MGASA-2014-0483

Source
https://advisories.mageia.org/MGASA-2014-0483.html
Import Source
https://advisories.mageia.org/MGASA-2014-0483.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2014-0483
Upstream
  • CVE-2014-7830
  • CVE-2014-7832
  • CVE-2014-7833
  • CVE-2014-7834
  • CVE-2014-7835
  • CVE-2014-7836
  • CVE-2014-7837
  • CVE-2014-7838
  • CVE-2014-7845
  • CVE-2014-7846
  • CVE-2014-7847
  • CVE-2014-7848
Published
2014-11-22T10:54:50Z
Modified
2026-04-16T06:24:29.224437670Z
Summary
Updated moodle package fixes security vulnerabilities
Details

In Moodle before 2.6.5, without forcing the encoding, it was possible for UTF-7 characters to be used to inject cross-site scripting payloads into AJAX scripts (although this is unlikely on modern browsers and on most Moodle pages) (MSA-14-0035).

In Moodle before 2.6.5, there was an XSS issue via $searchcourse in mod/feedback/mapcourse.php, because the last search string in the Feedback module was not escaped in the search input field (CVE-2014-7830).

In Moodle before 2.6.5, the word list used for temporary password generation was short, so the pool of possible passwords was too small (CVE-2014-7845).

In Moodle before 2.6.5, capability checks in the LTI module only checked access to the course and not to the activity (CVE-2014-7832).

In Moodle before 2.6.5, group-level entries in the Database activity module became visible to users in other groups after being edited by a teacher (CVE-2014-7833).

In Moodle before 2.6.5, unprivileged users could access the list of available tags in the system (CVE-2014-7846).

In Moodle before 2.6.5, the script used to geo-map IP addresses was available to unauthenticated users, increasing server load when it was used by other parties (CVE-2014-7847).

In Moodle before 2.6.5, when using the web service function for Forum discussions, group permissions were not checked (CVE-2014-7834).

In Moodle before 2.6.5, by directly accessing an internal file, an unauthenticated user could be shown an error message containing the file system path of the Moodle install (CVE-2014-7848).

In Moodle before 2.6.5, if a web service with a file upload function was available, a user could upload an XSS file to their profile picture area (CVE-2014-7835).

In Moodle before 2.6.5, two files in the LTI module lacked a session key check, potentially allowing cross-site request forgery (CVE-2014-7836).

In Moodle before 2.6.5, by tweaking URLs, users who were able to delete pages in at least one Wiki activity in a course were able to delete pages in other Wiki activities in the same course (CVE-2014-7837).

In Moodle before 2.6.5, the set tracking script in the Forum module lacked a session key check, potentially allowing cross-site request forgery (CVE-2014-7838).

In Moodle before 2.6.5, the session key check was missing on the return page in the LTI module, allowing an attacker to include an arbitrary message in the URL query string (MSA-14-0049).

References
Credits

Affected packages

Mageia:3 / moodle

Package

Name
moodle
Purl
pkg:rpm/mageia/moodle?arch=source&distro=mageia-3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.6.6-1.mga3

Ecosystem specific

{
    "section": "core"
}

Database specific

source
"https://advisories.mageia.org/MGASA-2014-0483.json"

Mageia:4 / moodle

Package

Name
moodle
Purl
pkg:rpm/mageia/moodle?arch=source&distro=mageia-4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.6.6-1.mga4

Ecosystem specific

{
    "section": "core"
}

Database specific

source
"https://advisories.mageia.org/MGASA-2014-0483.json"