Description
In Moodle before 2.8.9, if guest access is open on the site,
unauthenticated users can store Atto draft data through the editor
autosave area, which could be exploited in a denial of service attack
(CVE-2015-5332).
In Moodle before 2.8.9, due to a CSRF issue in the site registration form,
it is possible to trick a site admin into sending aggregate stats to an
arbitrary domain. The attacker can send the admin a link to a site
registration form that will display the correct URL but, if submitted,
will register with another hub (CVE-2015-5335).
In Moodle before 2.8.9, the standard survey module is vulnerable to XSS
attack by students who fill the survey (CVE-2015-5336).
In Moodle before 2.8.9, there was a reflected XSS vulnerability in the
Flowplayer flash video player (CVE-2015-5337).
In Moodle before 2.8.9, password-protected lesson modules are subject to a
CSRF vulnerability in the lesson login form (CVE-2015-5338).
In Moodle before 2.8.9, through web service core_enrol_get_enrolled_users
it is possible to retrieve list of course participants who would not be
visible when using web site (CVE-2015-5339).
In Moodle before 2.8.9, logged in users who do not have capability 'View
available badges without earning them' can still access the full list of
badges (CVE-2015-5340).
In Moodle before 2.8.9, the SCORM module allows to bypass access
restrictions based on date and lets users view the SCORM contents
(CVE-2015-5341).
In Moodle before 2.8.9, the choice module closing date can be bypassed,
allowing users to delete or submit new responses after the choice module
was closed (CVE-2015-5342).