Security Announcements

The easiest way to keep track of the recent security issues is to register your Moodle site with moodle.org so that your email address is added to the low-volume mailing list for important notifications such as security alerts. Otherwise, after release, all important security issues are published in this forum, which you can subscribe to (moodle.org account required), or follow moodlesecurity on Twitter.

Documentation: Security


Discussion | Started by | Replies | Last post
MSA-15-0017: XSS in quiz statistics report | Marina Glancy | 0 | Marina Glancy, Mon, Mar 16, 2015, 11:08 AM
MSA-15-0016: Web services token can be created for user with temporary password | Marina Glancy | 0 | Marina Glancy, Mon, Mar 16, 2015, 11:08 AM
MSA-15-0015: User without proper permission is able to mark the tag as inappropriate | Marina Glancy | 0 | Marina Glancy, Mon, Mar 16, 2015, 11:07 AM
MSA-15-0014: Potential information disclosure for the inaccessible courses | Marina Glancy | 0 | Marina Glancy, Mon, Mar 16, 2015, 11:06 AM
MSA-15-0013: Block title not properly escaped and may cause HTML injection | Marina Glancy | 0 | Marina Glancy, Mon, Mar 16, 2015, 11:06 AM
MSA-15-0012: ReDoS Possible with Convert links to URLs filter | Marina Glancy | 0 | Marina Glancy, Mon, Mar 16, 2015, 11:05 AM
MSA-15-0011: Authentication in mdeploy can be bypassed | Marina Glancy | 0 | Marina Glancy, Mon, Mar 16, 2015, 11:04 AM
MSA-15-0010: Personal contacts and number of unread messages can be revealed | Marina Glancy | 0 | Marina Glancy, Mon, Mar 16, 2015, 11:03 AM
MSA-15-0009: Directory Traversal Attack possible through some files serving JS | Marina Glancy | 0 | Marina Glancy, Tue, Feb 10, 2015, 10:13 AM
MSA-15-0008: Forced logout through Shibboleth authentication plugin | Marina Glancy | 0 | Marina Glancy, Mon, Jan 19, 2015, 10:02 AM
MSA-15-0007: ReDoS possible in the multimedia filter | Marina Glancy | 0 | Marina Glancy, Mon, Jan 19, 2015, 10:01 AM
MSA-15-0006: Capability to grade Lesson module is missing XSS bitmask | Marina Glancy | 0 | Marina Glancy, Mon, Jan 19, 2015, 10:00 AM
MSA-15-0005: Insufficient access check in calendar functions in web-services | Marina Glancy | 0 | Marina Glancy, Mon, Jan 19, 2015, 9:59 AM
MSA-15-0004: Information leak through messaging functions in web-services | Marina Glancy | 0 | Marina Glancy, Mon, Jan 19, 2015, 9:58 AM
MSA-15-0003: CSRF possible in Glossary module | Marina Glancy | 0 | Marina Glancy, Mon, Jan 19, 2015, 9:56 AM
MSA-15-0002: XSS vulnerability in course request pending approval page | Marina Glancy | 0 | Marina Glancy, Mon, Jan 19, 2015, 9:55 AM
MSA-15-0001: Insufficient access check in LTI module | Marina Glancy | 0 | Marina Glancy, Mon, Jan 19, 2015, 9:52 AM
MSA-14-0049: Possible to print arbitrary message to user by modifying URL | Marina Glancy | 0 | Marina Glancy, Mon, Nov 17, 2014, 12:28 PM
MSA-14-0048: CSRF in forum tracking toggle | Marina Glancy | 0 | Marina Glancy, Mon, Nov 17, 2014, 12:27 PM
MSA-14-0047: Possible data loss in Wiki activity | Marina Glancy | 0 | Marina Glancy, Mon, Nov 17, 2014, 12:26 PM
MSA-14-0046: CSRF in LTI module | Marina Glancy | 0 | Marina Glancy, Mon, Nov 17, 2014, 12:25 PM
MSA-14-0045: XSS file upload possible through web service | Marina Glancy | 0 | Marina Glancy, Mon, Nov 17, 2014, 12:25 PM
MSA-14-0044: Hardware path disclosed in the error message | Marina Glancy | 0 | Marina Glancy, Mon, Nov 17, 2014, 12:24 PM
MSA-14-0043: Lack of group check in web service for Forum | Marina Glancy | 0 | Marina Glancy, Mon, Nov 17, 2014, 12:23 PM
MSA-14-0042: Lack of access check in IP lookup functionality | Marina Glancy | 0 | Marina Glancy, Mon, Nov 17, 2014, 12:22 PM
MSA-14-0041: Lack of capability check in tags list access | Marina Glancy | 0 | Marina Glancy, Mon, Nov 17, 2014, 12:21 PM
MSA-14-0040: Information leak in Database activity module | Marina Glancy | 0 | Marina Glancy, Mon, Nov 17, 2014, 12:10 PM
MSA-14-0039: Insufficient access check in LTI module | Marina Glancy | 0 | Marina Glancy, Mon, Nov 17, 2014, 12:09 PM
MSA-14-0038: Hidden grade information exposed by web services | Marina Glancy | 0 | Marina Glancy, Mon, Nov 17, 2014, 12:08 PM
MSA-14-0037: Weak temporary password generation | Marina Glancy | 0 | Marina Glancy, Mon, Nov 17, 2014, 12:07 PM
MSA-14-0036: XSS in mapcourse script in Feedback module | Marina Glancy | 0 | Marina Glancy, Mon, Nov 17, 2014, 10:37 AM
MSA-14-0035: Headers not added to some AJAX scripts | Marina Glancy | 0 | Marina Glancy, Mon, Nov 17, 2014, 10:33 AM
MSA-14-0034: Identity information revealed early in Q&A forum | Michael de Raadt | 0 | Michael de Raadt, Mon, Sep 15, 2014, 8:29 AM
MSA-14-0033: URL parameter injection in CAS authentication | Michael de Raadt | 0 | Michael de Raadt, Mon, Sep 15, 2014, 8:28 AM
MSA-14-0032: Cross-site scripting in advanced grading methods | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 21, 2014, 4:00 PM
MSA-14-0031: Cross-site scripting though scheduled task error messages | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 21, 2014, 4:00 PM
MSA-14-0030: Cross-site scripting through logs of failed logins | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 21, 2014, 3:59 PM
MSA-14-0029: Cross-site scripting vulnerability in exception dialogues | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 21, 2014, 3:58 PM
MSA-14-0028: Cross-site scripting possible in external badges | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 21, 2014, 9:56 AM
MSA-14-0027: Forum group posting issue | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 21, 2014, 9:55 AM
MSA-14-0026: Information leak in profile and notes pages | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 21, 2014, 9:52 AM
MSA-14-0025: Remote code execution in Quiz | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 21, 2014, 9:51 AM
MSA-14-0024: Cross-site scripting vulnerability in profile field | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 21, 2014, 9:48 AM
MSA-14-0023: XML External Entity vulnerability in IMSCC and IMSCP | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 21, 2014, 9:45 AM
MSA-14-0022: XML External Entity vulnerability in LTI module | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 21, 2014, 9:43 AM
MSA-14-0021: Code injection in Repositories | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 21, 2014, 9:42 AM
MSA-14-0020: Identity confusion in Shibboleth authentication | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 21, 2014, 9:40 AM
MSA-14-0019: Reflected XSS in URL downloader repository | Michael de Raadt | 0 | Michael de Raadt, Mon, May 19, 2014, 9:31 AM
MSA-14-0018: Information leak in courses | Michael de Raadt | 0 | Michael de Raadt, Mon, May 19, 2014, 9:29 AM
MSA-14-0017: File access issue in HTML block | Michael de Raadt | 0 | Michael de Raadt, Mon, May 19, 2014, 9:27 AM
MSA-14-0016: Anonymous student identity revealed in assignment | Michael de Raadt | 0 | Michael de Raadt, Mon, May 19, 2014, 9:26 AM
MSA-14-0015: Web service token expiry issue for MoodleMobile | Michael de Raadt | 0 | Michael de Raadt, Mon, May 19, 2014, 9:24 AM
MSA-14-0014: Cross-site request forgery possible in Assignment | Michael de Raadt | 0 | Michael de Raadt, Mon, May 19, 2014, 9:22 AM
MSA-14-0013: Unfiltered data used in Assignment web services | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 24, 2014, 8:52 AM
MSA-14-0008: Cross site scripting potential in Flowplayer | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 24, 2014, 8:51 AM
MSA-14-0004: Incorrect filtering in Quiz | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 24, 2014, 8:51 AM
MSA-14-0012: Access issue in Badges | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 17, 2014, 9:52 AM
MSA-14-0011: Cross site request forgery potential in IMS enrolments | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 17, 2014, 9:51 AM
MSA-14-0010: Identity information leak in Alfresco Repository | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 17, 2014, 9:48 AM
MSA-14-0009: Identity information leak in Forum and Quiz | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 17, 2014, 9:47 AM
MSA-14-0007: Access issue in Wiki | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 17, 2014, 9:43 AM
MSA-14-0006: Capability issue in Chat | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 17, 2014, 9:40 AM
MSA-14-0005: Access issue in Feedback activity | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 17, 2014, 9:39 AM
MSA-14-0003: Cross-site request forgery vulnerability in profile fields | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 17, 2014, 9:36 AM
MSA-14-0002: Group constraints lacking in "login as" | Michael de Raadt | 0 | Michael de Raadt, Mon, Jan 20, 2014, 8:49 AM
MSA-14-0001: Config passwords visibility issue | Michael de Raadt | 0 | Michael de Raadt, Mon, Jan 20, 2014, 8:48 AM
MSA-13-0040: Cross site scripting vulnerability in YUI library | Michael de Raadt | 0 | Michael de Raadt, Mon, Nov 25, 2013, 8:44 AM
MSA-13-0039: Cross site scripting in Quiz | Michael de Raadt | 0 | Michael de Raadt, Mon, Nov 25, 2013, 8:35 AM
MSA-13-0038: Access to server files through repository | Michael de Raadt | 0 | Michael de Raadt, Mon, Nov 25, 2013, 8:33 AM
MSA-13-0037: Cross site scripting in Messages | Michael de Raadt | 0 | Michael de Raadt, Mon, Nov 25, 2013, 8:31 AM
MSA-13-0036: Incorrect headers sent for secured resources | Michael de Raadt | 0 | Michael de Raadt, Mon, Nov 25, 2013, 8:29 AM
MSA-13-0035: Inadequate filtering in Blog | Michael de Raadt | 0 | Michael de Raadt, Mon, Sep 23, 2013, 4:17 PM
MSA-13-0034: Object injection through Badges | Michael de Raadt | 0 | Michael de Raadt, Mon, Sep 23, 2013, 4:17 PM
MSA-13-0033: Potential SQL injection in Moodle's SQL Server driver | Michael de Raadt | 0 | Michael de Raadt, Mon, Sep 16, 2013, 9:38 AM
MSA-13-0032: Host verification failure in Amazon S3 repository | Michael de Raadt | 0 | Michael de Raadt, Mon, Sep 16, 2013, 9:36 AM
MSA-13-0031: Personal information leak in Feedback activity | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 15, 2013, 9:29 AM
MSA-13-0030: Information leak through RSS | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 15, 2013, 9:26 AM
MSA-13-0029: XSS risk in conditional activities | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 15, 2013, 9:24 AM
MSA-13-0028: Answer information revealed in Lesson activity | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 15, 2013, 9:22 AM
MSA-13-0027: Access issue in Chat module | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 15, 2013, 9:19 AM
MSA-13-0026: Personal information leak in IMS-LTI | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 15, 2013, 9:19 AM
MSA-13-0025: XSS vulnerability in YUI library | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 15, 2013, 9:08 AM
MSA-13-0024: Form filtering issue | Michael de Raadt | 0 | Michael de Raadt, Tue, May 21, 2013, 8:13 AM
MSA-13-0023: Permission issue in blog comments | Michael de Raadt | 0 | Michael de Raadt, Tue, May 21, 2013, 8:11 AM
MSA-13-0022: Information leak in hub registration | Michael de Raadt | 0 | Michael de Raadt, Tue, May 21, 2013, 8:09 AM
MSA-13-0021: Potential information leak in Gradebook | Michael de Raadt | 0 | Michael de Raadt, Tue, May 21, 2013, 8:06 AM
MSA-13-0020: Capability issue in Assignment | Michael de Raadt | 0 | Michael de Raadt, Tue, May 21, 2013, 8:01 AM
MSA-13-0019: Unauthorised settings editing through WebDav repository | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 25, 2013, 1:49 PM
MSA-13-0018: Personal information leak through repositories | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 25, 2013, 1:49 PM
MSA-13-0017: Form manipulation issue in notes | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 25, 2013, 1:48 PM
MSA-13-0016: External Entity Injection through Zend library | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 25, 2013, 1:48 PM
MSA-13-0015: Cross-site scripting issue in Filepicker | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 25, 2013, 1:47 PM
MSA-13-0014: Password revealed in WebDav repository | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 25, 2013, 1:47 PM
MSA-13-0013: Server information revealed through exception messages | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 25, 2013, 1:46 PM
MSA-13-0012: Information leak in course profiles | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 25, 2013, 1:46 PM
MSA-13-0011: Calendar subscription capability issue | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 25, 2013, 1:45 PM
MSA-13-0010: Failure to check capabilities in calendar | Michael de Raadt | 0 | Michael de Raadt, Mon, Jan 21, 2013, 10:05 AM
MSA-13-0009: Information leak through Blog RSS | Michael de Raadt | 0 | Michael de Raadt, Mon, Jan 21, 2013, 10:04 AM
MSA-13-0008: Information leak through Blog RSS | Michael de Raadt | 0 | Michael de Raadt, Mon, Jan 21, 2013, 10:03 AM
MSA-13-0007: Potential exploit in messaging | Michael de Raadt | 0 | Michael de Raadt, Mon, Jan 21, 2013, 9:59 AM