Security Announcements

Picture of Marina Glancy
MSA-16-0026: When debugging is enabled, error exceptions returned from webservices could contain private data.
 
Description: Hopefully production sites never have debugging mode enabled and this is more of an improvement limiting the information returned in web services error messages.
Issue summary: When debugging is enabled, error exceptions returned from webservices could contain private data.
Severity/Risk: Serious
Versions affected: 3.1 to 3.1.2, 3.0 to 3.0.6 and 2.9 to 2.9.8
Versions fixed: 3.1.3, 3.0.7 and 2.9.9
Reported by: Damyon Wiese
Issue no.: MDL-56268
CVE identifier: none (this issue does not qualify for CVE)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56268
 
Picture of Marina Glancy
MSA-16-0025: Capability to view course notes is checked in the wrong context
 
Description: Incorrect capability check may have allowed users to view course notes when they had site-wide permission which was revoked inside a course
Issue summary: Notes has_capability check not called for correct context
Severity/Risk: Minor
Versions affected: 3.1 to 3.1.2, 3.0 to 3.0.6, 2.9 to 2.9.8, 2.8 to 2.8.12, 2.7 to 2.7.16 and earlier unsupported versions
Versions fixed: 3.1.3, 3.0.7, 2.9.9 and 2.7.17
Reported by: Andrew Nicols
Issue no.: MDL-51347
CVE identifier: CVE-2016-8644
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51347
 
Picture of Marina Glancy
MSA-16-0024: Non-admin site managers may accidentally edit admins via web services
 
Description: Normally in Moodle web interface non-admin users with capability to edit other users can not edit information about admins, this was not respected in one of the web services. This can only be a security vulnerability if this WS was exposed to some external service; it is not exposed to the mobile app
Issue summary: Prevent some users to be updated by update_users ws
Severity/Risk: Minor
Versions affected: 3.1 to 3.1.2, 3.0 to 3.0.6, 2.9 to 2.9.8, 2.8 to 2.8.12, 2.7 to 2.7.16 and earlier unsupported versions
Versions fixed: 3.1.3, 3.0.7, 2.9.9 and 2.7.17
Reported by: Juan Leyva
Issue no.: MDL-56065
CVE identifier: CVE-2016-8643
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56065
 
Picture of Marina Glancy
MSA-16-0023: Question engine allows access to files that should not be available
 
Description: User can guess URL of the file embedded in a question that they are not able to access and download it using identificator of a question they can access
Issue summary: Question engine allows access to files that I should not be able to view
Severity/Risk: Minor
Versions affected: 3.1 to 3.1.2, 3.0 to 3.0.6, 2.9 to 2.9.8, 2.8 to 2.8.12, 2.7 to 2.7.16 and earlier unsupported versions
Versions fixed: 3.1.3, 3.0.7, 2.9.9 and 2.7.17
Reported by: Martin Gauk
Issue no.: MDL-53744
CVE identifier: CVE-2016-8642
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53744
 
Picture of Marina Glancy
MSA-16-0022: Web service tokens should be invalidated when the user password is changed or forced to be changed
 
Description: Access to mobile app using the old web service token should be revoked if the user changes the password
Issue summary: Users tokens should be invalidated when the user password is changed (or forced to)
Severity/Risk: Minor
Versions affected: 3.1 to 3.1.1, 3.0 to 3.0.5, 2.9 to 2.9.7, 2.8 to 2.8.12, 2.7 to 2.7.15 and earlier unsupported versions
Versions fixed: 3.1.2, 3.0.6, 2.9.8 and 2.7.16
Reported by: Juan Leyva
Issue no.: MDL-49026
CVE identifier: CVE-2016-7038
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49026
 
Picture of Marina Glancy
MSA-16-0021: Unenrolled user still receives event monitor notifications even though they can no longer access course
 
Description: Event monitor tool checked access to the course or activity only when subscription was created but did not re-evaluate it when sending notifications. This can result in unenrolled user receiving notifications with information they no longer can access.
Issue summary: Event monitor notifications do not check user access to the course/activity (for example after teacher has been unenrolled)
Severity/Risk: Minor
Versions affected: 3.1, 3.0 to 3.0.4, 2.9 to 2.9.6, 2.8 to 2.8.12
Versions fixed: 3.1.1, 3.0.5 and 2.9.7
Reported by: Stuart R Mealor
Issue no.: MDL-53431
CVE identifier: CVE-2016-5014
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53431
 
Picture of Marina Glancy
MSA-16-0020: Text injection in email headers
 
Description: By changing own name user can inject arbitrary email addresses in the emails that moodle sends to him/her. This can be used to send spam when moodle emails user content such as messages and forum posts. It can only be exploited by registered users and very easy to trace and find the attacker.
Issue summary: User firstname/lastname not sanitized when sending emails
Severity/Risk: Minor
Versions affected: 3.1, 3.0 to 3.0.4, 2.9 to 2.9.6, 2.8 to 2.8.12, 2.7 to 2.7.14 and earlier unsupported versions
Versions fixed: 3.1.1, 3.0.5, 2.9.7 and 2.7.15
Reported by: Pierre Guinoiseau
Issue no.: MDL-55069
Workaround: Temporary prohibit users from editing their first and last names until the fix is applied
CVE identifier: CVE-2016-5013
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-55069
 
Picture of Marina Glancy
MSA-16-0019: Glossary search displays entries without checking user permissions to view them
 
Description: When searching in a glossary entries from other glossaries could be displayed, including the modules and courses that user can not access
Issue summary: Possible to see glossary entries in courses you are not enrolled in
Severity/Risk: Minor
Versions affected: 3.1
Versions fixed: 3.1.1
Reported by: Mary Cooch
Issue no.: MDL-54844
CVE identifier: CVE-2016-5012
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-54844
 
Picture of Marina Glancy
MSA-16-0018: CSRF in script marking forum posts as read
 
Description: CSRF possible in the URL that marks forum posts as read
Issue summary: Forum markposts.php missing sesskey check
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed: 3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by: Andrew Nicols
Issue no.: MDL-53755
CVE identifier: CVE-2016-3734
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53755
 
Picture of Marina Glancy
MSA-16-0017: Course idnumber not protected from teacher restore
 
Description: During the course restore teacher could overwrite idnumber even without having the capability to change it
Issue summary: Course idnumber not protected from teacher restore
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed: 3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by: Donna Hrynkiw
Issue no.: MDL-51369
CVE identifier: CVE-2016-3733
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51369