MGASA-2014-0160

Updated moodle package fixes security vulnerabilities:

In Moodle before 2.4.9, question strings were not being filtered correctly possibly allowing cross site scripting, as quizquestiontostring can cause invalid HTML (CVE-2014-2571).

Feedback Availability dates not honored in complete.php in Moodle before 2.4.9, therefore it was possible to start a Feedback activity while it was supposed to be closed (CVE-2014-0127).

Broken access control vulnerability in Moodle before 2.4.9 with /mod/chat/chat_ajax.php, where capabilities to chat were being checked at the start of a chat, but not during, so changes were not effective immediately (CVE-2014-0122).

In Moodle before 2.4.9, there were missing access checks on Wiki pages allowing students to see pages of other students' individual wikis, through the Recent activity block (CVE-2014-0123).

In Moodle before 2.4.9, cross site scripting was possible with Flowplayer (CVE-2013-7341).

In Moodle before 2.4.9, Forum and Quiz were showing users' email addresses when settings were supposed to be preventing this (CVE-2014-0124).

In Moodle before 2.4.9, alias links to items in an Alfresco repository were provided with information that would allow someone to impersonate the file owner in Alfresco (CVE-2014-0125).

Cross Site Request Forgery in Moodle before 2.4.9 in enrol/imsenterprise/importnow.php, due to inadequate session checking when triggering the import of IMS Enterprise identities (CVE-2014-0126).