| Topic: | Moodle form element types are not applied to some 'repeated' elements |
| Severity: | Minor |
| Versions affected: | 2.2, 2.1 to 2.1.3+ (earlier versions unaffected) |
| Reported by: | Ruslan Kabalin |
| Issue no.: | MDL-30560 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=51070abc78b9e1db1db9a44855e8623b22bebd48 |
Description:
Some repeated form elements were not being validated properly.
| Topic: | iPad Autofill Functionality reveals users password on Moodle create groups page |
| Severity: | Serious |
| Versions affected: | 2.2, 2.1 to 2.1.3+, 2.0 to 2.0.6+ (1.9 not affected) |
| Reported by: | Mike Wilson |
| Issue no.: | MDL-29917 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29917 |
Description:
Safari was revealing the user's saved password in a non-password field.
| Topic: | Anonymous frontpage forums call generates sesskey value |
| Severity: | Minor |
| Versions affected: | 2.1 to 2.1.3+, 2.0 to 2.0.6+ (2.2, 1.9 not affected) |
| Reported by: | Stephen Overall |
| Workaround: | Do not use an anonymous forum on the front page |
| Issue no.: | MDL-27334 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-27334 |
Description:
It was possible to access a page that would generate sesskey values for an unauthenticated user.
| Topic: | Teacher can assign role in self-enrolment for his course as manager even if assign role is disabled |
| Severity: | Minor |
| Versions affected: | 2.2, 2.1 to 2.1.3+ (earlier versions unaffected) |
| Reported by: | Ibrahim Awad |
| Workaround: | Disable self-enrolment |
| Issue no.: | MDL-29469 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-29469 |
Description:
Under specific circumstances, teachers were able to self-enrol themselves at a higher level.
| Topic: | WS tokens & user->deleted status are out of sync |
| Severity: | Minor |
| Versions affected: | 2.2, 2.1 to 2.1.3+, 2.0 to 2.0.6+ (1.9 not affected) |
| Reported by: | Eloy Lafuente |
| Issue no.: | MDL-28126 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28126 |
Description:
A user deleted on the server was able to access a site while they continued to use a token.
| Topic: | Header injection in PHPMailer library |
| Severity: | Serious |
| Versions affected: | 2.2, 2.1 to 2.1.3+, 2.0 to 2.0.6+, 1.9 to 1.9.15+ |
| Reported by: | Simon Coggins |
| Issue no.: | MDL-30575 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=62988bf0bbc73df655f51884aaf1f523928abff9 |
Description:
It was possible to inject additional information into email headers, such as additional addresses.
| Topic: | No validation performed on email address setting |
| Severity: | Minor |
| Versions affected: | 2.2, 2.1 to 2.1.3+, 2.0 to 2.0.6+, 1.9 to 1.9.15+ |
| Reported by: | John Ehringer |
| Issue no.: | MDL-13572 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-13572 |
Description:
Additional validation is now performed at various stages. As well as ensuring emails are sent to valid addresses, this also prevents potential attacks.
| Topic: | rc4encrypt function uses hardcoded key |
| Severity: | Minor |
| Versions affected: | 2.2, 2.1 to 2.1.3+, 2.0 to 2.0.6+, 1.9 to 1.9.15+ |
| Reported by: | Rajesh Taneja |
| Workaround | Manually change encryption key |
| Issue no.: | MDL-28948 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-28948 |
Description:
Encryption and decryption of cookies and other values now use a key generated at install, rather than a fixed key.
| Topic: | New setting: CFG->forceloginforprofileimages |
| Severity: | Minor |
| Versions affected: | 2.2, 2.1 to 2.1.3+, 2.0 to 2.0.6+, 1.9 to 1.9.15+ |
| Reported by: | Eloy Lafuente |
| Issue no.: | MDL-29844 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git;a=commit;h=90911c4ff98dc2078a3acef5ddf5a1a8f7e20ba5 |
Description:
This config variable allows sites to prevent unauthenticated access to users' profile images.
| Topic: | Auto completion not disabled for password field in login form |
| Severity: | Minor |
| Versions affected: | 2.2, 2.1 to 2.1.3+, 2.0 to 2.0.6+, 1.9 to 1.9.15+ |
| Reported by: | Andrea Bicciolo |
| Issue no.: | MDL-30336 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-30336 |
Description:
An administration setting has been added that attempts to block browsers remembering users' passwords.
It's good practice to always use the latest stable release of the version you are using. For example, if you are using 1.9.10, it is very safe and easy to go to any higher 1.9.x, because the stable branches generally don't contain any new features (just fixes). CVS is a very easy way to do this.
For more information and alternative ideas, see the Security Documentation.
Did you know if you register your Moodle site with moodle.org you can receive early email alerts of security issues? To register, just visit Admin > Notifications in your own Moodle site.
Please "Create a new issue" in the Moodle Tracker describing the problem (and solution if possible) in detail. Make sure you set the Security Level accurately to make sure that the security team sees it. Bugs classified as a "Serious security issue" will be hidden from the general public until the security team is able to resolve it and publish fixes to registered Moodle sites.
If you have Moodle 1.9.4 and later, you'll find a new Security Report under Admin -> Reports -> Security
Give it a try! It'll check for kinds of potential security problems that you might have in your configuration.
Courses
Categories