David Mudrak

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.1.x through 2.1.9 Moodle versions 2.2.x through 2.2.6 Moodle versions 2.3.x through 2.3.3 Moodle versions 2.4.x through 2.4.0 **Description** The issue allows remote attackers to obtain sensitive information by reading the blog RSS feed, even after blogging is disabled. This is due to the `blog/rsslib.php` file in the affected Moodle versions continuing to provide the feed. **Recommendations** For versions 2.1.x through 2.1.9, update to version 2.1.10 or later. For versions 2.2.x through 2.2.6, update to version 2.2.7 or later. For versions 2.3.x through 2.3.3, update to version 2.3.4 or later. For versions 2.4.x through 2.4.0, update to version 2.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 1.9.x through 1.9.13 Moodle versions 2.0.x through 2.0.4 Moodle versions 2.1.x through 2.1.1 **Description** The issue arises from improper processing of the return value of the `openssl verify` function in `mnet/xmlrpc/client.php`. This allows remote attackers to bypass validation by using a crafted certificate. **Recommendations** For Moodle versions 1.9.x through 1.9.13, update to version 1.9.14 or later. For Moodle versions 2.0.x through 2.0.4, update to version 2.0.5 or later. For Moodle versions 2.1.x through 2.1.1, update to version 2.1.2 or later.