Security Announcements

Picture of Marina Glancy
MSA-15-0009: Directory Traversal Attack possible through some files serving JS
 
Description: The "file" parameter passed to scripts serving JS was not always cleaned of "../" sequences in the path, allowing files located outside of the Moodle directory to be read. All operating systems are affected, but Windows servers are especially vulnerable.
Issue summary: Preauthenticated Local File Disclosure
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.2, 2.7 to 2.7.4, 2.6 to 2.6.7 and earlier unsupported versions.
The earliest affected version is 2.3 on Windows servers and 2.5 on servers with other operating systems. It is highly recommended to apply the patch manually if you are running an unsupported version or are otherwise unable to upgrade.
Versions fixed: 2.8.3, 2.7.5 and 2.6.8
Reported by: Emiel Florijn
Issue no.: MDL-48980 and MDL-48990
Workaround: Prevent access to URLs containing "../" or "..\" in web server configuration
CVE identifier: CVE-2015-1493 (also aliased as CVE-2015-0246)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48980
MSA-15-0008: Forced logout through Shibboleth authentication plugin
 
Description: It was possible to forge a request to log out users even when they were not authenticated through Shibboleth
Issue summary: Forced logout via auth/shibboleth/logout.php
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Petr Skoda
Issue no.: MDL-47964
Workaround: Deny access to file auth/shibboleth/logout.php in webserver configuration
CVE identifier: CVE-2015-0218
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47964
MSA-15-0007: ReDoS possible in the multimedia filter
 
Description: A suboptimal regular expression in the filter could be exploited to create extra server load or make a particular page unavailable
Issue summary: ReDOS in the multimedia filter
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Nicolas Martignoni
Issue no.: MDL-48546
Workaround: Disable multimedia filter
CVE identifier: CVE-2015-0217
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48546
MSA-15-0006: Capability to grade Lesson module is missing XSS bitmask
 
Description: Users with the capability to grade in the Lesson module were not reported as users with XSS risk, but their feedback was displayed without cleaning
Issue summary: mod/lesson:grade capability missing RISK_XSS but essay feedback is displayed with noclean=true
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1
Versions fixed: 2.8.2
Reported by: Damyon Wiese
Issue no.: MDL-48034
CVE identifier: CVE-2015-0216
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48034
MSA-15-0005: Insufficient access check in calendar functions in web-services
 
Description: Through web services it was possible to get information about calendar events that the user did not have sufficient permissions to see
Issue summary: calendar/externallib.php lacks self::validate_context($context);
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Petr Skoda
Issue no.: MDL-48017
CVE identifier: CVE-2015-0215
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48017
MSA-15-0004: Information leak through messaging functions in web-services
 
Description: Through web services it was possible to access messaging-related functions, such as people search, even if messaging is disabled on the site
Issue summary: Messages external functions doesn't check if messaging is enabled
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Juan Leyva
Issue no.: MDL-48329
Workaround: Disable web services or disable individual message-related functions
CVE identifier: CVE-2015-0214
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48329
MSA-15-0003: CSRF possible in Glossary module
 
Description: Two files in the Glossary module lacked a session key check potentially allowing cross-site request forgery
Issue summary: Multiple CSRF in mod glossary
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Ankit Agarwal
Issue no.: MDL-48106
CVE identifier: CVE-2015-0213
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48106
MSA-15-0002: XSS vulnerability in course request pending approval page
 
Description: The course summary on the course request pending approval page was displayed to the manager unescaped and could be used for an XSS attack
Issue summary: XSS in course request pending approval page (Privilege Escalation?)
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Skylar Kelty
Issue no.: MDL-48368
Workaround: Grant permission moodle/course:request only to trusted users
CVE identifier: CVE-2015-0212
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48368
MSA-15-0001: Insufficient access check in LTI module
 
Description: The absence of a capability check in the AJAX backend script could allow any enrolled user to search the list of registered tools
Issue summary: mod/lti/ajax.php security problems
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Petr Skoda
Issue no.: MDL-47920
CVE identifier: CVE-2015-0211
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47920
MSA-14-0049: Possible to print arbitrary message to user by modifying URL
 
Description: A session key check was missing on the return page in the LTI module, allowing an attacker to include an arbitrary message in the URL query string
Issue summary: mod/lti/return.php allows attacker to print arbitrary message
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Petr Skoda
Issue no.: MDL-47927
CVE identifier: -
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47927