Security announcements

The best way to keep track of the recent security issues and get the latest information is to register your Moodle site with moodle.org.

By registering your Moodle site, your email address is added to the low-volume mailing list for important and most up-to-date information, including new and point releases and notifications such as security alerts.

We highly recommend you register your site.

Otherwise, after each release, all important security issues are published in this forum, which you can subscribe to (moodle.org account required).

Please note that if you rely on the security forum or the Twitter feed instead of site registration, there will be a delay of up to one week before the information becomes available.

Documentation: Security

Showing 100 of 419 discussions
Discussion | Started by | Replies | Last post / Created

MSA-19-0023: Forum subscribe link contained an open redirect if forced subscription mode was enabled | Michael Hawkins | 0 | Mon, Sep 16, 2019, 4:34 PM
MSA-19-0022: Open redirect in the mobile launch endpoint could be used to expose mobile access tokens | Michael Hawkins | 0 | Mon, Sep 16, 2019, 4:27 PM
MSA-19-0021: Activity :addinstance capabilities were not respected when creating a course in single activity format | Michael Hawkins | 0 | Mon, Sep 16, 2019, 4:24 PM
MSA-19-0020: Python Machine Learning dependency versions bumped | Michael Hawkins | 0 | Mon, Sep 16, 2019, 4:15 PM
MSA-19-0019: Course creation did not check the creator's role assignment capability before automatically assigning them as a teacher in the course | Michael Hawkins | 0 | Mon, Sep 16, 2019, 4:09 PM
MSA-19-0018: JavaScript injection possible in some Mustache templates via recursive rendering from contexts | Michael Hawkins | 0 | Mon, Sep 16, 2019, 4:06 PM
MSA-19-0017: Upgrade TCPDF library for PHP 7.3 and bug fixes (upstream) | Michael Hawkins | 0 | Tue, Jul 16, 2019, 11:57 AM
MSA-19-0016: Assignment group overrides did not observe separate groups mode | Michael Hawkins | 0 | Tue, Jul 16, 2019, 11:52 AM
MSA-19-0015: Quiz group overrides did not observe groups membership or accessallgroups | Michael Hawkins | 0 | Tue, Jul 16, 2019, 11:49 AM
MSA-19-0014: Ability to delete glossary entries that belong to another glossary | Michael Hawkins | 0 | Tue, Jul 16, 2019, 11:47 AM
MSA-19-0013: Missing sesskey (CSRF) token in loading/unloading XML files | Michael Hawkins | 0 | Tue, Jul 16, 2019, 11:43 AM
MSA-19-0012: Private files uploaded via incoming mail processing could bypass quota restrictions | Michael Hawkins | 0 | Mon, May 20, 2019, 2:46 PM
MSA-19-0011: Open redirect in upload cohorts page | Michael Hawkins | 0 | Mon, May 20, 2019, 2:44 PM
MSA-19-0010: All messaging conversations could be viewed | Michael Hawkins | 0 | Mon, May 20, 2019, 2:38 PM
MSA-19-0009: get_with_capability_join/get_users_by_capability not aware of context freezing | Michael Hawkins | 0 | Tue, Mar 19, 2019, 11:17 AM
MSA-19-0008: Secure layout contained an insecure link in Boost theme | Michael Hawkins | 0 | Tue, Mar 19, 2019, 11:16 AM
MSA-19-0007: Stored HTML in assignment submission comments allowed links to be opened directly | Michael Hawkins | 0 | Tue, Mar 19, 2019, 11:15 AM
MSA-19-0006: Users could elevate their role when accessing the LTI tool on a provider site | Michael Hawkins | 0 | Tue, Mar 19, 2019, 11:14 AM
MSA-19-0005: Logged in users could view all calendar events | Michael Hawkins | 0 | Tue, Mar 19, 2019, 11:10 AM
MSA-19-0004: "Log in as" functionality exposed to JavaScript risk on other users' Dashboards | Michael Hawkins | 0 | Tue, Mar 19, 2019, 11:06 AM
MSA-19-0003: User full name is not escaped in the un-linked userpix page | Michael Hawkins | 0 | Mon, Jan 21, 2019, 12:17 PM
MSA-19-0002: Blind SSRF Risk in /badges/mybackpack.php | Michael Hawkins | 0 | Mon, Jan 21, 2019, 12:16 PM
MSA-19-0001: Manage groups capability is missing XSS risk flag | Michael Hawkins | 0 | Mon, Jan 21, 2019, 12:14 PM
MSA-18-0020: Login CSRF vulnerability in login form | Michael Hawkins | 0 | Mon, Nov 19, 2018, 3:21 PM
MSA-18-0019: Boost theme - blog search GET parameter insufficiently filtered | Michael Hawkins | 0 | Mon, Sep 17, 2018, 12:16 PM
MSA-18-0018: QuickForm library remote code vulnerability (upstream) | Michael Hawkins | 0 | Mon, Sep 17, 2018, 12:13 PM
MSA-18-0017: Moodle XML import of ddwtos could lead to intentional remote code execution | Michael Hawkins | 0 | Mon, Sep 17, 2018, 12:10 PM
MSA-18-0016: Quiz question bank import preview could execute JavaScript | Michael Hawkins | 0 | Mon, Jul 16, 2018, 3:18 PM
MSA-18-0015: Web service core_course_get_categories may return invisible categories | Michael Hawkins | 0 | Mon, Jul 16, 2018, 3:15 PM
MSA-18-0014: Privacy data exports include log data | Michael Hawkins | 0 | Mon, Jul 16, 2018, 3:13 PM
MSA-18-0012: Portfolio script allows instantiation of class chosen by user | Marina Glancy | 0 | Fri, May 25, 2018, 1:57 PM
MSA-18-0011: User who did not agree to the site policies can see the site homepage as if they had full site access | Marina Glancy | 0 | Fri, May 25, 2018, 1:56 PM
MSA-18-0010: User can shift a block from Dashboard to any page | Marina Glancy | 0 | Fri, May 25, 2018, 1:54 PM
MSA-18-0009: Portfolio forum caller class allows a user to download any file | Marina Glancy | 0 | Fri, May 25, 2018, 1:53 PM
MSA-18-0008: Users can download any file via portfolio assignment caller class | Marina Glancy | 0 | Fri, May 25, 2018, 1:53 PM
MSA-18-0007: Calculated question type allows remote code execution by Question authors | Marina Glancy | 0 | Fri, May 25, 2018, 1:51 PM
MSA-18-0006: Suspended users with OAuth 2 authentication method can still log in to the site | Marina Glancy | 0 | Mon, Mar 26, 2018, 2:53 PM
MSA-18-0005: Unauthenticated users can trigger custom messages to admin via paypal enrol script | Marina Glancy | 0 | Mon, Mar 26, 2018, 2:52 PM
MSA-18-0004: XSS in calendar event name | Marina Glancy | 0 | Mon, Jan 22, 2018, 2:23 PM
MSA-18-0003: Privilege escalation in quiz web services | Marina Glancy | 0 | Mon, Jan 22, 2018, 2:22 PM
MSA-18-0002: Setting for blocked hosts list can be bypassed with multiple A record hostnames | Marina Glancy | 0 | Mon, Jan 22, 2018, 2:21 PM
MSA-18-0001: Server Side Request Forgery in the filepicker | Marina Glancy | 0 | Mon, Jan 22, 2018, 2:20 PM
MSA-17-0021: Students can find out email addresses of other students in the same course | Marina Glancy | 0 | Mon, Nov 20, 2017, 2:48 PM
MSA-17-0020: Admins may not know that exposing vendor directory is a security risk | Marina Glancy | 0 | Mon, Sep 18, 2017, 11:03 AM
MSA-17-0019: user_can_view_profile() incorrectly assumes $course as shared course | Marina Glancy | 0 | Mon, Sep 18, 2017, 11:03 AM
MSA-17-0018: Course reports are not respecting group settings in courses | Marina Glancy | 0 | Mon, Sep 18, 2017, 11:02 AM
MSA-17-0017: XSS in contact form on "non-respondents" page in non-anonymous feedback | Marina Glancy | 0 | Mon, Sep 18, 2017, 11:01 AM
MSA-17-0016: Authentication bypass vulnerability with old CAS servers | Marina Glancy | 0 | Mon, Jul 17, 2017, 2:54 PM
MSA-17-0015: Course creators are able to change system default settings for courses | Marina Glancy | 0 | Mon, Jul 17, 2017, 2:53 PM
MSA-17-0014: Course overview block reveals activities in hidden courses | Marina Glancy | 0 | Mon, Jul 17, 2017, 2:53 PM
MSA-17-0006: User fullname disclosure on user preferences page | Marina Glancy | 0 | Mon, Jul 17, 2017, 2:52 PM
MSA-17-0013: Missing permission check when adding forum post attachments in Web Services | Marina Glancy | 0 | Mon, May 15, 2017, 2:24 PM
MSA-17-0012: CSRF in number of courses displayed in the course overview block | Marina Glancy | 0 | Mon, May 15, 2017, 2:23 PM
MSA-17-0011: Searching of blogs possible without capability to do it | Marina Glancy | 0 | Mon, May 15, 2017, 2:22 PM
MSA-17-0010: External blog editing takeover | Marina Glancy | 0 | Mon, May 15, 2017, 2:20 PM
MSA-17-0009: XSS in attachments to evidence of prior learning | Marina Glancy | 0 | Mon, Mar 20, 2017, 1:08 PM
MSA-17-0008: XSS in evidence of prior learning | Marina Glancy | 0 | Mon, Mar 20, 2017, 1:07 PM
MSA-17-0007: Global search displays user names for unauthenticated users | Marina Glancy | 0 | Mon, Mar 20, 2017, 1:06 PM
MSA-17-0005: SQL injection via user preferences | Marina Glancy | 0 | Mon, Mar 20, 2017, 1:04 PM
MSA-17-0004: XSS in assignment submission page | Marina Glancy | 0 | Tue, Jan 17, 2017, 12:07 PM
MSA-17-0003: PHPMailer vulnerability in no-reply address | Marina Glancy | 0 | Tue, Jan 17, 2017, 12:06 PM
MSA-17-0002: Incorrect sanitation of attributes in forums | Marina Glancy | 0 | Tue, Jan 17, 2017, 12:06 PM
MSA-17-0001: System file inclusion when adding own preset file in Boost theme | Marina Glancy | 0 | Tue, Jan 17, 2017, 12:05 PM
MSA-16-0026: When debugging is enabled, error exceptions returned from webservices could contain private data. | Marina Glancy | 0 | Mon, Nov 21, 2016, 11:51 AM
MSA-16-0025: Capability to view course notes is checked in the wrong context | Marina Glancy | 0 | Mon, Nov 21, 2016, 11:49 AM
MSA-16-0024: Non-admin site managers may accidentally edit admins via web services | Marina Glancy | 0 | Mon, Nov 21, 2016, 11:48 AM
MSA-16-0023: Question engine allows access to files that should not be available | Marina Glancy | 0 | Mon, Nov 21, 2016, 11:46 AM
MSA-16-0022: Web service tokens should be invalidated when the user password is changed or forced to be changed | Marina Glancy | 0 | Mon, Sep 12, 2016, 9:58 AM
MSA-16-0021: Unenrolled user still receives event monitor notifications even though they can no longer access course | Marina Glancy | 0 | Tue, Jul 19, 2016, 4:05 PM
MSA-16-0020: Text injection in email headers | Marina Glancy | 0 | Tue, Jul 19, 2016, 4:04 PM
MSA-16-0019: Glossary search displays entries without checking user permissions to view them | Marina Glancy | 0 | Tue, Jul 19, 2016, 4:04 PM
MSA-16-0018: CSRF in script marking forum posts as read | Marina Glancy | 0 | Tue, May 17, 2016, 2:00 PM
MSA-16-0017: Course idnumber not protected from teacher restore | Marina Glancy | 0 | Tue, May 17, 2016, 1:59 PM
MSA-16-0016: User can view badges of other users without proper permissions | Marina Glancy | 0 | Tue, May 17, 2016, 1:58 PM
MSA-16-0015: Information disclosure of hidden forum names and sub-names. | Marina Glancy | 0 | Tue, May 17, 2016, 1:58 PM
MSA-16-0014 | Marina Glancy | 0 | Tue, May 17, 2016, 1:57 PM
MSA-16-0013: Users are able to change profile fields that were locked by the administrator | Marina Glancy | 0 | Tue, May 17, 2016, 1:55 PM
MSA-16-0012: External function mod_assign_save_submission does not check due dates | Marina Glancy | 0 | Mon, Mar 21, 2016, 2:14 PM
MSA-16-0011: Add no referrer to links with _blank target attribute | Marina Glancy | 0 | Mon, Mar 21, 2016, 2:13 PM
MSA-16-0010: Enumeration of category details possible without authentication | Marina Glancy | 0 | Mon, Mar 21, 2016, 2:12 PM
MSA-16-0009: CSRF in Assignment plugin management page | Marina Glancy | 0 | Mon, Mar 21, 2016, 2:12 PM
MSA-16-0008: External function get_calendar_events return events that pertains to hidden activities | Marina Glancy | 0 | Mon, Mar 21, 2016, 2:11 PM
MSA-16-0007: Non-Editing Instructor role can edit exclude checkbox in Single View | Marina Glancy | 0 | Mon, Mar 21, 2016, 2:11 PM
MSA-16-0006: Hidden courses are shown to students in Event Monitor | Marina Glancy | 0 | Mon, Mar 21, 2016, 2:10 PM
MSA-16-0005: Reflected XSS in mod_data advanced search | Marina Glancy | 0 | Mon, Mar 21, 2016, 2:09 PM
MSA-16-0004: XSS from profile fields from external db | Marina Glancy | 0 | Mon, Mar 21, 2016, 2:09 PM
MSA-16-0003: Incorrect capability check when displaying users emails in Participants list | Marina Glancy | 0 | Mon, Mar 21, 2016, 2:08 PM
MSA-16-0002: XSS Vulnerability in course management search | Marina Glancy | 0 | Mon, Jan 18, 2016, 11:50 AM
MSA-16-0001: Two enrolment-related web services don't check course visibility | Marina Glancy | 0 | Mon, Jan 18, 2016, 11:49 AM
MSA-15-0046: Choice module closing date can be bypassed | Marina Glancy | 0 | Mon, Nov 16, 2015, 12:31 PM
MSA-15-0045: SCORM module allows to bypass access restrictions based on date | Marina Glancy | 0 | Mon, Nov 16, 2015, 12:28 PM
MSA-15-0044: Capability to view available badges is not respected | Marina Glancy | 0 | Mon, Nov 16, 2015, 12:27 PM
MSA-15-0043: Web service core_enrol_get_enrolled_users does not respect course group mode | Marina Glancy | 0 | Mon, Nov 16, 2015, 12:25 PM
MSA-15-0042: CSRF in lesson login form | Marina Glancy | 0 | Mon, Nov 16, 2015, 12:22 PM
MSA-15-0041: XSS in flash video player | Marina Glancy | 0 | Mon, Nov 16, 2015, 12:21 PM
MSA-15-0040: Student XSS in survey | Marina Glancy | 0 | Mon, Nov 16, 2015, 12:20 PM
MSA-15-0039: CSRF in site registration form | Marina Glancy | 0 | Mon, Nov 16, 2015, 12:18 PM
MSA-15-0038: DDoS possibility in Atto | Marina Glancy | 0 | Mon, Nov 16, 2015, 12:15 PM
MSA-15-0037: Possible to send a message to a user who blocked messages from non contacts | Marina Glancy | 0 | Mon, Nov 16, 2015, 12:14 PM
MSA-15-0036: XSS in grouping description | Marina Glancy | 0 | Mon, Sep 21, 2015, 9:46 AM