT","url":"https://moodle.org/mod/forum/discuss.php?d=330178"},{"type":"REPORT","url":"https://moodle.org/mod/forum/discuss.php?d=330179"},{"type":"REPORT","url":"https://moodle.org/mod/forum/discuss.php?d=330180"},{"type":"REPORT","url":"https://moodle.org/mod/forum/discuss.php?d=330181"},{"type":"REPORT","url":"https://moodle.org/mod/forum/discuss.php?d=330182"},{"type":"REPORT","url":"https://docs.moodle.org/dev/Moodle_2.8.11_release_notes"},{"type":"REPORT","url":"https://moodle.org/mod/forum/discuss.php?d=329783"}],"affected":[{"package":{"name":"moodle","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/moodle?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.8.11-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0122.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}