DSA-1691-1

Details

Vulnerability : several Problem type : remote Debian-specific: no CVE Id(s) : CVE-2007-3555 CVE-2008-1502 CVE-2008-3325 CVE-2008-3326 CVE-2008-4796 CVE-2008-4810 CVE-2008-4811 CVE-2008-5432 Debian Bugs : 432264 471158 489533 492492 504235 504345 508593

Several remote vulnerabilities have been discovered in Moodle, an online course management system. The following issues are addressed in this update, ranging from cross site scripting to remote code execution.

Various cross site scripting issues in the Moodle codebase (CVE-2008-3326, CVE-2008-3325, CVE-2007-3555, CVE-2008-5432, MSA-08-0021, MDL-8849, MDL-12793, MDL-11414, MDL-14806, MDL-10276).

Various cross site request forgery issues in the Moodle codebase (CVE-2008-3325, MSA-08-0023).

Privilege escalation bugs in the Moodle codebase (MSA-08-0001, MDL-7755).

SQL injection issue in the hotpot module (MSA-08-0010).

An embedded copy of Smarty had several vulnerabilities (CVE-2008-4811, CVE-2008-4810). An embedded copy of Snoopy was vulnerable to cross site scripting (CVE-2008-4796). An embedded copy of Kses was vulnerable to cross site scripting (CVE-2008-1502).

Affected Packages

moodle

Debian 4

Fixed in:

1.6.3-2+etch1

References

ADVISORY

https://security-tracker.debian.org/tracker/DSA-1691-1