Se han publicado nuevas de que solucionan problemas de de esta aula virtual y es por tanto más que recomendable actualizar su sitio Web Moodle.

Si tiene contratado con nosotros las actualizaciones de seguridad durante 1 año (

debe icontactar con nosotros mediante e-mail ( para solicitar esta actualización.

Si no dispone de actualizaciones sin límite de Moodle durante 1 año puede contratar la actualización parcial por 40 € (IVA inc.) en la dirección siguiente:

Recuerde que el paso de una versión inferior a una superior puede necesitar modificaciones en las plantillas. Estas modificaciones deben presupuestarse aparte
(Ejemplo de versiones 1.6.x a 1.8.x y/o 1.9.x).

De la versión 1.9.2 a la 1.9.3 no existen variaciones en el de la plantilla.

Información en inglés:


Topic: customised PhpMyAdmin upgraded to
Severity: MAJOR
Versions affected: all
Reported by: upstream PMASA-2008-8
Issue no.: MDL-16623
Solution: Install latest package from



Topic: quiz/questions capabilities lack some risk flags in
access.php files
Severity: MINOR

Reported by: internal code review
Issue no.: MDL-15819
Solution: to latest releases

We have discovered during code review that some quiz
and questions related capabilities lack proper definition
of associated risks. Administrators should update sites or
at least review the changes in risk definitions in all quiz
and question related capabilities.


Topic: design deficiency combined with incorrect use of
format_string() allowing XSS
Severity: HIGH

Reported by: Lars Vogdt
Issue no.: MDL-15823
Solution: Update to latest releases or patch format_string() function

Lars Vogdt reported a Cross Site Scripting (XSS) problem in
one script, during the evaluation we have realised that several
other places might be affected too. The problem was caused by
combination of incorrect use of format_string() and previous
design of this function. We have decided to prevent this and
any similar problems in future by adding more sanitisation into


Topic: XSS through Wiki page titles
Severity: HIGH

Reported by: Mike Churchward
Issue no.: MDL-15896
Solution: update to latest releases

Wiki page names were not sanitised on output, allowing
for potential cross site scripting (XSS) issues.


Topic: CSRF in messaging setting
Severity: MAJOR

Reported by: internal code review
Issue no.: MDL-16688
Solution: update to latest releases

The messaging settings page was exposed to a CSRF
vulnerability because it wasn't protected by the
sesskey mechanism.


Topic: Overriding of frozen values in Moodle forms
Severity: MINOR

Reported by: Ashley Holman
Issue no.: MDL-16839
Solution: update to latest releases

Anshley Holman reported that it is possible to side
step user profile locking mechanism. The cause of
this is in our quickforms integration, unfortunately
it can not be fixed without potential regressions.
We have decided to work around this problem by
using setConstant() together with hardFreeze().
Please update your code in a similar way if required.
The problem will be better resolved in .


Topic: SQL injection in tags code
Severity: HIGH
Versions affected: 1.9.0, 1.9.1, 1.9.2
Reported by: D P
Issue no.: MDL-16585
Solution: update to latest release

SQL injection problem was reported in tag related code.
Please update your site or disable tags feature.


Topic: customised HTML Purifier upgraded to 2.
Severity: MINOR
Versions affected: 1.9.0, 1.9.1, 1.9.2
Reported by: upstream
Issue no.: MDL-16667
Solution: upgrade to latest release or use standard kses text cleaning engine