Moodle Multiple Vulnerabilities Fixed by 2.9, 2.8.6, 2.7.8 and 2.6.11
Description
Several vulnerabilities have been identified in Moodle:

- CVE-2015-3174: cross-site scripting located in 'mod/quiz:grade'
- CVE-2015-3175: open redirect
- CVE-2015-3176: information disclosure allowing an attacker who knows the username of a registered user to retrieve that user's full name
- CVE-2015-3177: information disclosure. This vulnerability is exploitable if site-wide rules exist in the event monitor tool
- CVE-2015-3178: cross-site scripting located in several text fields entered by students from Web Services
- CVE-2015-3179: security bypass. An attacker whose account is suspended but actually confirmed is able to log in (only once). This vulnerability occurs when self-registration is enabled
- CVE-2015-3180: information disclosure in the navigation tree from a user with a suspended enrollment
- CVE-2015-3181: arbitrary file upload by using deprecated functions in Web Services. To exploit this vulnerability, the attacker must have the revoked capability 'moodle/user:manageownfiles'.

The moodle packages provided by Debian Squeeze 6 are vulnerable and no fixed packages will be released (EOL for Squeeze LTS).