Security announcements

MSA-18-0012: Portfolio script allows instantiation of class chosen by user

 
Picture of Marina Glancy
MSA-18-0012: Portfolio script allows instantiation of class chosen by user
 

Substituting URL in portfolios users can instantiate any class, this can also be exploited by users who are logged in as guests to create a DDoS attack


Severity/Risk: Serious
Versions affected: 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions
Versions fixed: 3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12
Reported by: Brendan Cox
Workaround: Disable portfolios until the fix is applied. Portfolios are disabled by default in Moodle
CVE identifier: CVE-2018-1137
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62233
Tracker issue: MDL-62233 Portfolio script allows instantiation of class chosen by user