Security Announcements

Picture of Marina Glancy
MSA-15-0017: XSS in quiz statistics report
 
Description: The quiz statistics report did not properly escape student responses and could be used for an XSS attack.
Issue summary: XSS in quiz statistics report
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier unsupported versions
Versions fixed: 2.8.4, 2.7.6 and 2.6.9
Reported by: Tim Hunt
Issue no.: MDL-49364
CVE identifier: CVE-2015-2273
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49364
MSA-15-0016: Web services token can be created for user with temporary password
 
Description: Even when a user's password is forced to be changed on login, the user could still use it for authentication to create a web service token and thereby extend the life of the temporary password via web services.
Issue summary: login/token.php does not check if auth_forcepasswordchange is on for the user
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier unsupported versions
Versions fixed: 2.8.4, 2.7.6 and 2.6.9
Reported by: Juan Leyva
Issue no.: MDL-48691
CVE identifier: CVE-2015-2272
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48691
MSA-15-0015: User without proper permission is able to mark the tag as inappropriate
 
Description: Very minor case of a capability not being respected. It does not affect the majority of sites, since this capability is given to authenticated users by default.
Issue summary: Capability moodle/tag:flag not observed
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier unsupported versions
Versions fixed: 2.8.4, 2.7.6 and 2.6.9
Reported by: Frédéric Massart
Issue no.: MDL-49084
CVE identifier: CVE-2015-2271
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49084
MSA-15-0014: Potential information disclosure for the inaccessible courses
 
Description: For custom themes that use block regions in the base layout, the blocks for inaccessible courses could be displayed together with sensitive course-related information. The majority of themes, including all standard Moodle themes, are not affected.
Issue summary: Guest user can see course information they should not be able to via require_login
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier unsupported versions
Versions fixed: 2.8.4, 2.7.6 and 2.6.9
Reported by: Sam Hemelryk
Issue no.: MDL-48804
CVE identifier: CVE-2015-2270
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48804
MSA-15-0013: Block title not properly escaped and may cause HTML injection
 
Description: It is possible to create HTML injection through blocks with configurable titles; however, this could only be exploited by users who are already marked as XSS-trusted.
Issue summary: Block title not properly escaped and may cause HTML injection
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier unsupported versions
Versions fixed: 2.8.4, 2.7.6 and 2.6.9
Reported by: Gjoko Krstic
Issue no.: MDL-49144
CVE identifier: CVE-2015-2269
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49144
MSA-15-0012: ReDoS Possible with Convert links to URLs filter
 
Description: A non-optimal regular expression in the filter could be exploited to create extra server load or make a particular page unavailable.
Issue summary: ReDoS Possible with Convert links to URLs filter
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier unsupported versions
Versions fixed: 2.8.4, 2.7.6 and 2.6.9
Reported by: Rob
Issue no.: MDL-38466
Workaround: Disable links to URLs filter
CVE identifier: CVE-2015-2268
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38466
MSA-15-0011: Authentication in mdeploy can be bypassed
 
Description: It is theoretically possible to extract files anywhere on the system where the web server has write access. However, this is quite difficult to exploit, since the attacking user must know details about the system and already have significant permissions on the site.
Issue summary: Authentication in mdeploy can be bypassed
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier unsupported versions
Versions fixed: 2.8.4, 2.7.6 and 2.6.9
Reported by: Frédéric Massart
Issue no.: MDL-49087
Workaround: Delete the file mdeploy.php or prevent access to it in the web server config
CVE identifier: CVE-2015-2267
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49087
MSA-15-0010: Personal contacts and number of unread messages can be revealed
 
Description: By modifying the URL, a logged-in user can view the list of another user's contacts, the number of unread messages and the list of their courses.
Issue summary: Personal contacts and number of unread messages can be revealed
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier unsupported versions
Versions fixed: 2.8.4, 2.7.6 and 2.6.9
Reported by: Barry Oosthuizen
Issue no.: MDL-49204
Workaround: Disable messaging on site
CVE identifier: CVE-2015-2266
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49204
MSA-15-0009: Directory Traversal Attack possible through some files serving JS
 
Description: The "file" parameter passed to scripts serving JS was not always cleaned of "../" sequences in the path, allowing files located outside of the Moodle directory to be read. All operating systems are affected, but Windows servers are especially vulnerable.
Issue summary: Preauthenticated Local File Disclosure
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.2, 2.7 to 2.7.4, 2.6 to 2.6.7 and earlier unsupported versions.
The earliest affected version is 2.3 on Windows servers and 2.5 on servers with other operating systems. It is highly recommended to apply the patch manually if you are running an unsupported version or are otherwise unable to upgrade.
Versions fixed: 2.8.3, 2.7.5 and 2.6.8
Reported by: Emiel Florijn
Issue no.: MDL-48980 and MDL-48990
Workaround: Prevent access to URLs containing "../" or "..\" in web server configuration
CVE identifier: CVE-2015-1493 (also aliased as CVE-2015-0246)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48980
MSA-15-0008: Forced logout through Shibboleth authentication plugin
 
Description: It was possible to forge a request to log out users even when not authenticated through Shibboleth.
Issue summary: Forced logout via auth/shibboleth/logout.php
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Petr Skoda
Issue no.: MDL-47964
Workaround: Deny access to file auth/shibboleth/logout.php in webserver configuration
CVE identifier: CVE-2015-0218
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47964