Security announcements

The best way to keep track of the recent security issues and get the latest information is to register your Moodle site with moodle.org.

By registering your Moodle site, your email address is added to a low-volume mailing list that carries the most up-to-date information: new major and point releases, and notifications such as security alerts.

We highly recommend you register your site.

Otherwise, after each release, all important security issues are published in this forum, which you can subscribe to (moodle.org account required).

Please note that announcements reach the security forum and Twitter only after a delay of up to one week, so subscribing there gives you the information later than the email sent to registered sites.

Documentation: Security

Showing 100 of 419 discussions
Discussion | Started by | Replies | Last post
MSA-08-0002: register_globals=on not supported | Petr Skoda | 1 | Sat, Jan 12, 2008, 8:40 AM
MSA-19-0019: Course creation did not check the creator's role assignment capability before automatically assigning them as a teacher in the course | Michael Hawkins | 1 | Mon, Sep 16, 2019, 4:09 PM
MSA-08-0001: Access elevation in user edit form | Petr Skoda | 0 | Sat, Jan 12, 2008, 8:59 AM
MSA-08-0003: Insufficient access control in Login as feature | Petr Skoda | 0 | Sat, Jan 12, 2008, 9:03 AM
MSA-08-0004: XSS in install.php before installation | Petr Skoda | 0 | Thu, Jan 17, 2008, 9:02 PM
MSA-08-0005: Bypassing restriction on multiple file uploads | Petr Skoda | 0 | Sat, Jan 19, 2008, 1:31 AM
MSA-08-0006: Moodle cookie path can not be restricted | Petr Skoda | 0 | Sat, Jan 19, 2008, 1:44 AM
MSA-08-0007: imported phpMyAdmin 2.11.5.1 | Petr Skoda | 0 | Mon, Mar 31, 2008, 3:07 PM
MSA-08-0008: KSES related issues | Petr Skoda | 0 | Wed, Apr 16, 2008, 5:43 AM
MSA-08-0009: Persistent Cross-site Scripting (XSS) on blog entry title parameter | Petr Skoda | 0 | Wed, Jul 16, 2008, 2:10 PM
MSA-08-0010: sql injection in HotPot module | Petr Skoda | 0 | Wed, Jul 16, 2008, 2:13 PM
MSA-08-0011: Potential webroot disclosures warning | Petr Skoda | 0 | Wed, Jul 16, 2008, 2:15 PM
MSA-08-0012: Potential non-persistent XSS when searching for group members (MSSQL and Oracle only) | Petr Skoda | 0 | Wed, Jul 16, 2008, 2:18 PM
MSA-08-0013: CSRF (Cross-site Request Forgery) on Moodle edit profile page | Petr Skoda | 0 | Wed, Jul 16, 2008, 2:20 PM
MSA-08-0014: potential sql injection in events handling code | Petr Skoda | 0 | Wed, Jul 16, 2008, 2:22 PM
MSA-08-0015: accessible profiles of deleted users | Petr Skoda | 0 | Wed, Jul 16, 2008, 2:25 PM
MSA-08-0016: Email could be changed in profile without confirmation | Petr Skoda | 0 | Wed, Jul 16, 2008, 2:29 PM
MSA-08-0017: customised PhpMyAdmin upgraded to 2.11.7.1 | Petr Skoda | 0 | Wed, Jul 16, 2008, 3:21 PM
MSA-08-0018: customised PhpMyAdmin package upgraded to 2.11.8.1 | Petr Skoda | 0 | Tue, Jul 29, 2008, 7:56 PM
MSA-08-0019: customised PhpMyAdmin package upgraded to 2.11.9.2 | Petr Skoda | 0 | Mon, Oct 20, 2008, 4:37 AM
MSA-08-0020: quiz/questions capabilities lack some risk flags in access.php files | Petr Skoda | 0 | Mon, Oct 20, 2008, 4:40 AM
MSA-08-0021: design deficiency combined with incorrect use of format_string() allowing XSS | Petr Skoda | 0 | Mon, Oct 20, 2008, 4:43 AM
MSA-08-0022: XSS through Wiki page titles | Petr Skoda | 0 | Mon, Oct 20, 2008, 4:46 AM
MSA-08-0023: CSRF in messaging setting | Petr Skoda | 0 | Mon, Oct 20, 2008, 4:48 AM
MSA-08-0024: Overriding of frozen values in Moodle forms | Petr Skoda | 0 | Mon, Oct 20, 2008, 4:50 AM
MSA-08-0025: SQL injection in tags code | Petr Skoda | 0 | Mon, Oct 20, 2008, 4:52 AM
MSA-08-0026: customised HTML Purifier upgraded to 2.1.5 | Petr Skoda | 0 | Mon, Oct 20, 2008, 4:53 AM
MSA-08-0027: customised PhpMyAdmin package upgraded to 2.11.9.3 | Petr Skoda | 0 | Mon, Nov 3, 2008, 7:30 AM
MSA-08-0028: customised PhpMyAdmin package upgraded to 2.11.9.4 | Petr Skoda | 0 | Wed, Dec 10, 2008, 9:00 AM
MSA-09-0001: No way easy to remove pictures of deleted users | Petr Skoda | 0 | Wed, Feb 4, 2009, 5:48 PM
MSA-09-0002: User pix disclosure | Petr Skoda | 0 | Wed, Feb 4, 2009, 5:52 PM
MSA-09-0003: Vulnerability in Snoopy 1.2.3 | Petr Skoda | 0 | Wed, Feb 4, 2009, 5:58 PM
MSA-09-0004: XSS vulnerabilities in HTML blocks if "Login as" used | Petr Skoda | 0 | Wed, Feb 4, 2009, 6:01 PM
MSA-09-0005: Moodle 'spell-check-logic.cgi' Insecure Temporary File Creation Vulnerability | Petr Skoda | 0 | Wed, Feb 4, 2009, 6:03 PM
MSA-09-0006: Calendar export may allow brute force attacks | Petr Skoda | 0 | Wed, Feb 4, 2009, 6:05 PM
MSA-09-0007: Missing input validation in logs allows potential XSS attacks | Petr Skoda | 0 | Wed, Feb 4, 2009, 6:11 PM
MSA-09-0008: CSRF vulnerability in forum code | Petr Skoda | 0 | Wed, Feb 4, 2009, 6:14 PM
Prevent profile spam on your Moodle site | Martin Dougiamas | 0 | Tue, Feb 10, 2009, 12:31 PM
MSA-09-0009: TeX filter file disclosure | Petr Skoda | 0 | Mon, Apr 13, 2009, 10:44 PM
MSA-09-0010: Unzip binary may create symbolic links pointing outside of dataroot on unix/linux servers | Petr Skoda | 0 | Wed, May 20, 2009, 6:53 PM
MSA-09-0011: Glossary, database and forum ratings are not verified after submission | Petr Skoda | 0 | Wed, May 20, 2009, 6:57 PM
MSA-09-0012: SQL injections when importing outcomes | Petr Skoda | 0 | Wed, May 20, 2009, 7:00 PM
MSA-09-0013: Customised PhpMyAdmin upgraded to 2.11.9.5 | Petr Skoda | 0 | Wed, May 20, 2009, 7:05 PM
MSA-09-0014: mimeTeX vulnerabilities | Petr Skoda | 0 | Mon, Jul 20, 2009, 2:04 AM
MSA-09-0015: Customised PhpMyAdmin upgraded to 2.11.9.6 | Petr Skoda | 0 | Thu, Oct 15, 2009, 2:12 AM
MSA-09-0016: Email not properly escaped on user edit page | Petr Skoda | 0 | Tue, Nov 3, 2009, 3:41 AM
MSA-09-0017: Upgrade code in 1.9 does not escape tags properly | Petr Skoda | 0 | Tue, Nov 3, 2009, 3:43 AM
MSA-09-0018: Incorrect escaping when updating first post in a single simple discussion forum type | Petr Skoda | 0 | Tue, Nov 3, 2009, 3:46 AM
MSA-09-0019: SQL injection in update_record | Petr Skoda | 0 | Tue, Nov 3, 2009, 3:49 AM
MSA-09-0020: Teachers can view students' grades in all courses in the overview report | Petr Skoda | 0 | Tue, Nov 3, 2009, 3:52 AM
MSA-09-0021: Error in ADODB OCI8/MSSQL drivers allows SQL injection vulnerability | Petr Skoda | 0 | Tue, Nov 3, 2009, 4:09 AM
MSA-09-0022: Multiple CSRF problems fixed | Helen Foster | 0 | Wed, Dec 2, 2009, 3:11 AM
MSA-09-0023: User account disclosure in LAMS module | Helen Foster | 0 | Wed, Dec 2, 2009, 3:15 AM
MSA-09-0024: Insufficient access control in glossary | Helen Foster | 0 | Wed, Dec 2, 2009, 3:18 AM
MSA-09-0025: Unneeded MD5 hashes removed from user table | Helen Foster | 0 | Wed, Dec 2, 2009, 3:22 AM
MSA-09-0026: Invalid application access control in MNET interface | Helen Foster | 0 | Wed, Dec 2, 2009, 3:27 AM
MSA-09-0027: Login information can be sent unsecured even when site is configured to use SSL for logins | Helen Foster | 0 | Wed, Dec 2, 2009, 3:32 AM
MSA-09-0028: Multiple backup/restore related issues | Helen Foster | 0 | Wed, Dec 2, 2009, 3:39 AM
MSA-09-0029: Multiple password related issues | Helen Foster | 0 | Wed, Dec 2, 2009, 3:44 AM
MSA-09-0030: New detection of insecure flash player plugins | Helen Foster | 0 | Wed, Dec 2, 2009, 4:58 AM
MSA-09-0031: SQL injection in SCORM module | Helen Foster | 0 | Wed, Dec 2, 2009, 5:01 AM
MSA-10-0001: Vulnerability in KSES text cleaning | Petr Skoda | 0 | Wed, Mar 31, 2010, 8:31 PM
MSA-10-0002: XSS vulnerabilty in the phpcas module | Petr Skoda | 0 | Wed, Mar 31, 2010, 8:33 PM
MSA-10-0003: Disclosure of full user names | Petr Skoda | 0 | Wed, Mar 31, 2010, 8:35 PM
MSA-10-0004: Improved access control in course restore | Petr Skoda | 0 | Wed, Mar 31, 2010, 8:37 PM
MSA-10-0005: Incorrect validation of forms data | Petr Skoda | 0 | Wed, Mar 31, 2010, 8:40 PM
MSA-10-0006: SQL injection in Wiki module | Petr Skoda | 0 | Wed, Mar 31, 2010, 8:45 PM
MSA-10-0007: Reflective Cross Site Scripting (XSS) in the Moodle Global Search Engine | Petr Skoda | 0 | Wed, Mar 31, 2010, 8:47 PM
MSA-10-0008: Persistent XSS when using Login-as feature | Petr Skoda | 0 | Wed, Mar 31, 2010, 8:49 PM
MSA-10-0009: Session fixation prevention now turned on by default | Petr Skoda | 0 | Wed, Mar 31, 2010, 8:51 PM
MSA-10-0010: Persistent Cross Site Scripting vulnerability in the MNET access control interface | Helen Foster | 0 | Thu, Jun 17, 2010, 6:16 PM
MSA-10-0011: Cross Site Scripting vulnerability in blog/index.php | Helen Foster | 0 | Thu, Jun 17, 2010, 6:20 PM
MSA-10-0012: KSES Security Filter Bypassing vulnerability | Helen Foster | 0 | Thu, Jun 17, 2010, 6:23 PM
MSA-10-0013: Potential Cross Site Request Forgery vulnerability in Quiz reports | Helen Foster | 0 | Thu, Jun 17, 2010, 6:27 PM
MSA-10-0014: Customised phpMyAdmin upgraded to 2.11.11 | Petr Skoda | 0 | Sun, Oct 24, 2010, 7:17 PM
MSA-10-0016: Multiple phpCAS library vulnerabilities | Helen Foster | 0 | Mon, Oct 25, 2010, 7:20 PM
MSA-10-0015: Customised HTML Purifier upgraded to 4.2.0 | Helen Foster | 0 | Mon, Oct 25, 2010, 7:25 PM
MSA-10-0017: XSS vulnerability in YUI 2.4.0 through YUI 2.8.1 | Petr Skoda | 0 | Tue, Oct 26, 2010, 4:13 AM
MSA-10-0018: Customised phpMyAdmin upgraded to 2.11.11.1 and 3.3.8.1 | Petr Skoda | 0 | Sat, Dec 18, 2010, 4:59 AM
MSA-11-0001: Customised phpMyAdmin upgraded to 2.11.11.3 and 3.3.9.2 | Petr Skoda | 0 | Mon, Feb 21, 2011, 5:00 PM
MSA-11-0002: Cross-site request forgery vulnerability in RSS block | Helen Foster | 0 | Tue, Mar 1, 2011, 10:13 PM
MSA-11-0003: Cross-site scripting vulnerability in tag autocomplete | Helen Foster | 0 | Tue, Mar 1, 2011, 10:16 PM
MSA-11-0004: $CFG->forceloginforprofiles setting ignored in course profiles | Helen Foster | 0 | Tue, Mar 1, 2011, 10:20 PM
MSA-11-0005: Cross-site scripting vulnerability in spikephpcoverage | Helen Foster | 0 | Tue, Mar 1, 2011, 10:29 PM
MSA-11-0006: Cross-site request forgery and missing access control in course completion | Helen Foster | 0 | Tue, Mar 1, 2011, 10:35 PM
MSA-11-0007: Cross-site scripting vulnerability in course tags | Helen Foster | 0 | Tue, Mar 1, 2011, 10:51 PM
MSA-11-0008: IMS enterprise enrolment file may disclose sensitive information | Helen Foster | 0 | Tue, Mar 1, 2011, 10:54 PM
MSA-11-0009: My profile block may disclose private information if used in user context | Helen Foster | 0 | Tue, Mar 1, 2011, 10:57 PM
MSA-11-0010: Incorrect default for mod:course/delete capability in teacher role | Helen Foster | 0 | Tue, Mar 1, 2011, 11:10 PM
MSA-11-0011: Multiple cross-site scripting problems in media filter | Helen Foster | 0 | Tue, Mar 1, 2011, 11:12 PM
MSA-11-0012: Authentication issue | Helen Foster | 0 | Wed, May 18, 2011, 3:44 PM
MSA-11-0013: Group/Quiz permissions issue | Helen Foster | 0 | Wed, May 18, 2011, 3:52 PM
MSA-11-0014: Personal details displayed without permission | Helen Foster | 0 | Wed, May 18, 2011, 3:57 PM
MSA-11-0015: Cross Site Scripting through URL encoding | Helen Foster | 0 | Wed, May 18, 2011, 4:01 PM
MSA-11-0016: Ability to fill a database with invalid records through ratings | Helen Foster | 0 | Wed, May 18, 2011, 4:05 PM
MSA-11-0017: Ability to generate invalid records in the comments table in the database | Helen Foster | 0 | Wed, May 18, 2011, 4:07 PM
MSA-11-0018: Lacking capability controls over cohorts | Michael de Raadt | 0 | Mon, Aug 8, 2011, 3:59 PM
MSA-11-0019: Themes writing to files outside Moodle data directory | Michael de Raadt | 0 | Mon, Aug 8, 2011, 4:04 PM
MSA-11-0020: Continue links in error messages can lead offsite | Michael de Raadt | 0 | Mon, Aug 8, 2011, 4:08 PM
MSA-11-0021: Role assignment web service function not following restrictions | Michael de Raadt | 0 | Mon, Aug 8, 2011, 4:13 PM