Dan Marsden

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.1.10 and earlier, 2.2.x before 2.2.11, 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.1 **Description** The issue concerns the improper implementation of RSS tokens for impersonation in the rss/file.php script. This allows remote authenticated users to obtain sensitive block information by reading an RSS feed. **Recommendations** For versions 2.1.10 and earlier, update to a version later than 2.1.10. For versions 2.2.x before 2.2.11, update to version 2.2.11 or later. For versions 2.3.x before 2.3.8, update to version 2.3.8 or later. For versions 2.4.x before 2.4.5, update to version 2.4.5 or later. For versions 2.5.x before 2.5.1, update to version 2.5.1 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.0.x through 2.0.9 Moodle versions 2.1.x through 2.1.6 Moodle versions 2.2.x through 2.2.3 **Description** The issue allows remote authenticated users to execute arbitrary SQL commands via crafted form data. This is a result of a SQL injection vulnerability in the mod/feedback/complete.php file. **Recommendations** For Moodle versions 2.0.x through 2.0.9, update to version 2.0.10 or later. For Moodle versions 2.1.x through 2.1.6, update to version 2.1.7 or later. For Moodle versions 2.2.x through 2.2.3, update to version 2.2.4 or later.