Test ID: 1.3.6.1.4.1.25623.1.1.10.2014.0483
Category: Mageia Linux Local Security Checks
Title: Mageia: Security Advisory (MGASA-2014-0483)
Summary: The remote host is missing an update for the 'moodle' package(s) announced via the MGASA-2014-0483 advisory.
Description:

Vulnerability Insight:
In Moodle before 2.6.5, without forcing the encoding, UTF-7 characters
could be used to perform cross-site scripting against AJAX scripts
(although this is unlikely on modern browsers and on most Moodle pages)
(MSA-14-0035).

In Moodle before 2.6.5, there was an XSS issue through $searchcourse in
mod/feedback/mapcourse.php, because the last search string in the Feedback
module was not escaped in the search input field (CVE-2014-7830).

In Moodle before 2.6.5, the word list for temporary password generation was
short, so the pool of possible passwords was not large enough
(CVE-2014-7845).

In Moodle before 2.6.5, capability checks in the LTI module only checked
access to the course and not to the activity (CVE-2014-7832).

In Moodle before 2.6.5, group-level entries in the Database activity module
became visible to users in other groups after being edited by a teacher
(CVE-2014-7833).

In Moodle before 2.6.5, unprivileged users could access the list of
available tags in the system (CVE-2014-7846).

In Moodle before 2.6.5, the script used to geo-map IP addresses was
available to unauthenticated users, increasing server load when used by
other parties (CVE-2014-7847).

In Moodle before 2.6.5, when using the web service function for Forum
discussions, group permissions were not checked (CVE-2014-7834).

In Moodle before 2.6.5, by directly accessing an internal file, an
unauthenticated user could be shown an error message containing the file
system path of the Moodle install (CVE-2014-7848).

In Moodle before 2.6.5, if a web service with a file upload function was
available, a user could upload a file containing XSS to their profile
picture area (CVE-2014-7835).

In Moodle before 2.6.5, two files in the LTI module lacked a session key
check, potentially allowing cross-site request forgery (CVE-2014-7836).

In Moodle before 2.6.5, by tweaking URLs, users who were able to delete
pages in at least one Wiki activity in a course were able to delete pages
in other Wiki activities in the same course (CVE-2014-7837).

In Moodle before 2.6.5, the set-tracking script in the Forum module lacked a
session key check, potentially allowing cross-site request forgery
(CVE-2014-7838).

In Moodle before 2.6.5, a session key check was missing on the return page
in the LTI module, allowing an attacker to include an arbitrary message in
the URL query string (MSA-14-0049).

Affected Software/OS:
'moodle' package(s) on Mageia 3, Mageia 4.

Solution:
Please install the updated package(s).

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2014-7830
BugTraq ID: 71119
http://www.securityfocus.com/bid/71119
http://openwall.com/lists/oss-security/2014/11/17/11
http://www.securitytracker.com/id/1031215
Common Vulnerability Exposure (CVE) ID: CVE-2014-7832
Common Vulnerability Exposure (CVE) ID: CVE-2014-7833
Common Vulnerability Exposure (CVE) ID: CVE-2014-7834
Common Vulnerability Exposure (CVE) ID: CVE-2014-7835
Common Vulnerability Exposure (CVE) ID: CVE-2014-7836
Common Vulnerability Exposure (CVE) ID: CVE-2014-7837
Common Vulnerability Exposure (CVE) ID: CVE-2014-7838
Common Vulnerability Exposure (CVE) ID: CVE-2014-7845
Common Vulnerability Exposure (CVE) ID: CVE-2014-7846
Common Vulnerability Exposure (CVE) ID: CVE-2014-7847
Common Vulnerability Exposure (CVE) ID: CVE-2014-7848
Copyright: Copyright (C) 2022 Greenbone AG
