Security announcements

Picture of Marina Glancy
MSA-17-0009: XSS in attachments to evidence of prior learning
 
Description: Files attached to evidence of prior learning were served without forcing a download. When another user viewed such a file, it was opened in that user's current Moodle session rather than downloaded, which is what makes the XSS possible.
Issue summary: XSS in attachments to evidence of prior learning
Severity/Risk: Serious
Versions affected: 3.2 to 3.2.1 and 3.1 to 3.1.4
Versions fixed: 3.2.2 and 3.1.5
Reported by: wez3
Issue no.: MDL-57597
CVE identifier: CVE-2017-2645
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57597
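The fix class described above (never let a user-uploaded file render in the viewer's own session) is easy to get subtly wrong, so here is an added example of the response headers a file-serving endpoint should emit for untrusted uploads. This is illustrative code written for this page, not Moodle's file-serving code; the type lists, the header set and the sample filenames are assumptions for the example.

```python
import re
import urllib.parse

# Assumed lists for this example (not Moodle's own): types a browser will
# render as active content (script, or markup that can load script) and so
# must never be shown inline from a user-controlled file area on the
# application's origin, and types that are acceptable to show inline once
# the response also carries X-Content-Type-Options: nosniff.
ACTIVE_CONTENT_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "application/x-shockwave-flash",
}
INLINE_SAFE_TYPES = {"image/png", "image/jpeg", "image/gif", "application/pdf"}


def content_disposition(filename, inline=False):
    """Build a Content-Disposition value that cannot smuggle a header or path."""
    disposition = "inline" if inline else "attachment"
    # Replace control characters (CR/LF would end the header) and path
    # separators, so the name is a single safe token.
    clean = re.sub(r"[\x00-\x1f\x7f/\\]", "_", filename).strip() or "download"
    # Quoted-string fallback for old clients: ASCII only, no embedded quotes.
    ascii_name = clean.encode("ascii", "replace").decode("ascii").replace('"', "'")
    params = [disposition, f'filename="{ascii_name}"']
    if not clean.isascii():
        # RFC 6266 / RFC 8187 extended parameter carries the real UTF-8 name.
        params.append("filename*=UTF-8''" + urllib.parse.quote(clean, safe=""))
    return "; ".join(params)


def file_response_headers(filename, mimetype, allow_inline=False):
    """Headers for serving an untrusted upload.

    The default is a forced download. Inline display is granted only when the
    caller asks for it AND the type is on the inline-safe list; active content
    types are downgraded to application/octet-stream so the browser has no
    reason to render them even if the user opens the download.
    """
    mimetype = mimetype.lower().split(";")[0].strip()
    if mimetype in ACTIVE_CONTENT_TYPES:
        inline = False
        mimetype = "application/octet-stream"
    else:
        inline = allow_inline and mimetype in INLINE_SAFE_TYPES
    return {
        "Content-Type": mimetype,
        "Content-Disposition": content_disposition(filename, inline),
        # Stop MIME sniffing: a 'text/plain' file full of <script> stays text.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: if the file is rendered anyway, it runs in a
        # unique origin with no script, so it cannot touch the session.
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    # Constructed sample uploads.
    for name, mime in [("evidence.html", "text/html"), ("photo.png", "image/png")]:
        print(name, file_response_headers(name, mime, allow_inline=True))
```

The important property is that the decision is made on the server's own allow-list, not on the uploader's declared type: an HTML or SVG attachment gets a forced download as a generic byte stream no matter what the caller asked for.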
 
MSA-17-0008: XSS in evidence of prior learning
 
Description: A registered user could submit evidence of prior learning containing XSS that would be executed for another user who tried to edit the same evidence.
Issue summary: XSS in evidence of prior learning
Severity/Risk: Minor
Versions affected: 3.2 to 3.2.1 and 3.1 to 3.1.4
Versions fixed: 3.2.2 and 3.1.5
Reported by: Jaymark Pestaño
Issue no.: MDL-57596
CVE identifier: CVE-2017-2644
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57596
 
MSA-17-0007: Global search displays user names for unauthenticated users
 
Description: Global search does not respect the "Force login for profiles" setting and displays user names to guests when it should not (user profiles themselves were still not displayed).
Issue summary: Global search displays user names for unauthenticated user searches
Severity/Risk: Minor
Versions affected: 3.2 to 3.2.1
Versions fixed: 3.2.2
Reported by: Nadav Kavalerchik
Issue no.: MDL-56526
CVE identifier: CVE-2017-2643
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56526
 
MSA-17-0005: SQL injection via user preferences
 
Description: A PoC was presented of SQL injection by an ordinary registered user on Moodle 3.2 via the web interface. A similar scenario could be used in previous versions of Moodle, but only by managers/admins and only via web services.
Issue summary: Remote Code Execution @ 3.2.1
Severity/Risk: Serious
Versions affected: 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions
Versions fixed: 3.2.2, 3.1.5, 3.0.9 and 2.7.19
Reported by: Netanel Rubin
Issue no.: MDL-58010
CVE identifier: CVE-2017-2641
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58010
 
MSA-17-0004: XSS in assignment submission page
 
Description: HTML injection, with a potential XSS attack, was possible by modifying the URL of the assignment submission page and tricking another user into following it.
Issue summary: XSS in assignment submission page
Severity/Risk: Minor
Versions affected: 3.2 and 3.1 to 3.1.3
Versions fixed: 3.2.1 and 3.1.4 (also backported to 2.7.18 and 3.0.8 as a precaution)
Reported by: Ago Luberg and Wael AbuSeada
Issue no.: MDL-57580
CVE identifier: CVE-2017-2578
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57580
 
MSA-17-0003: PHPMailer vulnerability in no-reply address
 
Description: A security vulnerability was reported against PHPMailer, a third-party library used by Moodle. As a result, Moodle improved validation of the no-reply address (which can only be configured by an admin); all other fields were already properly sanitised. This issue only affects sites that leave $CFG->smtphosts empty, i.e. sites that hand mail to a local sendmail binary rather than to an SMTP server.
Issue summary: Address the vulnerabilities in recent PHPMailer 5.2.x
Severity/Risk: Serious
Versions affected: 3.2, 3.1 to 3.1.3, 3.0 to 3.0.7, 2.9 to 2.9.9, 2.8 to 2.8.12, 2.7 to 2.7.17 and earlier unsupported versions
Versions fixed: 3.2.1, 3.1.4, 3.0.8 and 2.7.18
Reported by: Matteo Scaramuccia
Issue no.: MDL-57531
Workaround: Define $CFG->noreplyaddress and $CFG->supportemail in config.php
CVE identifier: CVE-2016-10045 (PHPMailer)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57531
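The PHPMailer issue is a reminder that an e-mail address which reaches a local sendmail command line is an argument, not just a header, so the validation for the no-reply address needs to be stricter than "is this a valid RFC 5322 address". The following is an added example of that kind of validation, written for this page; it is not Moodle's or PHPMailer's code, and the regular expression, the `sendmail_args` argument layout and the candidate addresses are all this example's assumptions.

```python
import re

# Stricter than RFC 5322 on purpose: the quoted-string local part, comments
# and most atext punctuation are refused outright. A value that may end up on
# a sendmail-style command line (for example as the envelope sender) must not
# contain quotes, whitespace or shell metacharacters, and escaping is not a
# substitute for refusing them.
_SAFE_SENDER = re.compile(
    r"[A-Za-z0-9][A-Za-z0-9._+-]{0,63}"                        # local part
    r"@"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"    # dotted labels
    r"[A-Za-z]{2,63}"                                          # top-level label
)


def is_safe_sender(address):
    """True only for a plain dot-atom address of bounded length."""
    return len(address) <= 254 and _SAFE_SENDER.fullmatch(address) is not None


def sendmail_args(sender, sendmail_path="/usr/sbin/sendmail"):
    """Argument vector for a local sendmail invocation (assumed layout).

    Built as a list for subprocess (never a shell string), and the sender is
    validated before it is placed after -f. A configured address that fails
    validation is rejected, not "repaired".
    """
    if not is_safe_sender(sender):
        raise ValueError("refusing unsafe envelope sender: %r" % sender)
    return [sendmail_path, "-t", "-i", "-f", sender]


def rejects(sender):
    """True if sendmail_args refuses the sender."""
    try:
        sendmail_args(sender)
    except ValueError:
        return True
    return False


# Constructed candidates for this example, with the expected verdict.
CANDIDATES = {
    "noreply@example.edu": True,
    "no-reply+moodle@mail.example.edu": True,
    '"a b"@example.edu': False,                  # RFC-valid quoted local part, refused
    "noreply@example.edu -Xfoo": False,          # trailing command-line options
    "noreply@example.edu\r\nBcc: x@y.zz": False,  # header injection
    "noreply@localhost": False,                   # no dotted domain
}


def check_candidates():
    return {addr: is_safe_sender(addr) for addr in CANDIDATES}


if __name__ == "__main__":
    for addr, ok in check_candidates().items():
        print("%-40r %s" % (addr, "accepted" if ok else "refused"))
```

The same rule applies to the advisory's workaround: a site that sets $CFG->noreplyaddress and $CFG->supportemail explicitly should set them to plain addresses of this shape, since those are the values that end up in the mail command.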
 
MSA-17-0002: Incorrect sanitation of attributes in forums
 
Description: A forum post author could change more fields than intended when editing the post.
Issue summary: Incorrect sanitation of attributes
Severity/Risk: Minor
Versions affected: 3.2, 3.1 to 3.1.3, 3.0 to 3.0.7, 2.9 to 2.9.9, 2.8 to 2.8.12, 2.7 to 2.7.17 and earlier unsupported versions
Versions fixed: 3.2.1, 3.1.4, 3.0.8 and 2.7.18
Reported by: Anshul Jain
Issue no.: MDL-56225
CVE identifier: CVE-2017-2576
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56225
 
MSA-17-0001: System file inclusion when adding own preset file in Boost theme
 
Description: It is possible to read a system file by trying to include it as a Boost theme preset. This can only be exploited by Moodle admins and is only potentially dangerous in developer debugging mode.
Issue summary: System file inclusion when adding own preset file (Boost theme)
Severity/Risk: Minor
Versions affected: 3.2
Versions fixed: 3.2.1
Reported by: Frédéric Massart
Issue no.: MDL-56992
Workaround: Define $CFG->debugdisplay=0; and $CFG->debug=0; in config.php until the fix is applied
CVE identifier: -
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56992
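The general check behind this fix, that a user-chosen file name must resolve to a file inside one directory and nowhere else, is worth seeing in full, because the usual mistakes (an absolute path that makes the join discard the base, a `..` component, a symlink pointing outside) are each caught by a different part of it. The example below is added for this page and is not Moodle's code; the preset directory, the `.scss` suffix rule and the sample names are assumptions.

```python
import os

PRESET_SUFFIX = ".scss"  # assumption: Boost presets are SCSS files

# Constructed base directory for the example; it need not exist to run this.
BASE = "/var/www/moodledata/presets"


def resolve_preset(preset_dir, requested):
    """Map a user-chosen preset name to a path inside preset_dir, else None.

    os.path.join discards preset_dir when `requested` is absolute, and '..'
    walks out of it; realpath normalises both (and follows symlinks, so a
    link inside the directory that points outside is caught too) before the
    containment check is made on the normalised paths.
    """
    if not requested or "\x00" in requested:
        return None
    base = os.path.realpath(preset_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        contained = os.path.commonpath([base, candidate]) == base
    except ValueError:  # e.g. different drives on Windows
        contained = False
    if not contained or candidate == base:
        return None
    # Only files of the expected kind may be included, even inside the directory.
    if not candidate.endswith(PRESET_SUFFIX):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: two legitimate, four that must be refused.
    for name in ["default.scss", "sub/../plain.scss", "../../../../etc/passwd",
                 "/etc/passwd", "config.php", ""]:
        print("%-28r -> %r" % (name, resolve_preset(BASE, name)))
```

Checking the normalised path rather than the raw string is what makes the check robust: a name such as `sub/../plain.scss` is accepted because it still lands inside the directory, while `../../../../etc/passwd` and `/etc/passwd` both normalise to somewhere else and are refused.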
 
MSA-16-0026: When debugging is enabled, error exceptions returned from webservices could contain private data.
 
Description: Production sites should never run with debugging mode enabled, so this is mainly an improvement that limits the information returned in web service error messages.
Issue summary: When debugging is enabled, error exceptions returned from webservices could contain private data.
Severity/Risk: Serious
Versions affected: 3.1 to 3.1.2, 3.0 to 3.0.6 and 2.9 to 2.9.8
Versions fixed: 3.1.3, 3.0.7 and 2.9.9
Reported by: Damyon Wiese
Issue no.: MDL-56268
CVE identifier: none (this issue does not qualify for CVE)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56268
 
MSA-16-0025: Capability to view course notes is checked in the wrong context
 
Description: An incorrect capability check may have allowed users to view course notes when they held the permission site-wide even though it had been revoked inside the course.
Issue summary: Notes has_capability check not called for correct context
Severity/Risk: Minor
Versions affected: 3.1 to 3.1.2, 3.0 to 3.0.6, 2.9 to 2.9.8, 2.8 to 2.8.12, 2.7 to 2.7.16 and earlier unsupported versions
Versions fixed: 3.1.3, 3.0.7, 2.9.9 and 2.7.17
Reported by: Andrew Nicols
Issue no.: MDL-51347
CVE identifier: CVE-2016-8644
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51347
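A capability check in the wrong context fails in exactly the way this advisory describes: a site-wide grant is honoured even where a more specific context has taken it away. The example below is added for this page to show the resolution rule and why the context passed to the check matters; it is a small model written here, not Moodle's has_capability() or its role tables, and the context path layout, permission names and the manager/student roles are assumptions.

```python
# Permission values in the spirit of Moodle's CAP_ALLOW / CAP_PREVENT /
# CAP_PROHIBIT; the names and the resolution below are this example's model.
ALLOW, PREVENT, PROHIBIT = "allow", "prevent", "prohibit"
SYSTEM = "system"


def course_context_path(courseid, categoryid=1):
    """Context path from the site root down to one course (assumed layout)."""
    return [SYSTEM, f"category:{categoryid}", f"course:{courseid}"]


def has_capability(capability, context_path, assignments, overrides):
    """Resolve `capability` for a user at the last context in `context_path`.

    assignments: set of (role, context) the user holds.
    overrides:   {(role, context, capability): permission}.
    A role assigned in an ancestor context applies below it; the most
    specific override on the path wins for that role; PROHIBIT anywhere on
    the path is final for the user, whatever other roles say.
    """
    allowed = False
    for role, assigned_at in assignments:
        if assigned_at not in context_path:
            continue  # held somewhere unrelated, e.g. another course
        effective = None
        for ctx in context_path:  # root first, so deeper overrides win
            perm = overrides.get((role, ctx, capability))
            if perm == PROHIBIT:
                return False
            if perm is not None:
                effective = perm
        if effective == ALLOW:
            allowed = True
    return allowed


def notes_view_demo():
    """A manager's site-wide notes permission is revoked inside course 42.

    Returns (checked_at_system, checked_at_course): the first is the buggy
    check in the wrong (system) context, the second the correct one.
    """
    cap = "moodle/notes:view"
    assignments = {("manager", SYSTEM)}
    overrides = {
        ("manager", SYSTEM, cap): ALLOW,
        ("manager", "course:42", cap): PREVENT,  # revoked in this course only
    }
    wrong = has_capability(cap, [SYSTEM], assignments, overrides)
    right = has_capability(cap, course_context_path(42), assignments, overrides)
    return wrong, right


if __name__ == "__main__":
    print("checked at system:", notes_view_demo()[0])  # grants access
    print("checked at course:", notes_view_demo()[1])  # correctly denies
```

The practical check when reviewing such code is simple: the context handed to the capability check must be the one the data belongs to (here, the course whose notes are being listed), never a convenient parent.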