Security announcements

The best way to keep track of the recent security issues and get the latest information is to register your Moodle site with moodle.org.

By registering your Moodle site, your email address is added to the low-volume mailing list for important and most up-to-date information, including new and point releases and notifications such as security alerts.

We highly recommend you register your site.

Otherwise, after each release, all important security issues are published in this forum, which you can subscribe to (moodle.org account required).

Please note that if you rely on the security forum or Twitter instead of registering your site, there will be a delay of up to one week until the information becomes available there.

Documentation: Security

Showing 100 of 419 discussions
| Discussion | Started by | Replies | Last post / Created |
| --- | --- | --- | --- |
| MSA-15-0035: Rating component does not check separate groups | Marina Glancy | 0 | Mon, Sep 21, 2015, 9:45 AM |
| MSA-15-0034: Vulnerability in password recovery mechanism | Marina Glancy | 0 | Mon, Sep 21, 2015, 9:44 AM |
| MSA-15-0033: Meta course synchronisation enrols suspended students as managers for a short period of time | Marina Glancy | 0 | Mon, Sep 21, 2015, 9:43 AM |
| MSA-15-0032: Users can delete files uploaded by other users in wiki | Marina Glancy | 0 | Mon, Sep 21, 2015, 9:42 AM |
| MSA-15-0031: Teacher in forum can still post to "all participants" and groups they are not members of | Marina Glancy | 0 | Mon, Sep 21, 2015, 9:38 AM |
| MSA-15-0030: Students can re-attempt answering questions in the lesson | Marina Glancy | 0 | Mon, Sep 21, 2015, 9:36 AM |
| MSA-15-0029: Javascript injection in SCORM module | Marina Glancy | 0 | Mon, Jul 13, 2015, 8:31 AM |
| MSA-15-0028: Possible XSS through custom text profile fields in Web Services | Marina Glancy | 0 | Mon, Jul 13, 2015, 8:29 AM |
| MSA-15-0027: Capability 'mod/forum:canposttomygroups' is not respected when using 'Post a copy to all groups' in forum | Marina Glancy | 0 | Mon, Jul 13, 2015, 8:28 AM |
| MSA-15-0026: Possible phishing when redirecting to external site using referer header | Marina Glancy | 0 | Mon, Jul 13, 2015, 8:27 AM |
| MSA-15-0025: Capability to manage own files is not respected in Web Services | Marina Glancy | 0 | Mon, May 18, 2015, 9:05 AM |
| MSA-15-0024: User with suspended enrolment can see sections in the navigation tree | Marina Glancy | 0 | Mon, May 18, 2015, 9:04 AM |
| MSA-15-0023: Suspended user is able to login when confirming email | Marina Glancy | 0 | Mon, May 18, 2015, 9:03 AM |
| MSA-15-0022: Potential XSS risk when returning text entered by student from Web Services | Marina Glancy | 0 | Mon, May 18, 2015, 9:02 AM |
| MSA-15-0021: Any authenticated user can subscribe to site-wide event monitor rules | Marina Glancy | 0 | Mon, May 18, 2015, 9:01 AM |
| MSA-15-0020: User fullname disclosure through account confirmation link | Marina Glancy | 0 | Mon, May 18, 2015, 9:00 AM |
| MSA-15-0019: Possible phishing when redirecting to external site using referer header | Marina Glancy | 0 | Mon, May 18, 2015, 8:59 AM |
| MSA-15-0018: Quiz manual-grading is an XSS risk, but does not declare that | Marina Glancy | 0 | Mon, May 18, 2015, 8:54 AM |
| MSA-15-0017: XSS in quiz statistics report | Marina Glancy | 0 | Mon, Mar 16, 2015, 11:08 AM |
| MSA-15-0016: Web services token can be created for user with temporary password | Marina Glancy | 0 | Mon, Mar 16, 2015, 11:08 AM |
| MSA-15-0015: User without proper permission is able to mark the tag as inappropriate | Marina Glancy | 0 | Mon, Mar 16, 2015, 11:07 AM |
| MSA-15-0014: Potential information disclosure for the inaccessible courses | Marina Glancy | 0 | Mon, Mar 16, 2015, 11:06 AM |
| MSA-15-0013: Block title not properly escaped and may cause HTML injection | Marina Glancy | 0 | Mon, Mar 16, 2015, 11:06 AM |
| MSA-15-0012: ReDoS Possible with Convert links to URLs filter | Marina Glancy | 0 | Mon, Mar 16, 2015, 11:05 AM |
| MSA-15-0011: Authentication in mdeploy can be bypassed | Marina Glancy | 0 | Mon, Mar 16, 2015, 11:04 AM |
| MSA-15-0010: Personal contacts and number of unread messages can be revealed | Marina Glancy | 0 | Mon, Mar 16, 2015, 11:03 AM |
| MSA-15-0009: Directory Traversal Attack possible through some files serving JS | Marina Glancy | 0 | Mon, Feb 9, 2015, 9:59 AM |
| MSA-15-0008: Forced logout through Shibboleth authentication plugin | Marina Glancy | 0 | Mon, Jan 19, 2015, 10:02 AM |
| MSA-15-0007: ReDoS possible in the multimedia filter | Marina Glancy | 0 | Mon, Jan 19, 2015, 10:01 AM |
| MSA-15-0006: Capability to grade Lesson module is missing XSS bitmask | Marina Glancy | 0 | Mon, Jan 19, 2015, 10:00 AM |
| MSA-15-0005: Insufficient access check in calendar functions in web-services | Marina Glancy | 0 | Mon, Jan 19, 2015, 9:59 AM |
| MSA-15-0004: Information leak through messaging functions in web-services | Marina Glancy | 0 | Mon, Jan 19, 2015, 9:58 AM |
| MSA-15-0003: CSRF possible in Glossary module | Marina Glancy | 0 | Mon, Jan 19, 2015, 9:56 AM |
| MSA-15-0002: XSS vulnerability in course request pending approval page | Marina Glancy | 0 | Mon, Jan 19, 2015, 9:55 AM |
| MSA-15-0001: Insufficient access check in LTI module | Marina Glancy | 0 | Mon, Jan 19, 2015, 9:52 AM |
| MSA-14-0049: Possible to print arbitrary message to user by modifying URL | Marina Glancy | 0 | Mon, Nov 17, 2014, 12:28 PM |
| MSA-14-0048: CSRF in forum tracking toggle | Marina Glancy | 0 | Mon, Nov 17, 2014, 12:27 PM |
| MSA-14-0047: Possible data loss in Wiki activity | Marina Glancy | 0 | Mon, Nov 17, 2014, 12:26 PM |
| MSA-14-0046: CSRF in LTI module | Marina Glancy | 0 | Mon, Nov 17, 2014, 12:25 PM |
| MSA-14-0045: XSS file upload possible through web service | Marina Glancy | 0 | Mon, Nov 17, 2014, 12:25 PM |
| MSA-14-0044: Hardware path disclosed in the error message | Marina Glancy | 0 | Mon, Nov 17, 2014, 12:24 PM |
| MSA-14-0043: Lack of group check in web service for Forum | Marina Glancy | 0 | Mon, Nov 17, 2014, 12:23 PM |
| MSA-14-0042: Lack of access check in IP lookup functionality | Marina Glancy | 0 | Mon, Nov 17, 2014, 12:22 PM |
| MSA-14-0041: Lack of capability check in tags list access | Marina Glancy | 0 | Mon, Nov 17, 2014, 12:21 PM |
| MSA-14-0040: Information leak in Database activity module | Marina Glancy | 0 | Mon, Nov 17, 2014, 12:10 PM |
| MSA-14-0039: Insufficient access check in LTI module | Marina Glancy | 0 | Mon, Nov 17, 2014, 12:09 PM |
| MSA-14-0038: Hidden grade information exposed by web services | Marina Glancy | 0 | Mon, Nov 17, 2014, 12:08 PM |
| MSA-14-0037: Weak temporary password generation | Marina Glancy | 0 | Mon, Nov 17, 2014, 12:07 PM |
| MSA-14-0036: XSS in mapcourse script in Feedback module | Marina Glancy | 0 | Mon, Nov 17, 2014, 10:37 AM |
| MSA-14-0035: Headers not added to some AJAX scripts | Marina Glancy | 0 | Mon, Nov 17, 2014, 10:33 AM |
| MSA-14-0034: Identity information revealed early in Q&A forum | Michael de Raadt | 0 | Mon, Sep 15, 2014, 8:29 AM |
| MSA-14-0033: URL parameter injection in CAS authentication | Michael de Raadt | 0 | Mon, Sep 15, 2014, 8:28 AM |
| MSA-14-0032: Cross-site scripting in advanced grading methods | Michael de Raadt | 0 | Mon, Jul 21, 2014, 10:02 AM |
| MSA-14-0031: Cross-site scripting through scheduled task error messages | Michael de Raadt | 0 | Mon, Jul 21, 2014, 10:00 AM |
| MSA-14-0030: Cross-site scripting through logs of failed logins | Michael de Raadt | 0 | Mon, Jul 21, 2014, 9:59 AM |
| MSA-14-0029: Cross-site scripting vulnerability in exception dialogues | Michael de Raadt | 0 | Mon, Jul 21, 2014, 9:58 AM |
| MSA-14-0028: Cross-site scripting possible in external badges | Michael de Raadt | 0 | Mon, Jul 21, 2014, 9:56 AM |
| MSA-14-0027: Forum group posting issue | Michael de Raadt | 0 | Mon, Jul 21, 2014, 9:55 AM |
| MSA-14-0026: Information leak in profile and notes pages | Michael de Raadt | 0 | Mon, Jul 21, 2014, 9:52 AM |
| MSA-14-0025: Remote code execution in Quiz | Michael de Raadt | 0 | Mon, Jul 21, 2014, 9:51 AM |
| MSA-14-0024: Cross-site scripting vulnerability in profile field | Michael de Raadt | 0 | Mon, Jul 21, 2014, 9:48 AM |
| MSA-14-0023: XML External Entity vulnerability in IMSCC and IMSCP | Michael de Raadt | 0 | Mon, Jul 21, 2014, 9:45 AM |
| MSA-14-0022: XML External Entity vulnerability in LTI module | Michael de Raadt | 0 | Mon, Jul 21, 2014, 9:43 AM |
| MSA-14-0021: Code injection in Repositories | Michael de Raadt | 0 | Mon, Jul 21, 2014, 9:42 AM |
| MSA-14-0020: Identity confusion in Shibboleth authentication | Michael de Raadt | 0 | Mon, Jul 21, 2014, 9:40 AM |
| MSA-14-0019: Reflected XSS in URL downloader repository | Michael de Raadt | 0 | Mon, May 19, 2014, 9:31 AM |
| MSA-14-0018: Information leak in courses | Michael de Raadt | 0 | Mon, May 19, 2014, 9:29 AM |
| MSA-14-0017: File access issue in HTML block | Michael de Raadt | 0 | Mon, May 19, 2014, 9:27 AM |
| MSA-14-0016: Anonymous student identity revealed in assignment | Michael de Raadt | 0 | Mon, May 19, 2014, 9:26 AM |
| MSA-14-0015: Web service token expiry issue for MoodleMobile | Michael de Raadt | 0 | Mon, May 19, 2014, 9:24 AM |
| MSA-14-0014: Cross-site request forgery possible in Assignment | Michael de Raadt | 0 | Mon, May 19, 2014, 9:22 AM |
| MSA-14-0013: Unfiltered data used in Assignment web services | Michael de Raadt | 0 | Mon, Mar 17, 2014, 9:54 AM |
| MSA-14-0008: Cross site scripting potential in Flowplayer | Michael de Raadt | 0 | Mon, Mar 17, 2014, 9:44 AM |
| MSA-14-0004: Incorrect filtering in Quiz | Michael de Raadt | 0 | Mon, Mar 17, 2014, 9:31 AM |
| MSA-14-0012: Access issue in Badges | Michael de Raadt | 0 | Mon, Mar 17, 2014, 9:52 AM |
| MSA-14-0011: Cross site request forgery potential in IMS enrolments | Michael de Raadt | 0 | Mon, Mar 17, 2014, 9:51 AM |
| MSA-14-0010: Identity information leak in Alfresco Repository | Michael de Raadt | 0 | Mon, Mar 17, 2014, 9:48 AM |
| MSA-14-0009: Identity information leak in Forum and Quiz | Michael de Raadt | 0 | Mon, Mar 17, 2014, 9:47 AM |
| MSA-14-0007: Access issue in Wiki | Michael de Raadt | 0 | Mon, Mar 17, 2014, 9:43 AM |
| MSA-14-0006: Capability issue in Chat | Michael de Raadt | 0 | Mon, Mar 17, 2014, 9:40 AM |
| MSA-14-0005: Access issue in Feedback activity | Michael de Raadt | 0 | Mon, Mar 17, 2014, 9:39 AM |
| MSA-14-0003: Cross-site request forgery vulnerability in profile fields | Michael de Raadt | 0 | Mon, Jan 20, 2014, 8:51 AM |
| MSA-14-0002: Group constraints lacking in "login as" | Michael de Raadt | 0 | Mon, Jan 20, 2014, 8:49 AM |
| MSA-14-0001: Config passwords visibility issue | Michael de Raadt | 0 | Mon, Jan 20, 2014, 8:48 AM |
| MSA-13-0040: Cross site scripting vulnerability in YUI library | Michael de Raadt | 0 | Mon, Nov 25, 2013, 8:38 AM |
| MSA-13-0039: Cross site scripting in Quiz | Michael de Raadt | 0 | Mon, Nov 25, 2013, 8:35 AM |
| MSA-13-0038: Access to server files through repository | Michael de Raadt | 0 | Mon, Nov 25, 2013, 8:33 AM |
| MSA-13-0037: Cross site scripting in Messages | Michael de Raadt | 0 | Mon, Nov 25, 2013, 8:31 AM |
| MSA-13-0036: Incorrect headers sent for secured resources | Michael de Raadt | 0 | Mon, Nov 25, 2013, 8:28 AM |
| MSA-13-0035: Inadequate filtering in Blog | Michael de Raadt | 0 | Mon, Sep 16, 2013, 9:41 AM |
| MSA-13-0034: Object injection through Badges | Michael de Raadt | 0 | Mon, Sep 16, 2013, 9:39 AM |
| MSA-13-0033: Potential SQL injection in Moodle's SQL Server driver | Michael de Raadt | 0 | Mon, Sep 16, 2013, 9:38 AM |
| MSA-13-0032: Host verification failure in Amazon S3 repository | Michael de Raadt | 0 | Mon, Sep 16, 2013, 9:36 AM |
| MSA-13-0031: Personal information leak in Feedback activity | Michael de Raadt | 0 | Mon, Jul 15, 2013, 9:29 AM |
| MSA-13-0030: Information leak through RSS | Michael de Raadt | 0 | Mon, Jul 15, 2013, 9:26 AM |
| MSA-13-0029: XSS risk in conditional activities | Michael de Raadt | 0 | Mon, Jul 15, 2013, 9:24 AM |
| MSA-13-0028: Answer information revealed in Lesson activity | Michael de Raadt | 0 | Mon, Jul 15, 2013, 9:22 AM |
| MSA-13-0027: Access issue in Chat module | Michael de Raadt | 0 | Mon, Jul 15, 2013, 9:17 AM |
| MSA-13-0026: Personal information leak in IMS-LTI | Michael de Raadt | 0 | Mon, Jul 15, 2013, 9:14 AM |
| MSA-13-0025: XSS vulnerability in YUI library | Michael de Raadt | 0 | Mon, Jul 15, 2013, 9:08 AM |