[Secure-testing-team] Bug#668411: CVE-2012-1155: MSA-12-0013: Database activity export permission issue
Moritz Muehlenhoff
jmm at debian.org
Wed Apr 11 17:07:32 UTC 2012
Package: moodle
Severity: important
Tags: security
Out of the new Moodle security issues, only MSA-12-0013 affects sid and Squeeze:
MSA-12-0013: Database activity export permission issue
CVE-2012-1155
Topic: database activity module entries exporting does
not respect separate groups
Severity/Risk: Minor
Versions affected: 2.2 to 2.2.1+, 2.1 to 2.1.4+, 2.0 to 2.0.7+,
1.9 to 1.9.16+
Reported by: Frédéric Hoogstoel
Workaround: Disable database content export for students
Issue no.: MDL-25185
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-25185
Description:
The export function of the database activity module was exporting all
entries, including those from groups the user is not a member of.
This issue doesn't warrant a DSA, but you could still fix it through a
point update.
Cheers,
Moritz