Security announcements

The best way to keep track of recent security issues and get the latest information is to register your Moodle site with moodle.org.

When you register your Moodle site, your email address is added to a low-volume mailing list that carries important and timely information, including new major and point releases and notifications such as security alerts.

We highly recommend you register your site.

Otherwise, after each release, all important security issues are published in this forum, which you can subscribe to (a moodle.org account is required). You can also follow moodlesecurity on Twitter, which is updated as far as possible.

Please note that if you rely on the security forum or Twitter rather than site registration, there is a delay of up to one week before the information becomes available there.

Documentation: Security


Page: 1 2 3 4

Discussion | Started by | Replies | Last post
--- | --- | --- | ---
MSA-18-0012: Portfolio script allows instantiation of class chosen by user | Marina Glancy | 0 | Fri, 25 May 2018, 1:57 PM
MSA-18-0011: User who did not agree to the site policies can see the site homepage as if they had full site access | Marina Glancy | 0 | Fri, 25 May 2018, 1:56 PM
MSA-18-0010: User can shift a block from Dashboard to any page | Marina Glancy | 0 | Fri, 25 May 2018, 1:54 PM
MSA-18-0009: Portfolio forum caller class allows a user to download any file | Marina Glancy | 0 | Fri, 25 May 2018, 1:53 PM
MSA-18-0008: Users can download any file via portfolio assignment caller class | Marina Glancy | 0 | Fri, 25 May 2018, 1:53 PM
MSA-18-0007: Calculated question type allows remote code execution by Question authors | Marina Glancy | 0 | Fri, 25 May 2018, 1:51 PM
MSA-18-0006: Suspended users with OAuth 2 authentication method can still log in to the site | Marina Glancy | 0 | Mon, 26 Mar 2018, 2:53 PM
MSA-18-0005: Unauthenticated users can trigger custom messages to admin via paypal enrol script | Marina Glancy | 0 | Mon, 26 Mar 2018, 2:52 PM
MSA-18-0004: XSS in calendar event name | Marina Glancy | 0 | Mon, 22 Jan 2018, 2:23 PM
MSA-18-0003: Privilege escalation in quiz web services | Marina Glancy | 0 | Mon, 22 Jan 2018, 2:22 PM
MSA-18-0002: Setting for blocked hosts list can be bypassed with multiple A record hostnames | Marina Glancy | 0 | Mon, 22 Jan 2018, 2:21 PM
MSA-18-0001: Server Side Request Forgery in the filepicker | Marina Glancy | 0 | Mon, 22 Jan 2018, 2:20 PM
MSA-17-0021: Students can find out email addresses of other students in the same course | Marina Glancy | 0 | Mon, 20 Nov 2017, 2:48 PM
MSA-17-0020: Admins may not know that exposing vendor directory is a security risk | Marina Glancy | 0 | Mon, 18 Sep 2017, 11:07 AM
MSA-17-0019: user_can_view_profile() incorrectly assumes $course as shared course | Marina Glancy | 0 | Mon, 18 Sep 2017, 11:03 AM
MSA-17-0018: Course reports are not respecting group settings in courses | Marina Glancy | 0 | Mon, 18 Sep 2017, 11:02 AM
MSA-17-0017: XSS in contact form on "non-respondents" page in non-anonymous feedback | Marina Glancy | 0 | Mon, 18 Sep 2017, 11:01 AM
MSA-17-0016: Authentication bypass vulnerability with old CAS servers | Marina Glancy | 0 | Mon, 17 Jul 2017, 2:54 PM
MSA-17-0015: Course creators are able to change system default settings for courses | Marina Glancy | 0 | Mon, 17 Jul 2017, 2:53 PM
MSA-17-0014: Course overview block reveals activities in hidden courses | Marina Glancy | 0 | Mon, 17 Jul 2017, 2:53 PM
MSA-17-0006: User fullname disclosure on user preferences page | Marina Glancy | 0 | Mon, 17 Jul 2017, 2:52 PM
MSA-17-0013: Missing permission check when adding forum post attachments in Web Services | Marina Glancy | 0 | Mon, 15 May 2017, 2:26 PM
MSA-17-0012: CSRF in number of courses displayed in the course overview block | Marina Glancy | 0 | Mon, 15 May 2017, 2:26 PM
MSA-17-0011: Searching of blogs possible without capability to do it | Marina Glancy | 0 | Mon, 15 May 2017, 2:25 PM
MSA-17-0010: External blog editing takeover | Marina Glancy | 0 | Mon, 15 May 2017, 2:25 PM
MSA-17-0009: XSS in attachments to evidence of prior learning | Marina Glancy | 0 | Mon, 20 Mar 2017, 1:08 PM
MSA-17-0008: XSS in evidence of prior learning | Marina Glancy | 0 | Mon, 20 Mar 2017, 1:07 PM
MSA-17-0007: Global search displays user names for unauthenticated users | Marina Glancy | 0 | Mon, 20 Mar 2017, 1:06 PM
MSA-17-0005: SQL injection via user preferences | Marina Glancy | 0 | Mon, 20 Mar 2017, 1:04 PM
MSA-17-0004: XSS in assignment submission page | Marina Glancy | 0 | Tue, 17 Jan 2017, 12:13 PM
MSA-17-0003: PHPMailer vulnerability in no-reply address | Marina Glancy | 0 | Tue, 17 Jan 2017, 12:12 PM
MSA-17-0002: Incorrect sanitation of attributes in forums | Marina Glancy | 0 | Tue, 17 Jan 2017, 12:12 PM
MSA-17-0001: System file inclusion when adding own preset file in Boost theme | Marina Glancy | 0 | Tue, 17 Jan 2017, 12:05 PM
MSA-16-0026: When debugging is enabled, error exceptions returned from webservices could contain private data. | Marina Glancy | 0 | Mon, 21 Nov 2016, 11:51 AM
MSA-16-0025: Capability to view course notes is checked in the wrong context | Marina Glancy | 0 | Mon, 21 Nov 2016, 11:49 AM
MSA-16-0024: Non-admin site managers may accidentally edit admins via web services | Marina Glancy | 0 | Mon, 21 Nov 2016, 11:48 AM
MSA-16-0023: Question engine allows access to files that should not be available | Marina Glancy | 0 | Mon, 21 Nov 2016, 11:46 AM
MSA-16-0022: Web service tokens should be invalidated when the user password is changed or forced to be changed | Marina Glancy | 0 | Mon, 12 Sep 2016, 9:58 AM
MSA-16-0021: Unenrolled user still receives event monitor notifications even though they can no longer access course | Marina Glancy | 0 | Tue, 19 Jul 2016, 4:05 PM
MSA-16-0020: Text injection in email headers | Marina Glancy | 0 | Tue, 19 Jul 2016, 4:04 PM
MSA-16-0019: Glossary search displays entries without checking user permissions to view them | Marina Glancy | 0 | Tue, 19 Jul 2016, 4:04 PM
MSA-16-0018: CSRF in script marking forum posts as read | Marina Glancy | 0 | Wed, 18 May 2016, 5:18 PM
MSA-16-0017: Course idnumber not protected from teacher restore | Marina Glancy | 0 | Wed, 18 May 2016, 5:18 PM
MSA-16-0016: User can view badges of other users without proper permissions | Marina Glancy | 0 | Wed, 18 May 2016, 5:17 PM
MSA-16-0015: Information disclosure of hidden forum names and sub-names. | Marina Glancy | 0 | Wed, 18 May 2016, 5:17 PM
MSA-16-0014 | Marina Glancy | 0 | Tue, 17 May 2016, 1:57 PM
MSA-16-0013: Users are able to change profile fields that were locked by the administrator | Marina Glancy | 0 | Tue, 17 May 2016, 1:55 PM
MSA-16-0012: External function mod_assign_save_submission does not check due dates | Marina Glancy | 0 | Mon, 21 Mar 2016, 2:14 PM
MSA-16-0011: Add no referrer to links with _blank target attribute | Marina Glancy | 0 | Mon, 21 Mar 2016, 2:13 PM
MSA-16-0010: Enumeration of category details possible without authentication | Marina Glancy | 0 | Mon, 21 Mar 2016, 2:12 PM
MSA-16-0009: CSRF in Assignment plugin management page | Marina Glancy | 0 | Mon, 21 Mar 2016, 2:12 PM
MSA-16-0008: External function get_calendar_events return events that pertains to hidden activities | Marina Glancy | 0 | Mon, 21 Mar 2016, 2:11 PM
MSA-16-0007: Non-Editing Instructor role can edit exclude checkbox in Single View | Marina Glancy | 0 | Mon, 21 Mar 2016, 2:11 PM
MSA-16-0006: Hidden courses are shown to students in Event Monitor | Marina Glancy | 0 | Mon, 21 Mar 2016, 2:10 PM
MSA-16-0005: Reflected XSS in mod_data advanced search | Marina Glancy | 0 | Mon, 21 Mar 2016, 2:09 PM
MSA-16-0004: XSS from profile fields from external db | Marina Glancy | 0 | Mon, 21 Mar 2016, 2:09 PM
MSA-16-0003: Incorrect capability check when displaying users emails in Participants list | Marina Glancy | 0 | Mon, 21 Mar 2016, 2:08 PM
MSA-16-0002: XSS Vulnerability in course management search | Marina Glancy | 0 | Mon, 18 Jan 2016, 11:50 AM
MSA-16-0001: Two enrolment-related web services don't check course visibility | Marina Glancy | 0 | Mon, 18 Jan 2016, 11:49 AM
MSA-15-0046: Choice module closing date can be bypassed | Marina Glancy | 0 | Mon, 16 Nov 2015, 12:31 PM
MSA-15-0045: SCORM module allows to bypass access restrictions based on date | Marina Glancy | 0 | Mon, 16 Nov 2015, 12:28 PM
MSA-15-0044: Capability to view available badges is not respected | Marina Glancy | 0 | Mon, 16 Nov 2015, 12:27 PM
MSA-15-0043: Web service core_enrol_get_enrolled_users does not respect course group mode | Marina Glancy | 0 | Mon, 16 Nov 2015, 12:25 PM
MSA-15-0042: CSRF in lesson login form | Marina Glancy | 0 | Mon, 16 Nov 2015, 12:22 PM
MSA-15-0041: XSS in flash video player | Marina Glancy | 0 | Mon, 16 Nov 2015, 12:21 PM
MSA-15-0040: Student XSS in survey | Marina Glancy | 0 | Mon, 16 Nov 2015, 12:20 PM
MSA-15-0039: CSRF in site registration form | Marina Glancy | 0 | Mon, 16 Nov 2015, 12:18 PM
MSA-15-0038: DDoS possibility in Atto | Marina Glancy | 0 | Mon, 16 Nov 2015, 12:15 PM
MSA-15-0037: Possible to send a message to a user who blocked messages from non contacts | Marina Glancy | 0 | Mon, 16 Nov 2015, 12:14 PM
MSA-15-0036: XSS in grouping description | Marina Glancy | 0 | Mon, 21 Sep 2015, 9:46 AM
MSA-15-0035: Rating component does not check separate groups | Marina Glancy | 0 | Mon, 21 Sep 2015, 9:45 AM
MSA-15-0034: Vulnerability in password recovery mechanism | Marina Glancy | 0 | Mon, 21 Sep 2015, 9:44 AM
MSA-15-0033: Meta course synchronisation enrols suspended students as managers for a short period of time | Marina Glancy | 0 | Mon, 21 Sep 2015, 9:43 AM
MSA-15-0032: Users can delete files uploaded by other users in wiki | Marina Glancy | 0 | Mon, 21 Sep 2015, 9:42 AM
MSA-15-0031: Teacher in forum can still post to "all participants" and groups they are not members of | Marina Glancy | 0 | Mon, 21 Sep 2015, 9:38 AM
MSA-15-0030: Students can re-attempt answering questions in the lesson | Marina Glancy | 0 | Mon, 21 Sep 2015, 9:36 AM
MSA-15-0029: Javascript injection in SCORM module | Marina Glancy | 0 | Mon, 13 Jul 2015, 8:31 AM
MSA-15-0028: Possible XSS through custom text profile fields in Web Services | Marina Glancy | 0 | Mon, 13 Jul 2015, 8:29 AM
MSA-15-0027: Capability 'mod/forum:canposttomygroups' is not respected when using 'Post a copy to all groups' in forum | Marina Glancy | 0 | Mon, 13 Jul 2015, 8:28 AM
MSA-15-0026: Possible phishing when redirecting to external site using referer header | Marina Glancy | 0 | Mon, 13 Jul 2015, 8:27 AM
MSA-15-0025: Capability to manage own files is not respected in Web Services | Marina Glancy | 0 | Mon, 18 May 2015, 9:05 AM
MSA-15-0024: User with suspended enrolment can see sections in the navigation tree | Marina Glancy | 0 | Mon, 18 May 2015, 9:04 AM
MSA-15-0023: Suspended user is able to login when confirming email | Marina Glancy | 0 | Mon, 18 May 2015, 9:03 AM
MSA-15-0022: Potential XSS risk when returning text entered by student from Web Services | Marina Glancy | 0 | Mon, 18 May 2015, 9:02 AM
MSA-15-0021: Any authenticated user can subscribe to site-wide event monitor rules | Marina Glancy | 0 | Mon, 18 May 2015, 9:01 AM
MSA-15-0020: User fullname disclosure through account confirmation link | Marina Glancy | 0 | Mon, 18 May 2015, 9:00 AM
MSA-15-0019: Possible phishing when redirecting to external site using referer header | Marina Glancy | 0 | Mon, 18 May 2015, 8:59 AM
MSA-15-0018: Quiz manual-grading is an XSS risk, but does not declare that | Marina Glancy | 0 | Mon, 18 May 2015, 8:54 AM
MSA-15-0017: XSS in quiz statistics report | Marina Glancy | 0 | Mon, 16 Mar 2015, 11:08 AM
MSA-15-0016: Web services token can be created for user with temporary password | Marina Glancy | 0 | Mon, 16 Mar 2015, 11:08 AM
MSA-15-0015: User without proper permission is able to mark the tag as inappropriate | Marina Glancy | 0 | Mon, 16 Mar 2015, 11:07 AM
MSA-15-0014: Potential information disclosure for the inaccessible courses | Marina Glancy | 0 | Mon, 16 Mar 2015, 11:06 AM
MSA-15-0013: Block title not properly escaped and may cause HTML injection | Marina Glancy | 0 | Mon, 16 Mar 2015, 11:06 AM
MSA-15-0012: ReDoS Possible with Convert links to URLs filter | Marina Glancy | 0 | Mon, 16 Mar 2015, 11:05 AM
MSA-15-0011: Authentication in mdeploy can be bypassed | Marina Glancy | 0 | Mon, 16 Mar 2015, 11:04 AM
MSA-15-0010: Personal contacts and number of unread messages can be revealed | Marina Glancy | 0 | Mon, 16 Mar 2015, 11:03 AM
MSA-15-0009: Directory Traversal Attack possible through some files serving JS | Marina Glancy | 0 | Tue, 10 Feb 2015, 10:13 AM
MSA-15-0008: Forced logout through Shibboleth authentication plugin | Marina Glancy | 0 | Mon, 19 Jan 2015, 10:02 AM
MSA-15-0007: ReDoS possible in the multimedia filter | Marina Glancy | 0 | Mon, 19 Jan 2015, 10:01 AM
MSA-15-0006: Capability to grade Lesson module is missing XSS bitmask | Marina Glancy | 0 | Mon, 19 Jan 2015, 10:00 AM