Dan Poltawski

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.4.0 through 2.4.11 Moodle versions 2.5.x before 2.5.9 Moodle versions 2.6.x before 2.6.6 Moodle versions 2.7.x before 2.7.3 **Description** The issue allows remote attackers to cause a denial of service by triggering the calculation of an estimated latitude and longitude for an IP address, resulting in resource consumption. **Recommendations** For versions 2.4.0 through 2.4.11, update to version 2.4.12 or later. For versions 2.5.x before 2.5.9, update to version 2.5.9 or later. For versions 2.6.x before 2.6.6, update to version 2.6.6 or later. For versions 2.7.x before 2.7.3, update to version 2.7.3 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions prior to 2.1.11 Moodle versions 2.2.x prior to 2.2.10 Moodle versions 2.3.x prior to 2.3.7 Moodle versions 2.4.x prior to 2.4.4 **Description** The issue arises from the improper handling of a certain array-element syntax by the MoodleQuickForm class in lib/formslib.php. This allows remote attackers to bypass intended form-data filtering via a crafted request. **Recommendations** For versions prior to 2.1.11, update to version 2.1.11 or later. For versions 2.2.x prior to 2.2.10, update to version 2.2.10 or later. For versions 2.3.x prior to 2.3.7, update to version 2.3.7 or later. For versions 2.4.x prior to 2.4.4, update to version 2.4.4 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.1.0 through 2.1.10 Moodle versions 2.2.x before 2.2.10 Moodle versions 2.3.x before 2.3.7 Moodle versions 2.4.x before 2.4.4 **Description** The issue allows remote attackers to obtain sensitive information via a crafted request, due to the lack of capability requirements enforcement for reading blog comments. **Recommendations** For versions 2.1.0 through 2.1.10, update to version 2.1.11 or later. For versions 2.2.x before 2.2.10, update to version 2.2.10 or later. For versions 2.3.x before 2.3.7, update to version 2.3.7 or later. For versions 2.4.x before 2.4.4, update to version 2.4.4 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.1.x through 2.1.9 Moodle versions 2.2.x through 2.2.6 Moodle versions 2.3.x through 2.3.3 Moodle versions 2.4.x through 2.4.0 **Description** The issue is related to the moodle1 backup converter in Moodle, which does not properly validate pathnames. This allows remote authenticated users to read arbitrary files by leveraging the backup-restoration feature. **Recommendations** For Moodle versions 2.1.x through 2.1.9, update to version 2.1.10 or later. For Moodle versions 2.2.x through 2.2.6, update to version 2.2.7 or later. For Moodle versions 2.3.x through 2.3.3, update to version 2.3.4 or later. For Moodle versions 2.4.x through 2.4.0, update to version 2.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.3.x through 2.3.3 Moodle versions 2.4.x through 2.4.0 **Description** The issue allows remote attackers to read or modify the submission comments of arbitrary users via a crafted URI. This is due to a problem in the lib.php file within the Submission comments plugin in the Assignment module. **Recommendations** For Moodle versions 2.3.x through 2.3.3, update to version 2.3.4 or later. For Moodle versions 2.4.x through 2.4.0, update to version 2.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** Apple Safari versions prior to 6.0 **Description** The issue allows remote attackers to bypass authentication by leveraging an unattended workstation, due to improper handling of the autocomplete attribute of a password input element. **Recommendations** For versions prior to 6.0, update to version 6.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.2.x through 2.2.3 Moodle versions 2.3.x through 2.3.0 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `lti typename` or `lti toolurl` parameters in the mod/lti/typessettings.php file. **Recommendations** For Moodle versions 2.2.x through 2.2.3, update to version 2.2.4 or later. For Moodle versions 2.3.x through 2.3.0, update to version 2.3.1 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.1.x through 2.1.5 Moodle versions 2.2.x through 2.2.2 **Description** The issue is related to the mod/data/preset.php file in Moodle, which does not properly iterate through an array. This allows remote authenticated users to overwrite arbitrary database activity presets via unspecified vectors. **Recommendations** For Moodle versions 2.1.x through 2.1.5, update to version 2.1.6 or later. For Moodle versions 2.2.x through 2.2.2, update to version 2.2.3 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.0.x through 2.0.8 Moodle versions 2.1.x through 2.1.5 Moodle versions 2.2.x through 2.2.2 **Description** A cross-site scripting (XSS) issue allows remote authenticated users to inject arbitrary web script or HTML via the `idnumber` field to "cohort/edit.php". **Recommendations** For Moodle versions 2.0.x through 2.0.8, update to version 2.0.9 or later. For Moodle versions 2.1.x through 2.1.5, update to version 2.1.6 or later. For Moodle versions 2.2.x through 2.2.2, update to version 2.2.3 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.0.x through 2.0.8 Moodle versions 2.1.x through 2.1.5 Moodle versions 2.2.x through 2.2.2 **Description** A cross-site scripting (XSS) issue exists, allowing remote authenticated users to inject arbitrary web script or HTML via the `name` field to "admin/webservice/service.php". **Recommendations** For Moodle versions 2.0.x through 2.0.8, update to version 2.0.9 or later. For Moodle versions 2.1.x through 2.1.5, update to version 2.1.6 or later. For Moodle versions 2.2.x through 2.2.2, update to version 2.2.3 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 1.7 through 1.7.6 Moodle versions 1.8 through 1.8.7 Moodle versions 1.9 through 1.9.3 **Description** A cross-site request forgery (CSRF) issue exists in the forum code, allowing remote attackers to delete unauthorized forum posts via a link or IMG tag to "post.php". **Recommendations** For Moodle versions 1.7 through 1.7.6, update to version 1.7.7 or later. For Moodle versions 1.8 through 1.8.7, update to version 1.8.8 or later. For Moodle versions 1.9 through 1.9.3, update to version 1.9.4 or later.