Security Announcements

The easiest way to keep track of the recent security issues is to register your Moodle site with moodle.org so that your email address is added to the low-volume mailing list for important notifications such as security alerts. Otherwise, after release, all important security issues are published in this forum, which you can subscribe to (moodle.org account required), or follow moodlesecurity on Twitter.

Documentation: Security

Discussion | Started by | Replies | Last post
MSA-16-0026: When debugging is enabled, error exceptions returned from webservices could contain private data. | Marina Glancy | 0 | Marina Glancy, Mon, 21 Nov 2016, 11:51 AM
MSA-16-0025: Capability to view course notes is checked in the wrong context | Marina Glancy | 0 | Marina Glancy, Mon, 21 Nov 2016, 11:49 AM
MSA-16-0024: Non-admin site managers may accidentally edit admins via web services | Marina Glancy | 0 | Marina Glancy, Mon, 21 Nov 2016, 11:48 AM
MSA-16-0023: Question engine allows access to files that should not be available | Marina Glancy | 0 | Marina Glancy, Mon, 21 Nov 2016, 11:46 AM
MSA-16-0022: Web service tokens should be invalidated when the user password is changed or forced to be changed | Marina Glancy | 0 | Marina Glancy, Mon, 12 Sep 2016, 9:58 AM
MSA-16-0021: Unenrolled user still receives event monitor notifications even though they can no longer access course | Marina Glancy | 0 | Marina Glancy, Tue, 19 Jul 2016, 4:05 PM
MSA-16-0020: Text injection in email headers | Marina Glancy | 0 | Marina Glancy, Tue, 19 Jul 2016, 4:04 PM
MSA-16-0019: Glossary search displays entries without checking user permissions to view them | Marina Glancy | 0 | Marina Glancy, Tue, 19 Jul 2016, 4:04 PM
MSA-16-0018: CSRF in script marking forum posts as read | Marina Glancy | 0 | Marina Glancy, Wed, 18 May 2016, 5:18 PM
MSA-16-0017: Course idnumber not protected from teacher restore | Marina Glancy | 0 | Marina Glancy, Wed, 18 May 2016, 5:18 PM
MSA-16-0016: User can view badges of other users without proper permissions | Marina Glancy | 0 | Marina Glancy, Wed, 18 May 2016, 5:17 PM
MSA-16-0015: Information disclosure of hidden forum names and sub-names. | Marina Glancy | 0 | Marina Glancy, Wed, 18 May 2016, 5:17 PM
MSA-16-0014 | Marina Glancy | 0 | Marina Glancy, Tue, 17 May 2016, 1:57 PM
MSA-16-0013: Users are able to change profile fields that were locked by the administrator | Marina Glancy | 0 | Marina Glancy, Tue, 17 May 2016, 1:55 PM
MSA-16-0012: External function mod_assign_save_submission does not check due dates | Marina Glancy | 0 | Marina Glancy, Mon, 21 Mar 2016, 2:14 PM
MSA-16-0011: Add no referrer to links with _blank target attribute | Marina Glancy | 0 | Marina Glancy, Mon, 21 Mar 2016, 2:13 PM
MSA-16-0010: Enumeration of category details possible without authentication | Marina Glancy | 0 | Marina Glancy, Mon, 21 Mar 2016, 2:12 PM
MSA-16-0009: CSRF in Assignment plugin management page | Marina Glancy | 0 | Marina Glancy, Mon, 21 Mar 2016, 2:12 PM
MSA-16-0008: External function get_calendar_events returns events that pertain to hidden activities | Marina Glancy | 0 | Marina Glancy, Mon, 21 Mar 2016, 2:11 PM
MSA-16-0007: Non-Editing Instructor role can edit exclude checkbox in Single View | Marina Glancy | 0 | Marina Glancy, Mon, 21 Mar 2016, 2:11 PM
MSA-16-0006: Hidden courses are shown to students in Event Monitor | Marina Glancy | 0 | Marina Glancy, Mon, 21 Mar 2016, 2:10 PM
MSA-16-0005: Reflected XSS in mod_data advanced search | Marina Glancy | 0 | Marina Glancy, Mon, 21 Mar 2016, 2:09 PM
MSA-16-0004: XSS from profile fields from external db | Marina Glancy | 0 | Marina Glancy, Mon, 21 Mar 2016, 2:09 PM
MSA-16-0003: Incorrect capability check when displaying users emails in Participants list | Marina Glancy | 0 | Marina Glancy, Mon, 21 Mar 2016, 2:08 PM
MSA-16-0002: XSS Vulnerability in course management search | Marina Glancy | 0 | Marina Glancy, Mon, 18 Jan 2016, 11:50 AM
MSA-16-0001: Two enrolment-related web services don't check course visibility | Marina Glancy | 0 | Marina Glancy, Mon, 18 Jan 2016, 11:49 AM
MSA-15-0046: Choice module closing date can be bypassed | Marina Glancy | 0 | Marina Glancy, Mon, 16 Nov 2015, 12:31 PM
MSA-15-0045: SCORM module allows bypassing access restrictions based on date | Marina Glancy | 0 | Marina Glancy, Mon, 16 Nov 2015, 12:28 PM
MSA-15-0044: Capability to view available badges is not respected | Marina Glancy | 0 | Marina Glancy, Mon, 16 Nov 2015, 12:27 PM
MSA-15-0043: Web service core_enrol_get_enrolled_users does not respect course group mode | Marina Glancy | 0 | Marina Glancy, Mon, 16 Nov 2015, 12:25 PM
MSA-15-0042: CSRF in lesson login form | Marina Glancy | 0 | Marina Glancy, Mon, 16 Nov 2015, 12:22 PM
MSA-15-0041: XSS in flash video player | Marina Glancy | 0 | Marina Glancy, Mon, 16 Nov 2015, 12:21 PM
MSA-15-0040: Student XSS in survey | Marina Glancy | 0 | Marina Glancy, Mon, 16 Nov 2015, 12:20 PM
MSA-15-0039: CSRF in site registration form | Marina Glancy | 0 | Marina Glancy, Mon, 16 Nov 2015, 12:18 PM
MSA-15-0038: DDoS possibility in Atto | Marina Glancy | 0 | Marina Glancy, Mon, 16 Nov 2015, 12:15 PM
MSA-15-0037: Possible to send a message to a user who blocked messages from non contacts | Marina Glancy | 0 | Marina Glancy, Mon, 16 Nov 2015, 12:14 PM
MSA-15-0036: XSS in grouping description | Marina Glancy | 0 | Marina Glancy, Mon, 21 Sep 2015, 9:46 AM
MSA-15-0035: Rating component does not check separate groups | Marina Glancy | 0 | Marina Glancy, Mon, 21 Sep 2015, 9:45 AM
MSA-15-0034: Vulnerability in password recovery mechanism | Marina Glancy | 0 | Marina Glancy, Mon, 21 Sep 2015, 9:44 AM
MSA-15-0033: Meta course synchronisation enrols suspended students as managers for a short period of time | Marina Glancy | 0 | Marina Glancy, Mon, 21 Sep 2015, 9:43 AM
MSA-15-0032: Users can delete files uploaded by other users in wiki | Marina Glancy | 0 | Marina Glancy, Mon, 21 Sep 2015, 9:42 AM
MSA-15-0031: Teacher in forum can still post to "all participants" and groups they are not members of | Marina Glancy | 0 | Marina Glancy, Mon, 21 Sep 2015, 9:38 AM
MSA-15-0030: Students can re-attempt answering questions in the lesson | Marina Glancy | 0 | Marina Glancy, Mon, 21 Sep 2015, 9:36 AM
MSA-15-0029: Javascript injection in SCORM module | Marina Glancy | 0 | Marina Glancy, Mon, 13 Jul 2015, 8:31 AM
MSA-15-0028: Possible XSS through custom text profile fields in Web Services | Marina Glancy | 0 | Marina Glancy, Mon, 13 Jul 2015, 8:29 AM
MSA-15-0027: Capability 'mod/forum:canposttomygroups' is not respected when using 'Post a copy to all groups' in forum | Marina Glancy | 0 | Marina Glancy, Mon, 13 Jul 2015, 8:28 AM
MSA-15-0026: Possible phishing when redirecting to external site using referer header | Marina Glancy | 0 | Marina Glancy, Mon, 13 Jul 2015, 8:27 AM
MSA-15-0025: Capability to manage own files is not respected in Web Services | Marina Glancy | 0 | Marina Glancy, Mon, 18 May 2015, 9:05 AM
MSA-15-0024: User with suspended enrolment can see sections in the navigation tree | Marina Glancy | 0 | Marina Glancy, Mon, 18 May 2015, 9:04 AM
MSA-15-0023: Suspended user is able to login when confirming email | Marina Glancy | 0 | Marina Glancy, Mon, 18 May 2015, 9:03 AM
MSA-15-0022: Potential XSS risk when returning text entered by student from Web Services | Marina Glancy | 0 | Marina Glancy, Mon, 18 May 2015, 9:02 AM
MSA-15-0021: Any authenticated user can subscribe to site-wide event monitor rules | Marina Glancy | 0 | Marina Glancy, Mon, 18 May 2015, 9:01 AM
MSA-15-0020: User fullname disclosure through account confirmation link | Marina Glancy | 0 | Marina Glancy, Mon, 18 May 2015, 9:00 AM
MSA-15-0019: Possible phishing when redirecting to external site using referer header | Marina Glancy | 0 | Marina Glancy, Mon, 18 May 2015, 8:59 AM
MSA-15-0018: Quiz manual-grading is an XSS risk, but does not declare that | Marina Glancy | 0 | Marina Glancy, Mon, 18 May 2015, 8:54 AM
MSA-15-0017: XSS in quiz statistics report | Marina Glancy | 0 | Marina Glancy, Mon, 16 Mar 2015, 11:08 AM
MSA-15-0016: Web services token can be created for user with temporary password | Marina Glancy | 0 | Marina Glancy, Mon, 16 Mar 2015, 11:08 AM
MSA-15-0015: User without proper permission is able to mark the tag as inappropriate | Marina Glancy | 0 | Marina Glancy, Mon, 16 Mar 2015, 11:07 AM
MSA-15-0014: Potential information disclosure for the inaccessible courses | Marina Glancy | 0 | Marina Glancy, Mon, 16 Mar 2015, 11:06 AM
MSA-15-0013: Block title not properly escaped and may cause HTML injection | Marina Glancy | 0 | Marina Glancy, Mon, 16 Mar 2015, 11:06 AM
MSA-15-0012: ReDoS Possible with Convert links to URLs filter | Marina Glancy | 0 | Marina Glancy, Mon, 16 Mar 2015, 11:05 AM
MSA-15-0011: Authentication in mdeploy can be bypassed | Marina Glancy | 0 | Marina Glancy, Mon, 16 Mar 2015, 11:04 AM
MSA-15-0010: Personal contacts and number of unread messages can be revealed | Marina Glancy | 0 | Marina Glancy, Mon, 16 Mar 2015, 11:03 AM
MSA-15-0009: Directory Traversal Attack possible through some files serving JS | Marina Glancy | 0 | Marina Glancy, Tue, 10 Feb 2015, 10:13 AM
MSA-15-0008: Forced logout through Shibboleth authentication plugin | Marina Glancy | 0 | Marina Glancy, Mon, 19 Jan 2015, 10:02 AM
MSA-15-0007: ReDoS possible in the multimedia filter | Marina Glancy | 0 | Marina Glancy, Mon, 19 Jan 2015, 10:01 AM
MSA-15-0006: Capability to grade Lesson module is missing XSS bitmask | Marina Glancy | 0 | Marina Glancy, Mon, 19 Jan 2015, 10:00 AM
MSA-15-0005: Insufficient access check in calendar functions in web-services | Marina Glancy | 0 | Marina Glancy, Mon, 19 Jan 2015, 9:59 AM
MSA-15-0004: Information leak through messaging functions in web-services | Marina Glancy | 0 | Marina Glancy, Mon, 19 Jan 2015, 9:58 AM
MSA-15-0003: CSRF possible in Glossary module | Marina Glancy | 0 | Marina Glancy, Mon, 19 Jan 2015, 9:56 AM
MSA-15-0002: XSS vulnerability in course request pending approval page | Marina Glancy | 0 | Marina Glancy, Mon, 19 Jan 2015, 9:55 AM
MSA-15-0001: Insufficient access check in LTI module | Marina Glancy | 0 | Marina Glancy, Mon, 19 Jan 2015, 9:52 AM
MSA-14-0049: Possible to print arbitrary message to user by modifying URL | Marina Glancy | 0 | Marina Glancy, Mon, 17 Nov 2014, 12:28 PM
MSA-14-0048: CSRF in forum tracking toggle | Marina Glancy | 0 | Marina Glancy, Mon, 17 Nov 2014, 12:27 PM
MSA-14-0047: Possible data loss in Wiki activity | Marina Glancy | 0 | Marina Glancy, Mon, 17 Nov 2014, 12:26 PM
MSA-14-0046: CSRF in LTI module | Marina Glancy | 0 | Marina Glancy, Mon, 17 Nov 2014, 12:25 PM
MSA-14-0045: XSS file upload possible through web service | Marina Glancy | 0 | Marina Glancy, Mon, 17 Nov 2014, 12:25 PM
MSA-14-0044: Hardware path disclosed in the error message | Marina Glancy | 0 | Marina Glancy, Mon, 17 Nov 2014, 12:24 PM
MSA-14-0043: Lack of group check in web service for Forum | Marina Glancy | 0 | Marina Glancy, Mon, 17 Nov 2014, 12:23 PM
MSA-14-0042: Lack of access check in IP lookup functionality | Marina Glancy | 0 | Marina Glancy, Mon, 17 Nov 2014, 12:22 PM
MSA-14-0041: Lack of capability check in tags list access | Marina Glancy | 0 | Marina Glancy, Mon, 17 Nov 2014, 12:21 PM
MSA-14-0040: Information leak in Database activity module | Marina Glancy | 0 | Marina Glancy, Mon, 17 Nov 2014, 12:10 PM
MSA-14-0039: Insufficient access check in LTI module | Marina Glancy | 0 | Marina Glancy, Mon, 17 Nov 2014, 12:09 PM
MSA-14-0038: Hidden grade information exposed by web services | Marina Glancy | 0 | Marina Glancy, Mon, 17 Nov 2014, 12:08 PM
MSA-14-0037: Weak temporary password generation | Marina Glancy | 0 | Marina Glancy, Mon, 17 Nov 2014, 12:07 PM
MSA-14-0036: XSS in mapcourse script in Feedback module | Marina Glancy | 0 | Marina Glancy, Mon, 17 Nov 2014, 10:37 AM
MSA-14-0035: Headers not added to some AJAX scripts | Marina Glancy | 0 | Marina Glancy, Mon, 17 Nov 2014, 10:33 AM
MSA-14-0034: Identity information revealed early in Q&A forum | Michael de Raadt | 0 | Michael de Raadt, Mon, 15 Sep 2014, 8:29 AM
MSA-14-0033: URL parameter injection in CAS authentication | Michael de Raadt | 0 | Michael de Raadt, Mon, 15 Sep 2014, 8:28 AM
MSA-14-0032: Cross-site scripting in advanced grading methods | Michael de Raadt | 0 | Michael de Raadt, Mon, 21 Jul 2014, 4:00 PM
MSA-14-0031: Cross-site scripting through scheduled task error messages | Michael de Raadt | 0 | Michael de Raadt, Mon, 21 Jul 2014, 4:00 PM
MSA-14-0030: Cross-site scripting through logs of failed logins | Michael de Raadt | 0 | Michael de Raadt, Mon, 21 Jul 2014, 3:59 PM
MSA-14-0029: Cross-site scripting vulnerability in exception dialogues | Michael de Raadt | 0 | Michael de Raadt, Mon, 21 Jul 2014, 3:58 PM
MSA-14-0028: Cross-site scripting possible in external badges | Michael de Raadt | 0 | Michael de Raadt, Mon, 21 Jul 2014, 9:56 AM
MSA-14-0027: Forum group posting issue | Michael de Raadt | 0 | Michael de Raadt, Mon, 21 Jul 2014, 9:55 AM
MSA-14-0026: Information leak in profile and notes pages | Michael de Raadt | 0 | Michael de Raadt, Mon, 21 Jul 2014, 9:52 AM
MSA-14-0025: Remote code execution in Quiz | Michael de Raadt | 0 | Michael de Raadt, Mon, 21 Jul 2014, 9:51 AM
MSA-14-0024: Cross-site scripting vulnerability in profile field | Michael de Raadt | 0 | Michael de Raadt, Mon, 21 Jul 2014, 9:48 AM
MSA-14-0023: XML External Entity vulnerability in IMSCC and IMSCP | Michael de Raadt | 0 | Michael de Raadt, Mon, 21 Jul 2014, 9:45 AM
MSA-14-0022: XML External Entity vulnerability in LTI module | Michael de Raadt | 0 | Michael de Raadt, Mon, 21 Jul 2014, 9:43 AM