Security Announcements

Moodle Security Procedures

We treat security issues in Moodle software very seriously. Even though we dedicate a lot of time to designing our code to avoid such problems, it is inevitable in a project of this size that new vulnerabilities will occasionally be discovered.

We practice responsible disclosure, which means we have a policy of disclosing all security issues that come to our attention, but only after we have solved the issue and given registered Moodle sites some time to upgrade or patch their installations.

We welcome reports of security issues and will work with reporters to fix problems and publicise patches to Moodle users as quickly as possible.


How can I report a security issue?

Please "Create a new issue" in the Moodle Tracker. Bugs classified as a "Serious security issue" are hidden from the general public until the security team has resolved them and published fixes to registered Moodle sites (see below).

How can I keep my site secure?

It's good practice to always run the latest stable release of the version branch you are using. Upgrading from 2.3.1 to 2.3.2+, for example, is very safe at any time. Git is a very easy way to do this.

How can I keep track of recent security issues?

  1. Register your Moodle site with moodle.org (visit admin/index.php in your installation to see the registration button), making sure to enable the option of being notified about security issues and updates. After your registration is accepted, your email address will be automatically added to our low-volume security alerts mailing list.
  2. Eventually, all important security issues are published to the general public via the forum on this page. You can subscribe to this page's RSS feed so that new issues appear automatically in your favourite feed reader or portal. (Please note that security alerts prior to 2008 were made on a different site and do not appear here.) You can also follow moodlesecurity on Twitter.

Discussion | Started by | Replies | Last post
MSA-14-0013: Unfiltered data used in Assignment web services | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 24, 2014, 8:52 AM
MSA-14-0008: Cross site scripting potential in Flowplayer | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 24, 2014, 8:51 AM
MSA-14-0004: Incorrect filtering in Quiz | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 24, 2014, 8:51 AM
MSA-14-0012: Access issue in Badges | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 17, 2014, 9:52 AM
MSA-14-0011: Cross site request forgery potential in IMS enrolments | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 17, 2014, 9:51 AM
MSA-14-0010: Identity information leak in Alfresco Repository | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 17, 2014, 9:48 AM
MSA-14-0009: Identity information leak in Forum and Quiz | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 17, 2014, 9:47 AM
MSA-14-0007: Access issue in Wiki | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 17, 2014, 9:43 AM
MSA-14-0006: Capability issue in Chat | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 17, 2014, 9:40 AM
MSA-14-0005: Access issue in Feedback activity | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 17, 2014, 9:39 AM
MSA-14-0003: Cross-site request forgery vulnerability in profile fields | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 17, 2014, 9:36 AM
MSA-14-0002: Group constraints lacking in "login as" | Michael de Raadt | 0 | Michael de Raadt, Mon, Jan 20, 2014, 8:49 AM
MSA-14-0001: Config passwords visibility issue | Michael de Raadt | 0 | Michael de Raadt, Mon, Jan 20, 2014, 8:48 AM
MSA-13-0040: Cross site scripting vulnerability in YUI library | Michael de Raadt | 0 | Michael de Raadt, Mon, Nov 25, 2013, 8:44 AM
MSA-13-0039: Cross site scripting in Quiz | Michael de Raadt | 0 | Michael de Raadt, Mon, Nov 25, 2013, 8:35 AM
MSA-13-0038: Access to server files through repository | Michael de Raadt | 0 | Michael de Raadt, Mon, Nov 25, 2013, 8:33 AM
MSA-13-0037: Cross site scripting in Messages | Michael de Raadt | 0 | Michael de Raadt, Mon, Nov 25, 2013, 8:31 AM
MSA-13-0036: Incorrect headers sent for secured resources | Michael de Raadt | 0 | Michael de Raadt, Mon, Nov 25, 2013, 8:29 AM
MSA-13-0035: Inadequate filtering in Blog | Michael de Raadt | 0 | Michael de Raadt, Mon, Sep 23, 2013, 4:17 PM
MSA-13-0034: Object injection through Badges | Michael de Raadt | 0 | Michael de Raadt, Mon, Sep 23, 2013, 4:17 PM
MSA-13-0033: Potential SQL injection in Moodle's SQL Server driver | Michael de Raadt | 0 | Michael de Raadt, Mon, Sep 16, 2013, 9:38 AM
MSA-13-0032: Host verification failure in Amazon S3 repository | Michael de Raadt | 0 | Michael de Raadt, Mon, Sep 16, 2013, 9:36 AM
MSA-13-0031: Personal information leak in Feedback activity | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 15, 2013, 9:29 AM
MSA-13-0030: Information leak through RSS | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 15, 2013, 9:26 AM
MSA-13-0029: XSS risk in conditional activities | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 15, 2013, 9:24 AM
MSA-13-0028: Answer information revealed in Lesson activity | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 15, 2013, 9:22 AM
MSA-13-0027: Access issue in Chat module | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 15, 2013, 9:19 AM
MSA-13-0026: Personal information leak in IMS-LTI | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 15, 2013, 9:19 AM
MSA-13-0025: XSS vulnerability in YUI library | Michael de Raadt | 0 | Michael de Raadt, Mon, Jul 15, 2013, 9:08 AM
MSA-13-0024: Form filtering issue | Michael de Raadt | 0 | Michael de Raadt, Tue, May 21, 2013, 8:13 AM
MSA-13-0023: Permission issue in blog comments | Michael de Raadt | 0 | Michael de Raadt, Tue, May 21, 2013, 8:11 AM
MSA-13-0022: Information leak in hub registration | Michael de Raadt | 0 | Michael de Raadt, Tue, May 21, 2013, 8:09 AM
MSA-13-0021: Potential information leak in Gradebook | Michael de Raadt | 0 | Michael de Raadt, Tue, May 21, 2013, 8:06 AM
MSA-13-0020: Capability issue in Assignment | Michael de Raadt | 0 | Michael de Raadt, Tue, May 21, 2013, 8:01 AM
MSA-13-0019: Unauthorised settings editing through WebDav repository | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 25, 2013, 1:49 PM
MSA-13-0018: Personal information leak through repositories | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 25, 2013, 1:49 PM
MSA-13-0017: Form manipulation issue in notes | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 25, 2013, 1:48 PM
MSA-13-0016: External Entity Injection through Zend library | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 25, 2013, 1:48 PM
MSA-13-0015: Cross-site scripting issue in Filepicker | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 25, 2013, 1:47 PM
MSA-13-0014: Password revealed in WebDav repository | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 25, 2013, 1:47 PM
MSA-13-0013: Server information revealed through exception messages | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 25, 2013, 1:46 PM
MSA-13-0012: Information leak in course profiles | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 25, 2013, 1:46 PM
MSA-13-0011: Calendar subscription capability issue | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 25, 2013, 1:45 PM
MSA-13-0010: Failure to check capabilities in calendar | Michael de Raadt | 0 | Michael de Raadt, Mon, Jan 21, 2013, 10:05 AM
MSA-13-0009: Information leak through Blog RSS | Michael de Raadt | 0 | Michael de Raadt, Mon, Jan 21, 2013, 10:04 AM
MSA-13-0008: Information leak through Blog RSS | Michael de Raadt | 0 | Michael de Raadt, Mon, Jan 21, 2013, 10:03 AM
MSA-13-0007: Potential exploit in messaging | Michael de Raadt | 0 | Michael de Raadt, Mon, Jan 21, 2013, 9:59 AM
MSA-13-0006: Potential information leak in Assignment module | Michael de Raadt | 0 | Michael de Raadt, Mon, Jan 21, 2013, 9:57 AM
MSA-13-0005: Potential phishing attack through URL redirects | Michael de Raadt | 0 | Michael de Raadt, Mon, Jan 21, 2013, 9:56 AM
MSA-13-0004: Information leak through activity report | Michael de Raadt | 0 | Michael de Raadt, Mon, Jan 21, 2013, 9:54 AM
MSA-13-0003: Potential server file access through backup restoration | Michael de Raadt | 0 | Michael de Raadt, Mon, Jan 21, 2013, 9:53 AM
MSA-13-0002: Capability issue with Outcome editing | Michael de Raadt | 0 | Michael de Raadt, Mon, Jan 21, 2013, 9:50 AM
MSA-13-0001: Security issue in Google Spellchecker in TinyMCE | Michael de Raadt | 0 | Michael de Raadt, Mon, Jan 21, 2013, 9:46 AM
MSA-12-0063: Information leak in Check Permissions page | Michael de Raadt | 0 | Michael de Raadt, Mon, Nov 19, 2012, 8:29 AM
MSA-12-0062: Information leak in Database activity module | Michael de Raadt | 0 | Michael de Raadt, Mon, Nov 19, 2012, 8:27 AM
MSA-12-0061: Remote code execution through Portfolio API | Michael de Raadt | 0 | Michael de Raadt, Mon, Nov 19, 2012, 8:24 AM
MSA-12-0060: Cross-site scripting vulnerability in YUI2 | Michael de Raadt | 0 | Michael de Raadt, Mon, Nov 19, 2012, 8:22 AM
MSA-12-0059: Information leak in Database activity module | Michael de Raadt | 0 | Michael de Raadt, Mon, Nov 19, 2012, 8:20 AM
MSA-12-0058: Possible form data manipulation issue | Michael de Raadt | 0 | Michael de Raadt, Mon, Nov 19, 2012, 8:19 AM
MSA-12-0057: Access issue through repository | Michael de Raadt | 0 | Michael de Raadt, Mon, Nov 19, 2012, 8:17 AM
MSA-12-0056: Information leak in drag-and-drop | Michael de Raadt | 0 | Michael de Raadt, Mon, Sep 17, 2012, 11:58 AM
MSA-12-0055: Web service access token issue | Michael de Raadt | 0 | Michael de Raadt, Mon, Sep 17, 2012, 11:57 AM
MSA-12-0054: Course reset permission issue | Michael de Raadt | 0 | Michael de Raadt, Mon, Sep 17, 2012, 11:56 AM
MSA-12-0053: Blog file access issue | Michael de Raadt | 0 | Michael de Raadt, Mon, Sep 17, 2012, 11:54 AM
MSA-12-0052: Course topics permission issue | Michael de Raadt | 0 | Michael de Raadt, Mon, Sep 17, 2012, 11:53 AM
MSA-12-0051: File upload size constraint issue | Michael de Raadt | 0 | Michael de Raadt, Mon, Sep 17, 2012, 11:51 AM
MSA-12-0050: Potential DOS attack through database activity | Michael de Raadt | 0 | Michael de Raadt, Tue, Jul 17, 2012, 8:44 AM
MSA-12-0049: Group restricted activity displayed to all users | Michael de Raadt | 0 | Michael de Raadt, Tue, Jul 17, 2012, 8:44 AM
MSA-12-0048: Possible XSS in cohort administration | Michael de Raadt | 0 | Michael de Raadt, Tue, Jul 17, 2012, 8:44 AM
MSA-12-0047: SQL injection potential in Feedback module | Michael de Raadt | 0 | Michael de Raadt, Tue, Jul 17, 2012, 8:44 AM
MSA-12-0046: Insecure protocol redirection in LDAP authentication | Michael de Raadt | 0 | Michael de Raadt, Tue, Jul 17, 2012, 8:43 AM
MSA-12-0045: Injection potential in admin for repositories | Michael de Raadt | 0 | Michael de Raadt, Tue, Jul 17, 2012, 8:22 AM
MSA-12-0044: Capability check issue in forum subscriptions | Michael de Raadt | 0 | Michael de Raadt, Tue, Jul 17, 2012, 8:20 AM
MSA-12-0043: Early information access issue in forum | Michael de Raadt | 0 | Michael de Raadt, Tue, Jul 17, 2012, 8:18 AM
MSA-12-0042: File access issue in blocks | Michael de Raadt | 0 | Michael de Raadt, Tue, Jul 17, 2012, 8:18 AM
MSA-12-0041: XSS issue in LTI module | Michael de Raadt | 0 | Michael de Raadt, Tue, Jul 17, 2012, 8:14 AM
MSA-12-0040: Capabilities issue through caching | Michael de Raadt | 0 | Michael de Raadt, Tue, Jul 17, 2012, 8:13 AM
MSA-12-0039: File upload validation issue | Michael de Raadt | 0 | Michael de Raadt, Tue, Jul 17, 2012, 8:11 AM
MSA-12-0038: Calendar event write permission issue | Michael de Raadt | 0 | Michael de Raadt, Mon, May 21, 2012, 2:55 PM
MSA-12-0037: Write access issue in Database activity module | Michael de Raadt | 0 | Michael de Raadt, Mon, May 21, 2012, 2:54 PM
MSA-12-0036: Cross-site scripting vulnerability in category identifier | Michael de Raadt | 0 | Michael de Raadt, Mon, May 21, 2012, 2:52 PM
MSA-12-0035: Cross-site scripting vulnerability in "download all" | Michael de Raadt | 0 | Michael de Raadt, Mon, May 21, 2012, 2:50 PM
MSA-12-0034: Potential SQL injection issue | Michael de Raadt | 0 | Michael de Raadt, Mon, May 21, 2012, 2:48 PM
MSA-12-0033: Cross-site scripting vulnerability in Blog | Michael de Raadt | 0 | Michael de Raadt, Mon, May 21, 2012, 2:47 PM
MSA-12-0032: Cross-site scripting vulnerability in Web services | Michael de Raadt | 0 | Michael de Raadt, Mon, May 21, 2012, 2:45 PM
MSA-12-0031: Cross-site scripting vulnerability in Wiki | Michael de Raadt | 0 | Michael de Raadt, Mon, May 21, 2012, 2:43 PM
MSA-12-0030: Capability manipulation issue | Michael de Raadt | 0 | Michael de Raadt, Mon, May 21, 2012, 2:38 PM
MSA-12-0029: Information editing access issue | Michael de Raadt | 0 | Michael de Raadt, Mon, May 21, 2012, 2:36 PM
MSA-12-0028: Insecure authentication issue | Michael de Raadt | 0 | Michael de Raadt, Mon, May 21, 2012, 2:34 PM
MSA-12-0027: Question bank capability issues | Michael de Raadt | 0 | Michael de Raadt, Mon, May 21, 2012, 2:32 PM
MSA-12-0026: Quiz capability issue | Michael de Raadt | 0 | Michael de Raadt, Mon, May 21, 2012, 2:30 PM
MSA-12-0025: Personal communication access issue | Michael de Raadt | 0 | Michael de Raadt, Mon, May 21, 2012, 2:20 PM
MSA-12-0024: Hidden information access issue | Michael de Raadt | 0 | Michael de Raadt, Mon, May 21, 2012, 2:19 PM
MSA-12-0023: External enrolment plugin context check issue | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 19, 2012, 1:57 PM
MSA-12-0022: Security conflict in Web services | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 19, 2012, 1:56 PM
MSA-12-0021: Course information leak through tags | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 19, 2012, 1:54 PM
MSA-12-0020: Forum subscription permission issue | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 19, 2012, 1:53 PM
MSA-12-0019: Overview report and hidden course issue | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 19, 2012, 1:51 PM
MSA-12-0018: Course information leak in Gradebook export | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 19, 2012, 1:49 PM
MSA-12-0017: Personal information leak issue | Michael de Raadt | 0 | Michael de Raadt, Mon, Mar 19, 2012, 1:47 PM