Security Announcements

 

Moodle Security Procedures

We treat security issues in Moodle software very seriously. Even though we dedicate a lot of time to designing our code to avoid such problems, it is inevitable in a project of this size that new vulnerabilities will occasionally be discovered.

We practice responsible disclosure, which means we have a policy of disclosing all security issues that come to our attention, but only after we have solved the issue and given registered Moodle sites some time to upgrade or patch their installations.

We welcome reports of security issues and will work with reporters to fix problems and publicise patches to Moodle users as quickly as possible.


How can I report a security issue?

Please "Create a new issue" in the Moodle Tracker. Bugs classified as a "Serious security issue" will be hidden from the general public until the security team is able to resolve them and publish fixes to registered Moodle sites (see below).

How can I keep my site secure?

It's good practice to always use the latest stable release of the version you are using. It is very safe to upgrade from 2.3.1 to 2.3.2+, for example, at any time. Git is a very easy way to do this.

How can I keep track of recent security issues?

  1. Register your Moodle site with moodle.org (visit admin/index.php in your installation to see the registration button), making sure to enable the option of being notified about security issues and updates. After your registration is accepted, your email address will be automatically added to our low-volume security alerts mailing list.
  2. Eventually, all important security issues are published to the general public via the forum on this page. You can subscribe to the RSS feed on this page to automatically add new issues to your favourite feed reader or portal. (Please note that security alerts prior to 2008 were made on a different site and do not appear here.) You can also follow moodlesecurity on Twitter.

Discussion | Started by | Replies | Last post
MSA-14-0013: Unfiltered data used in Assignment web services | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 24, 2014, 8:52 AM)
MSA-14-0008: Cross site scripting potential in Flowplayer | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 24, 2014, 8:51 AM)
MSA-14-0004: Incorrect filtering in Quiz | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 24, 2014, 8:51 AM)
MSA-14-0012: Access issue in Badges | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 17, 2014, 9:52 AM)
MSA-14-0011: Cross site request forgery potential in IMS enrolments | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 17, 2014, 9:51 AM)
MSA-14-0010: Identity information leak in Alfresco Repository | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 17, 2014, 9:48 AM)
MSA-14-0009: Identity information leak in Forum and Quiz | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 17, 2014, 9:47 AM)
MSA-14-0007: Access issue in Wiki | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 17, 2014, 9:43 AM)
MSA-14-0006: Capability issue in Chat | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 17, 2014, 9:40 AM)
MSA-14-0005: Access issue in Feedback activity | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 17, 2014, 9:39 AM)
MSA-14-0003: Cross-site request forgery vulnerability in profile fields | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 17, 2014, 9:36 AM)
MSA-14-0002: Group constraints lacking in "login as" | Michael de Raadt | 0 | Michael de Raadt (Mon, Jan 20, 2014, 8:49 AM)
MSA-14-0001: Config passwords visibility issue | Michael de Raadt | 0 | Michael de Raadt (Mon, Jan 20, 2014, 8:48 AM)
MSA-13-0040: Cross site scripting vulnerability in YUI library | Michael de Raadt | 0 | Michael de Raadt (Mon, Nov 25, 2013, 8:44 AM)
MSA-13-0039: Cross site scripting in Quiz | Michael de Raadt | 0 | Michael de Raadt (Mon, Nov 25, 2013, 8:35 AM)
MSA-13-0038: Access to server files through repository | Michael de Raadt | 0 | Michael de Raadt (Mon, Nov 25, 2013, 8:33 AM)
MSA-13-0037: Cross site scripting in Messages | Michael de Raadt | 0 | Michael de Raadt (Mon, Nov 25, 2013, 8:31 AM)
MSA-13-0036: Incorrect headers sent for secured resources | Michael de Raadt | 0 | Michael de Raadt (Mon, Nov 25, 2013, 8:29 AM)
MSA-13-0035: Inadequate filtering in Blog | Michael de Raadt | 0 | Michael de Raadt (Mon, Sep 23, 2013, 4:17 PM)
MSA-13-0034: Object injection through Badges | Michael de Raadt | 0 | Michael de Raadt (Mon, Sep 23, 2013, 4:17 PM)
MSA-13-0033: Potential SQL injection in Moodle's SQL Server driver | Michael de Raadt | 0 | Michael de Raadt (Mon, Sep 16, 2013, 9:38 AM)
MSA-13-0032: Host verification failure in Amazon S3 repository | Michael de Raadt | 0 | Michael de Raadt (Mon, Sep 16, 2013, 9:36 AM)
MSA-13-0031: Personal information leak in Feedback activity | Michael de Raadt | 0 | Michael de Raadt (Mon, Jul 15, 2013, 9:29 AM)
MSA-13-0030: Information leak through RSS | Michael de Raadt | 0 | Michael de Raadt (Mon, Jul 15, 2013, 9:26 AM)
MSA-13-0029: XSS risk in conditional activities | Michael de Raadt | 0 | Michael de Raadt (Mon, Jul 15, 2013, 9:24 AM)
MSA-13-0028: Answer information revealed in Lesson activity | Michael de Raadt | 0 | Michael de Raadt (Mon, Jul 15, 2013, 9:22 AM)
MSA-13-0027: Access issue in Chat module | Michael de Raadt | 0 | Michael de Raadt (Mon, Jul 15, 2013, 9:19 AM)
MSA-13-0026: Personal information leak in IMS-LTI | Michael de Raadt | 0 | Michael de Raadt (Mon, Jul 15, 2013, 9:19 AM)
MSA-13-0025: XSS vulnerability in YUI library | Michael de Raadt | 0 | Michael de Raadt (Mon, Jul 15, 2013, 9:08 AM)
MSA-13-0024: Form filtering issue | Michael de Raadt | 0 | Michael de Raadt (Tue, May 21, 2013, 8:13 AM)
MSA-13-0023: Permission issue in blog comments | Michael de Raadt | 0 | Michael de Raadt (Tue, May 21, 2013, 8:11 AM)
MSA-13-0022: Information leak in hub registration | Michael de Raadt | 0 | Michael de Raadt (Tue, May 21, 2013, 8:09 AM)
MSA-13-0021: Potential information leak in Gradebook | Michael de Raadt | 0 | Michael de Raadt (Tue, May 21, 2013, 8:06 AM)
MSA-13-0020: Capability issue in Assignment | Michael de Raadt | 0 | Michael de Raadt (Tue, May 21, 2013, 8:01 AM)
MSA-13-0019: Unauthorised settings editing through WebDav repository | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 25, 2013, 1:49 PM)
MSA-13-0018: Personal information leak through repositories | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 25, 2013, 1:49 PM)
MSA-13-0017: Form manipulation issue in notes | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 25, 2013, 1:48 PM)
MSA-13-0016: External Entity Injection through Zend library | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 25, 2013, 1:48 PM)
MSA-13-0015: Cross-site scripting issue in Filepicker | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 25, 2013, 1:47 PM)
MSA-13-0014: Password revealed in WebDav repository | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 25, 2013, 1:47 PM)
MSA-13-0013: Server information revealed through exception messages | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 25, 2013, 1:46 PM)
MSA-13-0012: Information leak in course profiles | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 25, 2013, 1:46 PM)
MSA-13-0011: Calendar subscription capability issue | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 25, 2013, 1:45 PM)
MSA-13-0010: Failure to check capabilities in calendar | Michael de Raadt | 0 | Michael de Raadt (Mon, Jan 21, 2013, 10:05 AM)
MSA-13-0009: Information leak through Blog RSS | Michael de Raadt | 0 | Michael de Raadt (Mon, Jan 21, 2013, 10:04 AM)
MSA-13-0008: Information leak through Blog RSS | Michael de Raadt | 0 | Michael de Raadt (Mon, Jan 21, 2013, 10:03 AM)
MSA-13-0007: Potential exploit in messaging | Michael de Raadt | 0 | Michael de Raadt (Mon, Jan 21, 2013, 9:59 AM)
MSA-13-0006: Potential information leak in Assignment module | Michael de Raadt | 0 | Michael de Raadt (Mon, Jan 21, 2013, 9:57 AM)
MSA-13-0005: Potential phishing attack through URL redirects | Michael de Raadt | 0 | Michael de Raadt (Mon, Jan 21, 2013, 9:56 AM)
MSA-13-0004: Information leak through activity report | Michael de Raadt | 0 | Michael de Raadt (Mon, Jan 21, 2013, 9:54 AM)
MSA-13-0003: Potential server file access through backup restoration | Michael de Raadt | 0 | Michael de Raadt (Mon, Jan 21, 2013, 9:53 AM)
MSA-13-0002: Capability issue with Outcome editing | Michael de Raadt | 0 | Michael de Raadt (Mon, Jan 21, 2013, 9:50 AM)
MSA-13-0001: Security issue in Google Spellchecker in TinyMCE | Michael de Raadt | 0 | Michael de Raadt (Mon, Jan 21, 2013, 9:46 AM)
MSA-12-0063: Information leak in Check Permissions page | Michael de Raadt | 0 | Michael de Raadt (Mon, Nov 19, 2012, 8:29 AM)
MSA-12-0062: Information leak in Database activity module | Michael de Raadt | 0 | Michael de Raadt (Mon, Nov 19, 2012, 8:27 AM)
MSA-12-0061: Remote code execution through Portfolio API | Michael de Raadt | 0 | Michael de Raadt (Mon, Nov 19, 2012, 8:24 AM)
MSA-12-0060: Cross-site scripting vulnerability in YUI2 | Michael de Raadt | 0 | Michael de Raadt (Mon, Nov 19, 2012, 8:22 AM)
MSA-12-0059: Information leak in Database activity module | Michael de Raadt | 0 | Michael de Raadt (Mon, Nov 19, 2012, 8:20 AM)
MSA-12-0058: Possible form data manipulation issue | Michael de Raadt | 0 | Michael de Raadt (Mon, Nov 19, 2012, 8:19 AM)
MSA-12-0057: Access issue through repository | Michael de Raadt | 0 | Michael de Raadt (Mon, Nov 19, 2012, 8:17 AM)
MSA-12-0056: Information leak in drag-and-drop | Michael de Raadt | 0 | Michael de Raadt (Mon, Sep 17, 2012, 11:58 AM)
MSA-12-0055: Web service access token issue | Michael de Raadt | 0 | Michael de Raadt (Mon, Sep 17, 2012, 11:57 AM)
MSA-12-0054: Course reset permission issue | Michael de Raadt | 0 | Michael de Raadt (Mon, Sep 17, 2012, 11:56 AM)
MSA-12-0053: Blog file access issue | Michael de Raadt | 0 | Michael de Raadt (Mon, Sep 17, 2012, 11:54 AM)
MSA-12-0052: Course topics permission issue | Michael de Raadt | 0 | Michael de Raadt (Mon, Sep 17, 2012, 11:53 AM)
MSA-12-0051: File upload size constraint issue | Michael de Raadt | 0 | Michael de Raadt (Mon, Sep 17, 2012, 11:51 AM)
MSA-12-0050: Potential DOS attack through database activity | Michael de Raadt | 0 | Michael de Raadt (Tue, Jul 17, 2012, 8:44 AM)
MSA-12-0049: Group restricted activity displayed to all users | Michael de Raadt | 0 | Michael de Raadt (Tue, Jul 17, 2012, 8:44 AM)
MSA-12-0048: Possible XSS in cohort administration | Michael de Raadt | 0 | Michael de Raadt (Tue, Jul 17, 2012, 8:44 AM)
MSA-12-0047: SQL injection potential in Feedback module | Michael de Raadt | 0 | Michael de Raadt (Tue, Jul 17, 2012, 8:44 AM)
MSA-12-0046: Insecure protocol redirection in LDAP authentication | Michael de Raadt | 0 | Michael de Raadt (Tue, Jul 17, 2012, 8:43 AM)
MSA-12-0045: Injection potential in admin for repositories | Michael de Raadt | 0 | Michael de Raadt (Tue, Jul 17, 2012, 8:22 AM)
MSA-12-0044: Capability check issue in forum subscriptions | Michael de Raadt | 0 | Michael de Raadt (Tue, Jul 17, 2012, 8:20 AM)
MSA-12-0043: Early information access issue in forum | Michael de Raadt | 0 | Michael de Raadt (Tue, Jul 17, 2012, 8:18 AM)
MSA-12-0042: File access issue in blocks | Michael de Raadt | 0 | Michael de Raadt (Tue, Jul 17, 2012, 8:18 AM)
MSA-12-0041: XSS issue in LTI module | Michael de Raadt | 0 | Michael de Raadt (Tue, Jul 17, 2012, 8:14 AM)
MSA-12-0040: Capabilities issue through caching | Michael de Raadt | 0 | Michael de Raadt (Tue, Jul 17, 2012, 8:13 AM)
MSA-12-0039: File upload validation issue | Michael de Raadt | 0 | Michael de Raadt (Tue, Jul 17, 2012, 8:11 AM)
MSA-12-0038: Calendar event write permission issue | Michael de Raadt | 0 | Michael de Raadt (Mon, May 21, 2012, 2:55 PM)
MSA-12-0037: Write access issue in Database activity module | Michael de Raadt | 0 | Michael de Raadt (Mon, May 21, 2012, 2:54 PM)
MSA-12-0036: Cross-site scripting vulnerability in category identifier | Michael de Raadt | 0 | Michael de Raadt (Mon, May 21, 2012, 2:52 PM)
MSA-12-0035: Cross-site scripting vulnerability in "download all" | Michael de Raadt | 0 | Michael de Raadt (Mon, May 21, 2012, 2:50 PM)
MSA-12-0034: Potential SQL injection issue | Michael de Raadt | 0 | Michael de Raadt (Mon, May 21, 2012, 2:48 PM)
MSA-12-0033: Cross-site scripting vulnerability in Blog | Michael de Raadt | 0 | Michael de Raadt (Mon, May 21, 2012, 2:47 PM)
MSA-12-0032: Cross-site scripting vulnerability in Web services | Michael de Raadt | 0 | Michael de Raadt (Mon, May 21, 2012, 2:45 PM)
MSA-12-0031: Cross-site scripting vulnerability in Wiki | Michael de Raadt | 0 | Michael de Raadt (Mon, May 21, 2012, 2:43 PM)
MSA-12-0030: Capability manipulation issue | Michael de Raadt | 0 | Michael de Raadt (Mon, May 21, 2012, 2:38 PM)
MSA-12-0029: Information editing access issue | Michael de Raadt | 0 | Michael de Raadt (Mon, May 21, 2012, 2:36 PM)
MSA-12-0028: Insecure authentication issue | Michael de Raadt | 0 | Michael de Raadt (Mon, May 21, 2012, 2:34 PM)
MSA-12-0027: Question bank capability issues | Michael de Raadt | 0 | Michael de Raadt (Mon, May 21, 2012, 2:32 PM)
MSA-12-0026: Quiz capability issue | Michael de Raadt | 0 | Michael de Raadt (Mon, May 21, 2012, 2:30 PM)
MSA-12-0025: Personal communication access issue | Michael de Raadt | 0 | Michael de Raadt (Mon, May 21, 2012, 2:20 PM)
MSA-12-0024: Hidden information access issue | Michael de Raadt | 0 | Michael de Raadt (Mon, May 21, 2012, 2:19 PM)
MSA-12-0023: External enrolment plugin context check issue | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 19, 2012, 1:57 PM)
MSA-12-0022: Security conflict in Web services | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 19, 2012, 1:56 PM)
MSA-12-0021: Course information leak through tags | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 19, 2012, 1:54 PM)
MSA-12-0020: Forum subscription permission issue | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 19, 2012, 1:53 PM)
MSA-12-0019: Overview report and hidden course issue | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 19, 2012, 1:51 PM)
MSA-12-0018: Course information leak in Gradebook export | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 19, 2012, 1:49 PM)
MSA-12-0017: Personal information leak issue | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 19, 2012, 1:47 PM)
MSA-12-0016: Default repository capabilities issue | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 19, 2012, 1:45 PM)
MSA-12-0015: Backup and private files issue | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 19, 2012, 1:42 PM)
MSA-12-0014: Password and Web services issue | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 19, 2012, 1:41 PM)
MSA-12-0013: Database activity export permission issue | Michael de Raadt | 0 | Michael de Raadt (Mon, Mar 19, 2012, 1:33 PM)
MSA-12-0012: Form validation issue | Michael de Raadt | 0 | Michael de Raadt (Tue, Jan 17, 2012, 10:21 AM)
MSA-12-0011: Browser autofill password issue | Michael de Raadt | 0 | Michael de Raadt (Tue, Jan 17, 2012, 10:19 AM)
MSA-12-0010: Unauthorised access to session key | Michael de Raadt | 0 | Michael de Raadt (Tue, Jan 17, 2012, 10:18 AM)
MSA-12-0009: Role access issue | Michael de Raadt | 0 | Michael de Raadt (Tue, Jan 17, 2012, 10:14 AM)
MSA-12-0008: Unsynchronised access via tokens | Michael de Raadt | 0 | Michael de Raadt (Tue, Jan 17, 2012, 10:12 AM)
MSA-12-0007: Email injection prevention | Michael de Raadt | 0 | Michael de Raadt (Tue, Jan 17, 2012, 10:11 AM)
MSA-12-0006: Additional email address validation | Michael de Raadt | 0 | Michael de Raadt (Tue, Jan 17, 2012, 10:09 AM)
MSA-12-0005: Encryption enhancement | Michael de Raadt | 0 | Michael de Raadt (Tue, Jan 17, 2012, 10:07 AM)
MSA-12-0004: Added profile image security | Michael de Raadt | 0 | Michael de Raadt (Tue, Jan 17, 2012, 10:05 AM)
MSA-12-0003: Added password protection | Michael de Raadt | 0 | Michael de Raadt (Tue, Jan 17, 2012, 10:04 AM)
MSA-12-0002: Personal information leak | Michael de Raadt | 0 | Michael de Raadt (Tue, Jan 17, 2012, 10:01 AM)
MSA-12-0001: Recaptcha transmission consistency issue | Michael de Raadt | 0 | Michael de Raadt (Tue, Jan 17, 2012, 9:45 AM)
MSA-11-0054: Personal information leak | Michael de Raadt | 0 | Michael de Raadt (Tue, Dec 6, 2011, 4:24 PM)
MSA-11-0053: Security and system administration conflict | Michael de Raadt | 0 | Michael de Raadt (Tue, Dec 6, 2011, 4:23 PM)
MSA-11-0052: Potential to exploit developer debugging scripts | Michael de Raadt | 0 | Michael de Raadt (Tue, Dec 6, 2011, 4:06 PM)
MSA-11-0051: Authentication issue with Web services | Michael de Raadt | 0 | Michael de Raadt (Tue, Dec 6, 2011, 4:04 PM)
MSA-11-0050: Backup capability issue | Michael de Raadt | 0 | Michael de Raadt (Tue, Dec 6, 2011, 4:01 PM)
MSA-11-0049: Network restriction ineffective with MNet | Michael de Raadt | 0 | Michael de Raadt (Tue, Dec 6, 2011, 3:59 PM)
MSA-11-0048: Password loss issue | Michael de Raadt | 0 | Michael de Raadt (Tue, Dec 6, 2011, 3:59 PM)
MSA-11-0047: Possible injection attack in Calendar | Michael de Raadt | 0 | Michael de Raadt (Tue, Dec 6, 2011, 3:59 PM)
MSA-11-0046: Insecure authentication transmission | Michael de Raadt | 0 | Michael de Raadt (Tue, Dec 6, 2011, 3:58 PM)
MSA-11-0045: Potential to masquerade through MNet | Michael de Raadt | 0 | Michael de Raadt (Tue, Dec 6, 2011, 3:58 PM)
MSA-11-0044: Expired identification information shown in Web services | Michael de Raadt | 0 | Michael de Raadt (Tue, Dec 6, 2011, 3:57 PM)
MSA-11-0043: Possible link redirect in Calendar | Michael de Raadt | 0 | Michael de Raadt (Tue, Dec 6, 2011, 3:57 PM)
MSA-11-0042: Information leak in Wiki | Michael de Raadt | 0 | Michael de Raadt (Tue, Dec 6, 2011, 3:57 PM)
MSA-11-0040: Potential personal information leak | Michael de Raadt | 0 | Michael de Raadt (Mon, Oct 31, 2011, 3:29 PM)
MSA-11-0038: Database injection protection strengthened | Michael de Raadt | 0 | Michael de Raadt (Thu, Oct 27, 2011, 11:38 PM)
MSA-11-0041: Global search authentication issue | Michael de Raadt | 0 | Michael de Raadt (Tue, Oct 18, 2011, 12:24 PM)
MSA-11-0039: Wiki section vulnerability | Michael de Raadt | 0 | Michael de Raadt (Tue, Oct 18, 2011, 12:21 PM)
MSA-11-0037: Course section editing injection vulnerability | Michael de Raadt | 0 | Michael de Raadt (Tue, Oct 18, 2011, 12:17 PM)
MSA-11-0036: Messaging refresh vulnerability | Michael de Raadt | 0 | Michael de Raadt (Tue, Oct 18, 2011, 12:15 PM)
MSA-11-0035: Cookie-less session vulnerability | Michael de Raadt | 0 | Michael de Raadt (Tue, Oct 18, 2011, 12:13 PM)
MSA-11-0034: Chat module information leak | Michael de Raadt | 0 | Michael de Raadt (Tue, Oct 18, 2011, 12:11 PM)
MSA-11-0033: Site-hub registration identity issue | Michael de Raadt | 0 | Michael de Raadt (Tue, Oct 18, 2011, 12:09 PM)
MSA-11-0032: MNET SSL validation issue | Michael de Raadt | 0 | Michael de Raadt (Tue, Oct 18, 2011, 12:07 PM)
MSA-11-0031: Forms API constant issue | Michael de Raadt | 0 | Michael de Raadt (Tue, Oct 18, 2011, 12:06 PM)
MSA-11-0030: Box.net repository integration authentication issue | Michael de Raadt | 0 | Michael de Raadt (Tue, Oct 18, 2011, 12:03 PM)
MSA-11-0029: File visibility issue | Michael de Raadt | 0 | Michael de Raadt (Tue, Oct 18, 2011, 11:59 AM)
MSA-11-0028: Wiki comments cross site scripting issue | Michael de Raadt | 0 | Michael de Raadt (Tue, Oct 18, 2011, 11:56 AM)
MSA-11-0027: Wiki pages reference forgery issue | Michael de Raadt | 0 | Michael de Raadt (Tue, Oct 18, 2011, 11:55 AM)
MSA-11-0026: Fields in user upload CSV not being escaped | Michael de Raadt | 0 | Michael de Raadt (Tue, Oct 18, 2011, 11:52 AM)
MSA-11-0025: Group names in user upload CSV not being escaped | Michael de Raadt | 0 | Michael de Raadt (Mon, Aug 8, 2011, 5:02 PM)
MSA-11-0024: Recaptcha images were being authenticated from an older server | Michael de Raadt | 0 | Michael de Raadt (Mon, Aug 8, 2011, 5:02 PM)
MSA-11-0023: Guests can add comments to front page activities | Michael de Raadt | 0 | Michael de Raadt (Mon, Aug 8, 2011, 5:01 PM)
MSA-11-0022: Course creators could change filters at course level | Michael de Raadt | 0 | Michael de Raadt (Mon, Aug 8, 2011, 5:00 PM)
MSA-11-0021: Role assignment web service function not following restrictions | Michael de Raadt | 0 | Michael de Raadt (Mon, Aug 8, 2011, 4:59 PM)
MSA-11-0020: Continue links in error messages can lead offsite | Michael de Raadt | 0 | Michael de Raadt (Mon, Aug 8, 2011, 4:59 PM)
MSA-11-0019: Themes writing to files outside Moodle data directory | Michael de Raadt | 0 | Michael de Raadt (Mon, Aug 8, 2011, 4:59 PM)
MSA-11-0018: Lacking capability controls over cohorts | Michael de Raadt | 0 | Michael de Raadt (Mon, Aug 8, 2011, 4:58 PM)
MSA-11-0017: Ability to generate invalid records in the comments table in the database | Helen Foster | 0 | Helen Foster (Wed, May 18, 2011, 4:09 PM)
MSA-11-0016: Ability to fill a database with invalid records through ratings | Helen Foster | 0 | Helen Foster (Wed, May 18, 2011, 4:05 PM)
MSA-11-0015: Cross Site Scripting through URL encoding | Helen Foster | 0 | Helen Foster (Wed, May 18, 2011, 4:01 PM)
MSA-11-0014: Personal details displayed without permission | Helen Foster | 0 | Helen Foster (Wed, May 18, 2011, 3:57 PM)
MSA-11-0013: Group/Quiz permissions issue | Helen Foster | 0 | Helen Foster (Wed, May 18, 2011, 3:52 PM)
MSA-11-0012: Authentication issue | Helen Foster | 0 | Helen Foster (Wed, May 18, 2011, 3:44 PM)
MSA-11-0011: Multiple cross-site scripting problems in media filter | Helen Foster | 0 | Helen Foster (Tue, Mar 1, 2011, 11:12 PM)
MSA-11-0010: Incorrect default for mod:course/delete capability in teacher role | Helen Foster | 0 | Helen Foster (Tue, Mar 1, 2011, 11:10 PM)
MSA-11-0009: My profile block may disclose private information if used in user context | Helen Foster | 0 | Helen Foster (Tue, Mar 1, 2011, 10:57 PM)
MSA-11-0008: IMS enterprise enrolment file may disclose sensitive information | Helen Foster | 0 | Helen Foster (Tue, Mar 1, 2011, 10:54 PM)
MSA-11-0007: Cross-site scripting vulnerability in course tags | Helen Foster | 0 | Helen Foster (Tue, Mar 1, 2011, 10:51 PM)
MSA-11-0006: Cross-site request forgery and missing access control in course completion | Helen Foster | 0 | Helen Foster (Tue, Mar 1, 2011, 10:35 PM)
MSA-11-0005: Cross-site scripting vulnerability in spikephpcoverage | Helen Foster | 0 | Helen Foster (Tue, Mar 1, 2011, 10:31 PM)
MSA-11-0004: $CFG->forceloginforprofiles setting ignored in course profiles | Helen Foster | 0 | Helen Foster (Tue, Mar 1, 2011, 10:31 PM)
MSA-11-0003: Cross-site scripting vulnerability in tag autocomplete | Helen Foster | 0 | Helen Foster (Tue, Mar 1, 2011, 10:31 PM)
MSA-11-0002: Cross-site request forgery vulnerability in RSS block | Helen Foster | 0 | Helen Foster (Tue, Mar 1, 2011, 10:29 PM)
MSA-11-0001: Customised phpMyAdmin upgraded to 2.11.11.3 and 3.3.9.2 | Petr Škoda | 0 | Petr Škoda (Mon, Feb 21, 2011, 5:01 PM)
MSA-10-0018: Customised phpMyAdmin upgraded to 2.11.11.1 and 3.3.8.1 | Petr Škoda | 0 | Petr Škoda (Sat, Dec 18, 2010, 5:01 AM)
MSA-10-0017: XSS vulnerability in YUI 2.4.0 through YUI 2.8.1 | Petr Škoda | 0 | Petr Škoda (Tue, Oct 26, 2010, 4:30 AM)
MSA-10-0016: Multiple phpCAS library vulnerabilities | Helen Foster | 0 | Helen Foster (Mon, Oct 25, 2010, 7:27 PM)
MSA-10-0015: Customised HTML Purifier upgraded to 4.2.0 | Helen Foster | 0 | Helen Foster (Mon, Oct 25, 2010, 7:25 PM)
MSA-10-0014: Customised phpMyAdmin upgraded to 2.11.11 | Petr Škoda | 0 | Petr Škoda (Sun, Oct 24, 2010, 7:19 PM)
MSA-10-0013: Potential Cross Site Request Forgery vulnerability in Quiz reports | Helen Foster | 0 | Helen Foster (Thu, Jun 17, 2010, 11:39 PM)
MSA-10-0012: KSES Security Filter Bypassing vulnerability | Helen Foster | 0 | Helen Foster (Thu, Jun 17, 2010, 11:36 PM)
MSA-10-0011: Cross Site Scripting vulnerability in blog/index.php | Helen Foster | 0 | Helen Foster (Thu, Jun 17, 2010, 11:34 PM)
MSA-10-0010: Persistent Cross Site Scripting vulnerability in the MNET access control interface | Helen Foster | 0 | Helen Foster (Thu, Jun 17, 2010, 11:28 PM)
MSA-10-0009: Session fixation prevention now turned on by default | Petr Škoda | 0 | Petr Škoda (Wed, Mar 31, 2010, 9:29 PM)
MSA-10-0008: Persistent XSS when using Login-as feature | Petr Škoda | 0 | Petr Škoda (Wed, Mar 31, 2010, 8:51 PM)
MSA-10-0007: Reflective Cross Site Scripting (XSS) in the Moodle Global Search Engine | Petr Škoda | 0 | Petr Škoda (Wed, Mar 31, 2010, 8:47 PM)
MSA-10-0006: SQL injection in Wiki module | Petr Škoda | 0 | Petr Škoda (Wed, Mar 31, 2010, 8:45 PM)
MSA-10-0005: Incorrect validation of forms data | Petr Škoda | 0 | Petr Škoda (Wed, Mar 31, 2010, 8:42 PM)
MSA-10-0004: Improved access control in course restore | Petr Škoda | 0 | Petr Škoda (Wed, Mar 31, 2010, 8:41 PM)
MSA-10-0003: Disclosure of full user names | Petr Škoda | 0 | Petr Škoda (Wed, Mar 31, 2010, 8:41 PM)
MSA-10-0002: XSS vulnerability in the phpcas module | Petr Škoda | 0 | Petr Škoda (Wed, Mar 31, 2010, 8:33 PM)
MSA-10-0001: Vulnerability in KSES text cleaning | Petr Škoda | 0 | Petr Škoda (Wed, Mar 31, 2010, 8:31 PM)
MSA-09-0030: New detection of insecure flash player plugins | Helen Foster | 0 | Helen Foster (Wed, Dec 2, 2009, 5:36 AM)
MSA-09-0031: SQL injection in SCORM module | Helen Foster | 0 | Helen Foster (Wed, Dec 2, 2009, 5:01 AM)
MSA-09-0029: Multiple password related issues | Helen Foster | 0 | Helen Foster (Wed, Dec 2, 2009, 3:44 AM)
MSA-09-0028: Multiple backup/restore related issues | Helen Foster | 0 | Helen Foster (Wed, Dec 2, 2009, 3:39 AM)
MSA-09-0027: Login information can be sent unsecured even when site is configured to use SSL for logins | Helen Foster | 0 | Helen Foster (Wed, Dec 2, 2009, 3:32 AM)
MSA-09-0026: Invalid application access control in MNET interface | Helen Foster | 0 | Helen Foster (Wed, Dec 2, 2009, 3:28 AM)
MSA-09-0025: Unneeded MD5 hashes removed from user table | Helen Foster | 0 | Helen Foster (Wed, Dec 2, 2009, 3:22 AM)
MSA-09-0024: Insufficient access control in glossary | Helen Foster | 0 | Helen Foster (Wed, Dec 2, 2009, 3:18 AM)
MSA-09-0023: User account disclosure in LAMS module | Helen Foster | 0 | Helen Foster (Wed, Dec 2, 2009, 3:15 AM)
MSA-09-0022: Multiple CSRF problems fixed | Helen Foster | 0 | Helen Foster (Wed, Dec 2, 2009, 3:11 AM)
MSA-09-0021: Error in ADODB OCI8/MSSQL drivers allows SQL injection vulnerability | Petr Škoda | 0 | Petr Škoda (Tue, Nov 3, 2009, 4:09 AM)
MSA-09-0020: Teachers can view students' grades in all courses in the overview report | Petr Škoda | 0 | Petr Škoda (Tue, Nov 3, 2009, 3:52 AM)
MSA-09-0019: SQL injection in update_record | Petr Škoda | 0 | Petr Škoda (Tue, Nov 3, 2009, 3:50 AM)
MSA-09-0018: Incorrect escaping when updating first post in a single simple discussion forum type | Petr Škoda | 0 | Petr Škoda (Tue, Nov 3, 2009, 3:46 AM)
MSA-09-0017: Upgrade code in 1.9 does not escape tags properly | Petr Škoda | 0 | Petr Škoda (Tue, Nov 3, 2009, 3:43 AM)
MSA-09-0016: Email not properly escaped on user edit page | Petr Škoda | 0 | Petr Škoda (Tue, Nov 3, 2009, 3:41 AM)
MSA-09-0015: Customised PhpMyAdmin upgraded to 2.11.9.6 | Petr Škoda | 0 | Petr Škoda (Thu, Oct 15, 2009, 2:12 AM)
MSA-09-0014: mimeTeX vulnerabilities | Petr Škoda | 0 | Petr Škoda (Tue, Jul 21, 2009, 5:00 PM)
MSA-09-0013: Customised PhpMyAdmin upgraded to 2.11.9.5 | Petr Škoda | 0 | Petr Škoda (Wed, May 20, 2009, 10:28 PM)
MSA-09-0012: SQL injections when importing outcomes | Petr Škoda | 0 | Petr Škoda (Wed, May 20, 2009, 7:01 PM)
MSA-09-0011: Glossary, database and forum ratings are not verified after submission | Petr Škoda | 0 | Petr Škoda (Wed, May 20, 2009, 7:01 PM)
MSA-09-0010: Unzip binary may create symbolic links pointing outside of dataroot on unix/linux servers | Petr Škoda | 0 | Petr Škoda (Wed, May 20, 2009, 6:58 PM)
MSA-09-0009: TeX filter file disclosure | Petr Škoda | 0 | Petr Škoda (Mon, Apr 13, 2009, 10:46 PM)
Prevent profile spam on your Moodle site | Martin Dougiamas | 0 | Martin Dougiamas (Tue, Feb 10, 2009, 1:32 PM)
MSA-09-0008: CSRF vulnerability in forum code | Petr Škoda | 0 | Petr Škoda (Wed, Feb 4, 2009, 6:14 PM)
MSA-09-0007: Missing input validation in logs allows potential XSS attacks | Petr Škoda | 0 | Petr Škoda (Wed, Feb 4, 2009, 6:12 PM)
MSA-09-0006: Calendar export may allow brute force attacks | Petr Škoda | 0 | Petr Škoda (Wed, Feb 4, 2009, 6:08 PM)
MSA-09-0005: Moodle 'spell-check-logic.cgi' Insecure Temporary File Creation Vulnerability | Petr Škoda | 0 | Petr Škoda (Wed, Feb 4, 2009, 6:08 PM)
MSA-09-0004: XSS vulnerabilities in HTML blocks if "Login as" used | Petr Škoda | 0 | Petr Škoda (Wed, Feb 4, 2009, 6:08 PM)
MSA-09-0003: Vulnerability in Snoopy 1.2.3 | Petr Škoda | 0 | Petr Škoda (Wed, Feb 4, 2009, 6:07 PM)
MSA-09-0002: User pix disclosure | Petr Škoda | 0 | Petr Škoda (Wed, Feb 4, 2009, 5:52 PM)
MSA-09-0001: No way easy to remove pictures of deleted users | Petr Škoda | 0 | Petr Škoda (Wed, Feb 4, 2009, 5:49 PM)
MSA-08-0002: register_globals=on not supported | Petr Škoda | 1 | Petr Škoda (Tue, Dec 30, 2008, 6:55 AM)
MSA-08-0028: customised PhpMyAdmin package upgraded to 2.11.9.4 | Petr Škoda | 0 | Petr Škoda (Wed, Dec 10, 2008, 9:00 AM)
MSA-08-0027: customised PhpMyAdmin package upgraded to 2.11.9.3 | Petr Škoda | 0 | Petr Škoda (Mon, Nov 3, 2008, 7:30 AM)
MSA-08-0026: customised HTML Purifier upgraded to 2.1.5 | Petr Škoda | 0 | Petr Škoda (Mon, Oct 20, 2008, 4:53 AM)
MSA-08-0025: SQL injection in tags code | Petr Škoda | 0 | Petr Škoda (Mon, Oct 20, 2008, 4:52 AM)
MSA-08-0024: Overriding of frozen values in Moodle forms | Petr Škoda | 0 | Petr Škoda (Mon, Oct 20, 2008, 4:50 AM)
MSA-08-0023: CSRF in messaging setting | Petr Škoda | 0 | Petr Škoda (Mon, Oct 20, 2008, 4:48 AM)
MSA-08-0022: XSS through Wiki page titles | Petr Škoda | 0 | Petr Škoda (Mon, Oct 20, 2008, 4:46 AM)
MSA-08-0021: design deficiency combined with incorrect use of format_string() allowing XSS | Petr Škoda | 0 | Petr Škoda (Mon, Oct 20, 2008, 4:43 AM)
MSA-08-0020: quiz/questions capabilities lack some risk flags in access.php files | Petr Škoda | 0 | Petr Škoda (Mon, Oct 20, 2008, 4:40 AM)
MSA-08-0019: customised PhpMyAdmin package upgraded to 2.11.9.2 | Petr Škoda | 0 | Petr Škoda (Mon, Oct 20, 2008, 4:37 AM)
MSA-08-0008: KSES related issues | Petr Škoda | 0 | Petr Škoda (Tue, Sep 23, 2008, 3:22 AM)
MSA-08-0018: customised PhpMyAdmin package upgraded to 2.11.8.1 | Petr Škoda | 0 | Petr Škoda (Tue, Jul 29, 2008, 8:19 PM)
MSA-08-0013: CSRF (Cross-site Request Forgery) on Moodle edit profile page | Petr Škoda | 0 | Petr Škoda (Wed, Jul 23, 2008, 12:04 AM)
MSA-08-0017: customised PhpMyAdmin upgraded to 2.11.7.1 | Petr Škoda | 0 | Petr Škoda (Wed, Jul 16, 2008, 3:26 PM)
MSA-08-0016: Email could be changed in profile without confirmation | Petr Škoda | 0 | Petr Škoda (Wed, Jul 16, 2008, 2:52 PM)
MSA-08-0015: accessible profiles of deleted users | Petr Škoda | 0 | Petr Škoda (Wed, Jul 16, 2008, 2:51 PM)
MSA-08-0014: potential sql injection in events handling code | Petr Škoda | 0 | Petr Škoda (Wed, Jul 16, 2008, 2:49 PM)
MSA-08-0012: Potential non-persistent XSS when searching for group members (MSSQL and Oracle only) | Petr Škoda | 0 | Petr Škoda (Wed, Jul 16, 2008, 2:48 PM)
MSA-08-0011: Potential webroot disclosures warning | Petr Škoda | 0 | Petr Škoda (Wed, Jul 16, 2008, 2:47 PM)
MSA-08-0010: sql injection in HotPot module | Petr Škoda | 0 | Petr Škoda (Wed, Jul 16, 2008, 2:46 PM)
MSA-08-0009: Persistent Cross-site Scripting (XSS) on blog entry title parameter | Petr Škoda | 0 | Petr Škoda (Wed, Jul 16, 2008, 2:45 PM)
MSA-08-0007: imported phpMyAdmin 2.11.5.1 | Petr Škoda | 0 | Petr Škoda (Mon, Mar 31, 2008, 3:17 PM)
MSA-08-0006: Moodle cookie path can not be restricted | Petr Škoda | 0 | Petr Škoda (Sat, Jan 19, 2008, 1:58 AM)
MSA-08-0005: Bypassing restriction on multiple file uploads | Petr Škoda | 0 | Petr Škoda (Sat, Jan 19, 2008, 1:33 AM)
MSA-08-0001: Access elevation in user edit form | Petr Škoda | 0 | Petr Škoda (Thu, Jan 17, 2008, 9:49 PM)
MSA-08-0003: Insufficient access control in Login as feature | Petr Škoda | 0 | Petr Škoda (Thu, Jan 17, 2008, 9:49 PM)
MSA-08-0004: XSS in install.php before installation | Petr Škoda | 0 | Petr Škoda (Thu, Jan 17, 2008, 9:49 PM)