Security announcements

The best way to keep track of the recent security issues and get the latest information is to register your Moodle site with

By registering your Moodle site, your email address is added to the low-volume mailing list for important and most up-to-date information, including new and point releases and notifications such as security alerts.

We highly recommend you register your site.

Otherwise, after each release, all important security issues are published in this forum, which you can subscribe to ( account required).

Please note that if you subscribe to the security forum and Twitter options, there will be a delay of up to one week until the information becomes available.

Documentation: Security

DiscussionStarted byRepliesLast post
MSA-19-0009: get_with_capability_join/get_users_by_capability not aware of context freezing 0 Michael Hawkins
MSA-19-0008: Secure layout contained an insecure link in Boost theme 0 Michael Hawkins
MSA-19-0007: Stored HTML in assignment submission comments allowed links to be opened directly 0 Michael Hawkins
MSA-19-0006: Users could elevate their role when accessing the LTI tool on a provider site 0 Michael Hawkins
MSA-19-0005: Logged in users could view all calendar events 0 Michael Hawkins
MSA-19-0004: "Log in as" functionality exposed to JavaScript risk on other users' Dashboards 0 Michael Hawkins
MSA-19-0003: User full name is not escaped in the un-linked userpix page 0 Michael Hawkins
MSA-19-0002: Blind SSRF Risk in /badges/mybackpack.php 0 Michael Hawkins
MSA-19-0001: Manage groups capability is missing XSS risk flag 0 Michael Hawkins
MSA-18-0020: Login CSRF vulnerability in login form 0 Michael Hawkins
MSA-18-0019: Boost theme - blog search GET parameter insufficiently filtered 0 Michael Hawkins
MSA-18-0018: QuickForm library remote code vulnerability (upstream) 0 Michael Hawkins
MSA-18-0017: Moodle XML import of ddwtos could lead to intentional remote code execution 0 Michael Hawkins
MSA-18-0016: Quiz question bank import preview could execute JavaScript 0 Michael Hawkins
MSA-18-0015: Web service core_course_get_categories may return invisible categories 0 Michael Hawkins
MSA-18-0014: Privacy data exports include log data 0 Michael Hawkins
MSA-18-0012: Portfolio script allows instantiation of class chosen by user 0 Marina Glancy
MSA-18-0011: User who did not agree to the site policies can see the site homepage as if they had full site access 0 Marina Glancy
MSA-18-0010: User can shift a block from Dashboard to any page 0 Marina Glancy
MSA-18-0009: Portfolio forum caller class allows a user to download any file 0 Marina Glancy
MSA-18-0008: Users can download any file via portfolio assignment caller class 0 Marina Glancy
MSA-18-0007: Calculated question type allows remote code execution by Question authors 0 Marina Glancy
MSA-18-0006: Suspended users with OAuth 2 authentication method can still log in to the site 0 Marina Glancy
MSA-18-0005: Unauthenticated users can trigger custom messages to admin via paypal enrol script 0 Marina Glancy
MSA-18-0004: XSS in calendar event name 0 Marina Glancy
MSA-18-0003: Privilege escalation in quiz web services 0 Marina Glancy
MSA-18-0002: Setting for blocked hosts list can be bypassed with multiple A record hostnames 0 Marina Glancy
MSA-18-0001: Server Side Request Forgery in the filepicker 0 Marina Glancy
MSA-17-0021: Students can find out email addresses of other students in the same course 0 Marina Glancy
MSA-17-0020: Admins may not know that exposing vendor directory is a security risk 0 Marina Glancy
MSA-17-0019: user_can_view_profile() incorrectly assumes $course as shared course 0 Marina Glancy
MSA-17-0018: Course reports are not respecting group settings in courses 0 Marina Glancy
MSA-17-0017: XSS in contact form on "non-respondents" page in non-anonymous feedback 0 Marina Glancy
MSA-17-0016: Authentication bypass vulnerability with old CAS servers 0 Marina Glancy
MSA-17-0015: Course creators are able to change system default settings for courses 0 Marina Glancy
MSA-17-0014: Course overview block reveals activities in hidden courses 0 Marina Glancy
MSA-17-0006: User fullname disclosure on user preferences page 0 Marina Glancy
MSA-17-0013: Missing permission check when adding forum post attachments in Web Services 0 Marina Glancy
MSA-17-0012: CSRF in number of courses displayed in the course overview block 0 Marina Glancy
MSA-17-0011: Searching of blogs possible without capability to do it 0 Marina Glancy
MSA-17-0010: External blog editing takeover 0 Marina Glancy
MSA-17-0009: XSS in attachments to evidence of prior learning 0 Marina Glancy
MSA-17-0008: XSS in evidence of prior learning 0 Marina Glancy
MSA-17-0007: Global search displays user names for unauthenticated users 0 Marina Glancy
MSA-17-0005: SQL injection via user preferences 0 Marina Glancy
MSA-17-0004: XSS in assignment submission page 0 Marina Glancy
MSA-17-0003: PHPMailer vulnerability in no-reply address 0 Marina Glancy
MSA-17-0002: Incorrect sanitation of attributes in forums 0 Marina Glancy
MSA-17-0001: System file inclusion when adding own preset file in Boost theme 0 Marina Glancy
MSA-16-0026: When debugging is enabled, error exceptions returned from webservices could contain private data. 0 Marina Glancy
MSA-16-0025: Capability to view course notes is checked in the wrong context 0 Marina Glancy
MSA-16-0024: Non-admin site managers may accidentally edit admins via web services 0 Marina Glancy
MSA-16-0023: Question engine allows access to files that should not be available 0 Marina Glancy
MSA-16-0022: Web service tokens should be invalidated when the user password is changed or forced to be changed 0 Marina Glancy
MSA-16-0021: Unenrolled user still receives event monitor notifications even though they can no longer access course 0 Marina Glancy
MSA-16-0020: Text injection in email headers 0 Marina Glancy
MSA-16-0019: Glossary search displays entries without checking user permissions to view them 0 Marina Glancy
MSA-16-0018: CSRF in script marking forum posts as read 0 Marina Glancy
MSA-16-0017: Course idnumber not protected from teacher restore 0 Marina Glancy
MSA-16-0016: User can view badges of other users without proper permissions 0 Marina Glancy
MSA-16-0015: Information disclosure of hidden forum names and sub-names. 0 Marina Glancy
MSA-16-0014 0 Marina Glancy
MSA-16-0013: Users are able to change profile fields that were locked by the administrator 0 Marina Glancy
MSA-16-0012: External function mod_assign_save_submission does not check due dates 0 Marina Glancy
MSA-16-0011: Add no referrer to links with _blank target attribute 0 Marina Glancy
MSA-16-0010: Enumeration of category details possible without authentication 0 Marina Glancy
MSA-16-0009: CSRF in Assignment plugin management page 0 Marina Glancy
MSA-16-0008: External function get_calendar_events return events that pertains to hidden activities 0 Marina Glancy
MSA-16-0007: Non-Editing Instructor role can edit exclude checkbox in Single View 0 Marina Glancy
MSA-16-0006: Hidden courses are shown to students in Event Monitor 0 Marina Glancy
MSA-16-0005: Reflected XSS in mod_data advanced search 0 Marina Glancy
MSA-16-0004: XSS from profile fields from external db 0 Marina Glancy
MSA-16-0003: Incorrect capability check when displaying users emails in Participants list 0 Marina Glancy
MSA-16-0002: XSS Vulnerability in course management search 0 Marina Glancy
MSA-16-0001: Two enrolment-related web services don't check course visibility 0 Marina Glancy
MSA-15-0046: Choice module closing date can be bypassed 0 Marina Glancy
MSA-15-0045: SCORM module allows to bypass access restrictions based on date 0 Marina Glancy
MSA-15-0044: Capability to view available badges is not respected 0 Marina Glancy
MSA-15-0043: Web service core_enrol_get_enrolled_users does not respect course group mode 0 Marina Glancy
MSA-15-0042: CSRF in lesson login form 0 Marina Glancy
MSA-15-0041: XSS in flash video player 0 Marina Glancy
MSA-15-0040: Student XSS in survey 0 Marina Glancy
MSA-15-0039: CSRF in site registration form 0 Marina Glancy
MSA-15-0038: DDoS possibility in Atto 0 Marina Glancy
MSA-15-0037: Possible to send a message to a user who blocked messages from non contacts 0 Marina Glancy
MSA-15-0036: XSS in grouping description 0 Marina Glancy
MSA-15-0035: Rating component does not check separate groups 0 Marina Glancy
MSA-15-0034: Vulnerability in password recovery mechanism 0 Marina Glancy
MSA-15-0033: Meta course synchronisation enrols suspended students as managers for a short period of time 0 Marina Glancy
MSA-15-0032: Users can delete files uploaded by other users in wiki 0 Marina Glancy
MSA-15-0031: Teacher in forum can still post to "all participants" and groups they are not members of 0 Marina Glancy
MSA-15-0030: Students can re-attempt answering questions in the lesson 0 Marina Glancy
MSA-15-0029: Javascript injection in SCORM module 0 Marina Glancy
MSA-15-0028: Possible XSS through custom text profile fields in Web Services 0 Marina Glancy
MSA-15-0027: Capability 'mod/forum:canposttomygroups' is not respected when using 'Post a copy to all groups' in forum 0 Marina Glancy
MSA-15-0026: Possible phishing when redirecting to external site using referer header 0 Marina Glancy
MSA-15-0025: Capability to manage own files is not respected in Web Services 0 Marina Glancy
MSA-15-0024: User with suspended enrolment can see sections in the navigation tree 0 Marina Glancy
MSA-15-0023: Suspended user is able to login when confirming email 0 Marina Glancy
MSA-15-0022: Potential XSS risk when returning text entered by student from Web Services 0 Marina Glancy