Some security issues and multiple vulnerabilities have been reported in Moodle, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, disclose potentially sensitive information, and conduct SQL injection attacks.

1) The application does not properly validate references when shortcuts or aliases are not permitted and can be exploited to e.g. bypass file size restrictions.

This security issue is reported in version 2.3.

2) An error when verifying capabilities of cached users in the "is_enrolled()" function (lib/accesslib.php) can be exploited to bypass certain security restrictions.

3) Certain input passed to the LTI (External tool) module is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities #2 and #3 are reported in versions 2.2 through 2.2.3+ and 2.3.

4) The application does not properly restrict access to files embedded in a block (e.g. HTML block) and can be exploited to access otherwise restricted files.

5) An error when handling Q&A forum posts via RSS feeds can be exploited to disclose otherwise restricted information.

6) An error when verifying capabilities in forum subscriptions can be exploited to unsubscribe from unsubscription restricted forums.

The vulnerabilities #4 through #6 are reported in versions 2.1 through 2.1.6+ and 2.2 through 2.2.3+.

7) An error when handling redirections during the login process via LDAP can lead to a redirection from the HTTPS to the HTTP protocol.

8) Certain input passed to the administration of cohorts is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

9) An error when handling "Restrict Access" conditions can be exploited to display a group restricted activity.

The vulnerabilities #7 through #9 are reported in versions 2.0 through 2.0.9+, 2.1 through 2.1.6+, 2.2 through 2.2.3+, and 2.3.

10) Certain input passed via the Feedback module is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

This vulnerability is reported in versions 2.0 through 2.0.9+, 2.1 through 2.1.6+, and 2.2 through 2.2.3+.

Solution
Update to version 2.0.10, 2.1.7, 2.2.4, or 2.3.1.

Provided and/or discovered by
The vendor credits:
1) Petr Škoda
2, 5) Andrew Nicols
3) Dan Poltawski
4) Juan Leyva
6) Andrew Davis
7) Christophe
8) Eugene
9) Luke Tucker
10) Dan Marsden

Original Advisory
Moodle (MSA-12-0039, MSA-12-0040, MSA-12-0041, MSA-12-0042, MSA-12-0043, MSA-12-0044, MSA-12-0046, MSA-12-0047, MSA-12-0048, MSA-12-0049):
http://moodle.org/mod/forum/discuss.php?d=207145
http://moodle.org/mod/forum/discuss.php?d=207146
http://moodle.org/mod/forum/discuss.php?d=207147
http://moodle.org/mod/forum/discuss.php?d=207148
http://moodle.org/mod/forum/discuss.php?d=207149
http://moodle.org/mod/forum/discuss.php?d=207150
http://moodle.org/mod/forum/discuss.php?d=207152
http://moodle.org/mod/forum/discuss.php?d=207153
http://moodle.org/mod/forum/discuss.php?d=207154
http://moodle.org/mod/forum/discuss.php?d=207155

Deep Links
Links available to Secunia VIM customers