Security announcements

The best way to keep track of recent security issues and get the latest information is to register your Moodle site with moodle.org.

By registering your Moodle site, your email address is added to a low-volume mailing list for important, up-to-date information, including new and point releases and notifications such as security alerts.

We highly recommend you register your site.

Otherwise, after each release, all important security issues are published in this forum, which you can subscribe to (moodle.org account required).

Please note that if you subscribe to the security forum and Twitter options, there will be a delay of up to one week until the information becomes available.

Documentation: Security

Showing 100 of 419 discussions
| Discussion | Started by | Replies | Last post / Created |
|---|---|---|---|
| MSA-13-0024: Form filtering issue | Michael de Raadt | 0 | Tue, May 21, 2013, 8:13 AM |
| MSA-13-0023: Permission issue in blog comments | Michael de Raadt | 0 | Tue, May 21, 2013, 8:11 AM |
| MSA-13-0022: Information leak in hub registration | Michael de Raadt | 0 | Tue, May 21, 2013, 8:09 AM |
| MSA-13-0021: Potential information leak in Gradebook | Michael de Raadt | 0 | Tue, May 21, 2013, 8:06 AM |
| MSA-13-0020: Capability issue in Assignment | Michael de Raadt | 0 | Tue, May 21, 2013, 8:01 AM |
| MSA-13-0019: Unauthorised settings editing through WebDav repository | Michael de Raadt | 0 | Mon, Mar 25, 2013, 1:43 PM |
| MSA-13-0018: Personal information leak through repositories | Michael de Raadt | 0 | Mon, Mar 25, 2013, 1:39 PM |
| MSA-13-0017: Form manipulation issue in notes | Michael de Raadt | 0 | Mon, Mar 25, 2013, 1:38 PM |
| MSA-13-0016: External Entity Injection through Zend library | Michael de Raadt | 0 | Mon, Mar 25, 2013, 1:36 PM |
| MSA-13-0015: Cross-site scripting issue in Filepicker | Michael de Raadt | 0 | Mon, Mar 25, 2013, 1:31 PM |
| MSA-13-0014: Password revealed in WebDav repository | Michael de Raadt | 0 | Mon, Mar 25, 2013, 1:30 PM |
| MSA-13-0013: Server information revealed through exception messages | Michael de Raadt | 0 | Mon, Mar 25, 2013, 1:29 PM |
| MSA-13-0012: Information leak in course profiles | Michael de Raadt | 0 | Mon, Mar 25, 2013, 1:25 PM |
| MSA-13-0011: Calendar subscription capability issue | Michael de Raadt | 0 | Mon, Mar 25, 2013, 1:14 PM |
| MSA-13-0010: Failure to check capabilities in calendar | Michael de Raadt | 0 | Mon, Jan 21, 2013, 10:03 AM |
| MSA-13-0009: Information leak through Blog RSS | Michael de Raadt | 0 | Mon, Jan 21, 2013, 10:01 AM |
| MSA-13-0008: Information leak through Blog RSS | Michael de Raadt | 0 | Mon, Jan 21, 2013, 10:00 AM |
| MSA-13-0007: Potential exploit in messaging | Michael de Raadt | 0 | Mon, Jan 21, 2013, 9:59 AM |
| MSA-13-0006: Potential information leak in Assignment module | Michael de Raadt | 0 | Mon, Jan 21, 2013, 9:57 AM |
| MSA-13-0005: Potential phishing attack through URL redirects | Michael de Raadt | 0 | Mon, Jan 21, 2013, 9:56 AM |
| MSA-13-0004: Information leak through activity report | Michael de Raadt | 0 | Mon, Jan 21, 2013, 9:54 AM |
| MSA-13-0003: Potential server file access through backup restoration | Michael de Raadt | 0 | Mon, Jan 21, 2013, 9:53 AM |
| MSA-13-0002: Capability issue with Outcome editing | Michael de Raadt | 0 | Mon, Jan 21, 2013, 9:50 AM |
| MSA-13-0001: Security issue in Google Spellchecker in TinyMCE | Michael de Raadt | 0 | Mon, Jan 21, 2013, 9:46 AM |
| MSA-12-0063: Information leak in Check Permissions page | Michael de Raadt | 0 | Mon, Nov 19, 2012, 8:29 AM |
| MSA-12-0062: Information leak in Database activity module | Michael de Raadt | 0 | Mon, Nov 19, 2012, 8:27 AM |
| MSA-12-0061: Remote code execution through Portfolio API | Michael de Raadt | 0 | Mon, Nov 19, 2012, 8:24 AM |
| MSA-12-0060: Cross-site scripting vulnerability in YUI2 | Michael de Raadt | 0 | Mon, Nov 19, 2012, 8:22 AM |
| MSA-12-0059: Information leak in Database activity module | Michael de Raadt | 0 | Mon, Nov 19, 2012, 8:20 AM |
| MSA-12-0058: Possible form data manipulation issue | Michael de Raadt | 0 | Mon, Nov 19, 2012, 8:19 AM |
| MSA-12-0057: Access issue through repository | Michael de Raadt | 0 | Mon, Nov 19, 2012, 8:17 AM |
| MSA-12-0056: Information leak in drag-and-drop | Michael de Raadt | 0 | Mon, Sep 17, 2012, 11:58 AM |
| MSA-12-0055: Web service access token issue | Michael de Raadt | 0 | Mon, Sep 17, 2012, 11:57 AM |
| MSA-12-0054: Course reset permission issue | Michael de Raadt | 0 | Mon, Sep 17, 2012, 11:56 AM |
| MSA-12-0053: Blog file access issue | Michael de Raadt | 0 | Mon, Sep 17, 2012, 11:54 AM |
| MSA-12-0052: Course topics permission issue | Michael de Raadt | 0 | Mon, Sep 17, 2012, 11:53 AM |
| MSA-12-0051: File upload size constraint issue | Michael de Raadt | 0 | Mon, Sep 17, 2012, 11:51 AM |
| MSA-12-0050: Potential DOS attack through database activity | Michael de Raadt | 0 | Tue, Jul 17, 2012, 8:31 AM |
| MSA-12-0049: Group restricted activity displayed to all users | Michael de Raadt | 0 | Tue, Jul 17, 2012, 8:29 AM |
| MSA-12-0048: Possible XSS in cohort administration | Michael de Raadt | 0 | Tue, Jul 17, 2012, 8:27 AM |
| MSA-12-0047: SQL injection potential in Feedback module | Michael de Raadt | 0 | Tue, Jul 17, 2012, 8:25 AM |
| MSA-12-0046: Insecure protocol redirection in LDAP authentication | Michael de Raadt | 0 | Tue, Jul 17, 2012, 8:24 AM |
| MSA-12-0045: Injection potential in admin for repositories | Michael de Raadt | 0 | Tue, Jul 17, 2012, 8:22 AM |
| MSA-12-0044: Capability check issue in forum subscriptions | Michael de Raadt | 0 | Tue, Jul 17, 2012, 8:20 AM |
| MSA-12-0043: Early information access issue in forum | Michael de Raadt | 0 | Tue, Jul 17, 2012, 8:18 AM |
| MSA-12-0042: File access issue in blocks | Michael de Raadt | 0 | Tue, Jul 17, 2012, 8:16 AM |
| MSA-12-0041: XSS issue in LTI module | Michael de Raadt | 0 | Tue, Jul 17, 2012, 8:14 AM |
| MSA-12-0040: Capabilities issue through caching | Michael de Raadt | 0 | Tue, Jul 17, 2012, 8:13 AM |
| MSA-12-0039: File upload validation issue | Michael de Raadt | 0 | Tue, Jul 17, 2012, 8:11 AM |
| MSA-12-0038: Calendar event write permission issue | Michael de Raadt | 0 | Mon, May 21, 2012, 2:55 PM |
| MSA-12-0037: Write access issue in Database activity module | Michael de Raadt | 0 | Mon, May 21, 2012, 2:54 PM |
| MSA-12-0036: Cross-site scripting vulnerability in category identifier | Michael de Raadt | 0 | Mon, May 21, 2012, 2:52 PM |
| MSA-12-0035: Cross-site scripting vulnerability in "download all" | Michael de Raadt | 0 | Mon, May 21, 2012, 2:50 PM |
| MSA-12-0034: Potential SQL injection issue | Michael de Raadt | 0 | Mon, May 21, 2012, 2:48 PM |
| MSA-12-0033: Cross-site scripting vulnerability in Blog | Michael de Raadt | 0 | Mon, May 21, 2012, 2:47 PM |
| MSA-12-0032: Cross-site scripting vulnerability in Web services | Michael de Raadt | 0 | Mon, May 21, 2012, 2:45 PM |
| MSA-12-0031: Cross-site scripting vulnerability in Wiki | Michael de Raadt | 0 | Mon, May 21, 2012, 2:43 PM |
| MSA-12-0030: Capability manipulation issue | Michael de Raadt | 0 | Mon, May 21, 2012, 2:38 PM |
| MSA-12-0029: Information editing access issue | Michael de Raadt | 0 | Mon, May 21, 2012, 2:36 PM |
| MSA-12-0028: Insecure authentication issue | Michael de Raadt | 0 | Mon, May 21, 2012, 2:34 PM |
| MSA-12-0027: Question bank capability issues | Michael de Raadt | 0 | Mon, May 21, 2012, 2:32 PM |
| MSA-12-0026: Quiz capability issue | Michael de Raadt | 0 | Mon, May 21, 2012, 2:30 PM |
| MSA-12-0025: Personal communication access issue | Michael de Raadt | 0 | Mon, May 21, 2012, 2:20 PM |
| MSA-12-0024: Hidden information access issue | Michael de Raadt | 0 | Mon, May 21, 2012, 2:18 PM |
| MSA-12-0023: External enrolment plugin context check issue | Michael de Raadt | 0 | Mon, Mar 19, 2012, 1:57 PM |
| MSA-12-0022: Security conflict in Web services | Michael de Raadt | 0 | Mon, Mar 19, 2012, 1:56 PM |
| MSA-12-0021: Course information leak through tags | Michael de Raadt | 0 | Mon, Mar 19, 2012, 1:54 PM |
| MSA-12-0020: Forum subscription permission issue | Michael de Raadt | 0 | Mon, Mar 19, 2012, 1:53 PM |
| MSA-12-0019: Overview report and hidden course issue | Michael de Raadt | 0 | Mon, Mar 19, 2012, 1:51 PM |
| MSA-12-0018: Course information leak in Gradebook export | Michael de Raadt | 0 | Mon, Mar 19, 2012, 1:49 PM |
| MSA-12-0017: Personal information leak issue | Michael de Raadt | 0 | Mon, Mar 19, 2012, 1:47 PM |
| MSA-12-0016: Default repository capabilities issue | Michael de Raadt | 0 | Mon, Mar 19, 2012, 1:45 PM |
| MSA-12-0015: Backup and private files issue | Michael de Raadt | 0 | Mon, Mar 19, 2012, 1:42 PM |
| MSA-12-0014: Password and Web services issue | Michael de Raadt | 0 | Mon, Mar 19, 2012, 1:41 PM |
| MSA-12-0013: Database activity export permission issue | Michael de Raadt | 0 | Mon, Mar 19, 2012, 1:33 PM |
| MSA-12-0012: Form validation issue | Michael de Raadt | 0 | Tue, Jan 17, 2012, 10:21 AM |
| MSA-12-0011: Browser autofill password issue | Michael de Raadt | 0 | Tue, Jan 17, 2012, 10:19 AM |
| MSA-12-0010: Unauthorised access to session key | Michael de Raadt | 0 | Tue, Jan 17, 2012, 10:18 AM |
| MSA-12-0009: Role access issue | Michael de Raadt | 0 | Tue, Jan 17, 2012, 10:14 AM |
| MSA-12-0008: Unsynchronised access via tokens | Michael de Raadt | 0 | Tue, Jan 17, 2012, 10:12 AM |
| MSA-12-0007: Email injection prevention | Michael de Raadt | 0 | Tue, Jan 17, 2012, 10:11 AM |
| MSA-12-0006: Additional email address validation | Michael de Raadt | 0 | Tue, Jan 17, 2012, 10:09 AM |
| MSA-12-0005: Encryption enhancement | Michael de Raadt | 0 | Tue, Jan 17, 2012, 10:07 AM |
| MSA-12-0004: Added profile image security | Michael de Raadt | 0 | Tue, Jan 17, 2012, 10:05 AM |
| MSA-12-0003: Added password protection | Michael de Raadt | 0 | Tue, Jan 17, 2012, 10:04 AM |
| MSA-12-0002: Personal information leak | Michael de Raadt | 0 | Tue, Jan 17, 2012, 10:01 AM |
| MSA-12-0001: Recaptcha transmission consistency issue | Michael de Raadt | 0 | Tue, Jan 17, 2012, 9:45 AM |
| MSA-11-0054: Personal information leak | Michael de Raadt | 0 | Tue, Dec 6, 2011, 4:11 PM |
| MSA-11-0053: Security and system administration conflict | Michael de Raadt | 0 | Tue, Dec 6, 2011, 4:09 PM |
| MSA-11-0052: Potential to exploit developer debugging scripts | Michael de Raadt | 0 | Tue, Dec 6, 2011, 4:06 PM |
| MSA-11-0051: Authentication issue with Web services | Michael de Raadt | 0 | Tue, Dec 6, 2011, 4:04 PM |
| MSA-11-0050: Backup capability issue | Michael de Raadt | 0 | Tue, Dec 6, 2011, 4:01 PM |
| MSA-11-0049: Network restriction ineffective with MNet | Michael de Raadt | 0 | Tue, Dec 6, 2011, 3:49 PM |
| MSA-11-0048: Password loss issue | Michael de Raadt | 0 | Tue, Dec 6, 2011, 3:45 PM |
| MSA-11-0047: Possible injection attack in Calendar | Michael de Raadt | 0 | Tue, Dec 6, 2011, 3:43 PM |
| MSA-11-0046: Insecure authentication transmission | Michael de Raadt | 0 | Tue, Dec 6, 2011, 3:39 PM |
| MSA-11-0045: Potential to masquerade through MNet | Michael de Raadt | 0 | Tue, Dec 6, 2011, 3:35 PM |
| MSA-11-0044: Expired identification information shown in Web services | Michael de Raadt | 0 | Tue, Dec 6, 2011, 3:30 PM |
| MSA-11-0043: Possible link redirect in Calendar | Michael de Raadt | 0 | Tue, Dec 6, 2011, 3:28 PM |
| MSA-11-0042: Information leak in Wiki | Michael de Raadt | 0 | Tue, Dec 6, 2011, 3:25 PM |