Hi, these issues got CVE ids:
CVE-2009-4305[0]: | SQL injection vulnerability in the SCORM module in Moodle 1.8 before | 1.8.11 and 1.9 before 1.9.7 allows remote authenticated users to | execute arbitrary SQL commands via vectors related to an "escaping | issue when processing AICC CRS file (Course_Title)." CVE-2009-4304[1]: | Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 does not use a random | password salt in config.php, which makes it easier for attackers to | conduct brute-force password guessing attacks. CVE-2009-4303[2]: | Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 stores (1) password | hashes and (2) unspecified "secrets" in backup files, which might | allow attackers to obtain sensitive information. CVE-2009-4302[3]: | login/index_form.html in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 | links to an index page on the HTTP port even when the page is served | from an HTTPS port, which might cause login credentials to be sent in | cleartext, even when SSL is intended, and allows remote attackers to | obtain these credentials by sniffing. CVE-2009-4301[4]: | mnet/lib.php in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7, when | MNET services are enabled, does not properly check permissions, which | allows remote authenticated servers to execute arbitrary MNET | functions. CVE-2009-4300[5]: | Multiple unspecified authentication plugins in Moodle 1.8 before | 1.8.11 and 1.9 before 1.9.7 store the MD5 hashes for passwords in the | user table, even when the cached hashes are not used by the plugin, | which might make it easier for attackers to obtain credentials via | unspecified vectors. CVE-2009-4299[6]: | mod/glossary/showentry.php in the Glossary module for Moodle 1.8 | before 1.8.11 and 1.9 before 1.9.7 does not properly perform access | control, which allows attackers to read unauthorized Glossary entries | via unknown vectors. CVE-2009-4298[7]: | The LAMS module (mod/lams) for Moodle 1.8 before 1.8.11 and 1.9 before | 1.9.7 stores the (1) username, (2) firstname, and (3) lastname fields | within the user table, which allows attackers to obtain user account | information via unknown vectors. CVE-2009-4297[8]: | Multiple cross-site request forgery (CSRF) vulnerabilities in Moodle | 1.8 before 1.8.11 and 1.9 before 1.9.7 allow remote attackers to | hijack the authentication of unspecified victims via unknown vectors. If you fix the vulnerabilities please also make sure to include the CVE ids in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4305 http://security-tracker.debian.org/tracker/CVE-2009-4305 [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4304 http://security-tracker.debian.org/tracker/CVE-2009-4304 [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4303 http://security-tracker.debian.org/tracker/CVE-2009-4303 [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4302 http://security-tracker.debian.org/tracker/CVE-2009-4302 [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4301 http://security-tracker.debian.org/tracker/CVE-2009-4301 [5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4300 http://security-tracker.debian.org/tracker/CVE-2009-4300 [6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4299 http://security-tracker.debian.org/tracker/CVE-2009-4299 [7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4298 http://security-tracker.debian.org/tracker/CVE-2009-4298 [8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4297 http://security-tracker.debian.org/tracker/CVE-2009-4297
signature.asc
Description: OpenPGP digital signature
