Security Announcements

Picture of Marina Glancy
MSA-17-0004: XSS in assignment submission page
 
Description: HTML injection, with the potential for an XSS attack, was possible by modifying the URL for assignment submission and tricking another user into following it.
Issue summary: XSS in assignment submission page
Severity/Risk: Minor
Versions affected: 3.2 and 3.1 to 3.1.3
Versions fixed: 3.2.1 and 3.1.4 (also backported to 2.7.18 and 3.0.8 as a precaution)
Reported by: Ago Luberg and Wael AbuSeada
Issue no.: MDL-57580
CVE identifier: CVE-2017-2578
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57580
 
MSA-17-0003: PHPMailer vulnerability in no-reply address
 
Description: A security vulnerability was reported against PHPMailer, a third-party library used by Moodle. As a result, Moodle improved validation of the no-reply address (which can only be configured by an admin); all other fields were already properly sanitized. This issue only affects sites that leave $CFG->smtphosts empty.
Issue summary: Address the vulnerabilities in recent PHPMailer 5.2.x
Severity/Risk: Serious
Versions affected: 3.2, 3.1 to 3.1.3, 3.0 to 3.0.7, 2.9 to 2.9.9, 2.8 to 2.8.12, 2.7 to 2.7.17 and earlier unsupported versions
Versions fixed: 3.2.1, 3.1.4, 3.0.8 and 2.7.18
Reported by: Matteo Scaramuccia
Issue no.: MDL-57531
Workaround: Define $CFG->noreplyaddress and $CFG->supportemail in config.php
CVE identifier: CVE-2016-10045 (PHPMailer)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57531
 
MSA-17-0002: Incorrect sanitation of attributes in forums
 
Description: A forum post author can change too many fields when editing the post.
Issue summary: Incorrect sanitation of attributes
Severity/Risk: Minor
Versions affected: 3.2, 3.1 to 3.1.3, 3.0 to 3.0.7, 2.9 to 2.9.9, 2.8 to 2.8.12, 2.7 to 2.7.17 and earlier unsupported versions
Versions fixed: 3.2.1, 3.1.4, 3.0.8 and 2.7.18
Reported by: Anshul Jain
Issue no.: MDL-56225
CVE identifier: CVE-2017-2576
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56225
 
MSA-17-0001: System file inclusion when adding own preset file in Boost theme
 
Description: It is possible to read a system file by trying to include it in a Boost theme preset. This can only be exploited by Moodle admins and is only potentially dangerous in developer debugging mode.
Issue summary: System file inclusion when adding own preset file (Boost theme)
Severity/Risk: Minor
Versions affected: 3.2
Versions fixed: 3.2.1
Reported by: Frédéric Massart
Issue no.: MDL-56992
Workaround: Define $CFG->debugdisplay=0; and $CFG->debug=0; in config.php until the fix is applied
CVE identifier: -
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56992
 
MSA-16-0026: When debugging is enabled, error exceptions returned from webservices could contain private data.
 
Description: Hopefully, production sites never have debugging mode enabled, and this is more of an improvement that limits the information returned in web service error messages.
Issue summary: When debugging is enabled, error exceptions returned from webservices could contain private data.
Severity/Risk: Serious
Versions affected: 3.1 to 3.1.2, 3.0 to 3.0.6 and 2.9 to 2.9.8
Versions fixed: 3.1.3, 3.0.7 and 2.9.9
Reported by: Damyon Wiese
Issue no.: MDL-56268
CVE identifier: none (this issue does not qualify for CVE)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56268
 
MSA-16-0025: Capability to view course notes is checked in the wrong context
 
Description: An incorrect capability check may have allowed users to view course notes when they had a site-wide permission that was revoked inside a course.
Issue summary: Notes has_capability check not called for correct context
Severity/Risk: Minor
Versions affected: 3.1 to 3.1.2, 3.0 to 3.0.6, 2.9 to 2.9.8, 2.8 to 2.8.12, 2.7 to 2.7.16 and earlier unsupported versions
Versions fixed: 3.1.3, 3.0.7, 2.9.9 and 2.7.17
Reported by: Andrew Nicols
Issue no.: MDL-51347
CVE identifier: CVE-2016-8644
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51347
 
MSA-16-0024: Non-admin site managers may accidentally edit admins via web services
 
Description: Normally, in the Moodle web interface, non-admin users with the capability to edit other users cannot edit information about admins; this was not respected in one of the web services. This can only be a security vulnerability if this web service was exposed to some external service; it is not exposed to the mobile app.
Issue summary: Prevent some users to be updated by update_users ws
Severity/Risk: Minor
Versions affected: 3.1 to 3.1.2, 3.0 to 3.0.6, 2.9 to 2.9.8, 2.8 to 2.8.12, 2.7 to 2.7.16 and earlier unsupported versions
Versions fixed: 3.1.3, 3.0.7, 2.9.9 and 2.7.17
Reported by: Juan Leyva
Issue no.: MDL-56065
CVE identifier: CVE-2016-8643
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56065
 
MSA-16-0023: Question engine allows access to files that should not be available
 
Description: A user can guess the URL of a file embedded in a question that they are not able to access, and download it using the identifier of a question they can access.
Issue summary: Question engine allows access to files that I should not be able to view
Severity/Risk: Minor
Versions affected: 3.1 to 3.1.2, 3.0 to 3.0.6, 2.9 to 2.9.8, 2.8 to 2.8.12, 2.7 to 2.7.16 and earlier unsupported versions
Versions fixed: 3.1.3, 3.0.7, 2.9.9 and 2.7.17
Reported by: Martin Gauk
Issue no.: MDL-53744
CVE identifier: CVE-2016-8642
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53744
 
MSA-16-0022: Web service tokens should be invalidated when the user password is changed or forced to be changed
 
Description: Access to the mobile app using the old web service token should be revoked if the user changes the password.
Issue summary: Users tokens should be invalidated when the user password is changed (or forced to)
Severity/Risk: Minor
Versions affected: 3.1 to 3.1.1, 3.0 to 3.0.5, 2.9 to 2.9.7, 2.8 to 2.8.12, 2.7 to 2.7.15 and earlier unsupported versions
Versions fixed: 3.1.2, 3.0.6, 2.9.8 and 2.7.16
Reported by: Juan Leyva
Issue no.: MDL-49026
CVE identifier: CVE-2016-7038
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49026
 
MSA-16-0021: Unenrolled user still receives event monitor notifications even though they can no longer access course
 
Description: The event monitor tool checked access to the course or activity only when the subscription was created, but did not re-evaluate it when sending notifications. This can result in an unenrolled user receiving notifications with information they can no longer access.
Issue summary: Event monitor notifications do not check user access to the course/activity (for example after teacher has been unenrolled)
Severity/Risk: Minor
Versions affected: 3.1, 3.0 to 3.0.4, 2.9 to 2.9.6, 2.8 to 2.8.12
Versions fixed: 3.1.1, 3.0.5 and 2.9.7
Reported by: Stuart R Mealor
Issue no.: MDL-53431
CVE identifier: CVE-2016-5014
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53431