Security announcements

Posted by Marina Glancy
MSA-18-0006: Suspended users with OAuth 2 authentication method can still log in to the site

If a user account using the OAuth 2 authentication method was once confirmed but later suspended, the user could still log in to the site.


Severity/Risk: Minor
Versions affected: 3.4 to 3.4.1, 3.3 to 3.3.4
Versions fixed: 3.4.2 and 3.3.5
Reported by: Helen Foster
CVE identifier: CVE-2018-1082
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-60101
Tracker issue: MDL-60101 Suspended users with OAuth 2 authentication method can still log in to the site
 
MSA-18-0005: Unauthenticated users can trigger custom messages to admin via paypal enrol script

The PayPal IPN callback script should only send error emails to the admin after the request origin has been verified; otherwise the admin email can be spammed.


Severity/Risk: Serious
Versions affected: 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions
Versions fixed: 3.4.2, 3.3.5, 3.2.8 and 3.1.11
Reported by: Brendan Cox
CVE identifier: CVE-2018-1081
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61392
Tracker issue: MDL-61392 Unauthenticated users can trigger custom messages to admin via paypal enrol script
 
MSA-18-0004: XSS in calendar event name

It is possible to inject JavaScript into the event name in the calendar block. Normally the capability to create events is only given to trusted users (such as teachers); however, it is not marked as having XSS risk, therefore it is considered a security issue.


Severity/Risk: Minor
Versions affected: 3.3 to 3.3.3, 3.2 to 3.2.6, 3.1 to 3.1.9 and earlier unsupported versions
Versions fixed: 3.3.4, 3.2.7 and 3.1.10
Reported by: Rubens Brandao
CVE identifier: CVE-2018-1045
Changes (3.3): https://git.moodle.org/gw?p=moodle.git&a=search&h=MOODLE_33_STABLE&st=commit&s=MDL-60235
Tracker issue: MDL-60235 XSS in event name in block_calendar
 
MSA-18-0003: Privilege escalation in quiz web services

Quiz web services allow students to see quiz results when this is prohibited in the settings. This web service is used by the mobile app.


Severity/Risk: Minor
Versions affected: 3.4, 3.3 to 3.3.3, 3.2 to 3.2.6 and 3.1 to 3.1.9
Versions fixed: 3.4.1, 3.3.4, 3.2.7 and 3.1.10
Reported by: Chirine Nassar
CVE identifier: CVE-2018-1044
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-60908
Tracker issue: MDL-60908 Students are able to see quiz results in Mobile app although it is prohibited in the settings
 
MSA-18-0002: Setting for blocked hosts list can be bypassed with multiple A record hostnames

The Moodle setting "cURL blocked hosts list" was introduced in Moodle 3.2 to prevent access to specific addresses (usually internal) when the server retrieves URLs requested by the user. A PoC was presented showing how to bypass this restriction by using a DNS record that returns multiple A records for a hostname.


Severity/Risk: Minor
Versions affected: 3.4, 3.3 to 3.3.3 and 3.2 to 3.2.6
Versions fixed: 3.4.1, 3.3.4 and 3.2.7
Reported by: Jordan Tomkinson
CVE identifier: CVE-2018-1043
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61143
Tracker issue: MDL-61143 curlsecurityblockedhosts can be bypassed with multiple A record hostnames
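A defender-side check for the blocked-hosts bypass described above, as an added example that is not Moodle's own code: resolve every address a hostname has and deny the fetch if any one of them falls in a blocked range, shown beside the weak first-record-only check. The blocklist, hostnames and resolver results are constructed for the example.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List

# Constructed blocklist for the example; Moodle's real "cURL blocked hosts list"
# is an admin-supplied setting and is not reproduced here.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),  # link-local, incl. cloud metadata endpoints
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
]


def is_blocked_address(addr: str, blocked: Iterable = BLOCKED_NETWORKS) -> bool:
    """True if addr lies in any blocked range (IPv4-mapped IPv6 is checked as IPv4)."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in blocked)


def resolve_all(hostname: str) -> List[str]:
    """Every address the resolver returns for hostname (all A and AAAA records)."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def host_allowed_first_only(hostname: str, resolver: Callable = resolve_all) -> bool:
    """The weak check: only the first resolved address is compared to the blocklist.
    A hostname whose A records mix a public and an internal address passes here,
    yet the later fetch may connect to the internal one."""
    addrs = resolver(hostname)
    return bool(addrs) and not is_blocked_address(addrs[0])


def host_allowed(hostname: str, resolver: Callable = resolve_all,
                 blocked: Iterable = BLOCKED_NETWORKS) -> bool:
    """The hardened check: deny if ANY resolved address is blocked; fail closed
    when the name does not resolve. The fetch itself should then connect to one
    of these vetted addresses rather than resolving the name a second time."""
    addrs = resolver(hostname)
    if not addrs:
        return False
    return not any(is_blocked_address(a, blocked) for a in addrs)
```

The `resolver` parameter exists so the check can be exercised offline with a stubbed lookup; in production the default `resolve_all` is used.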
 
MSA-18-0001: Server Side Request Forgery in the filepicker

By substituting the source URL in the filepicker AJAX request, authenticated users are able to retrieve and view any URL. We classify this issue as serious because some cloud hosting providers contain internal resources that can expose data and compromise a server.


Severity/Risk: Serious
Versions affected: 3.4, 3.3 to 3.3.3, 3.2 to 3.2.6, 3.1 to 3.1.9 and earlier unsupported versions
Versions fixed: 3.4.1, 3.3.4, 3.2.7 and 3.1.10
Reported by: Thomas DeVoss
CVE identifier: CVE-2018-1042
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61131
Tracker issue: MDL-61131 Server Side Request Forgery in /repository/repository_ajax.php (Critical for Cloud Hosted Moodle Instances)
 
MSA-17-0021: Students can find out email addresses of other students in the same course

Using the search on the Participants page, students could search the email addresses of all participants regardless of email visibility. This allows them to enumerate and guess the emails of other students.


Severity/Risk: Minor
Versions affected: 3.3 to 3.3.2, 3.2 to 3.2.5, 3.1 to 3.1.8 and earlier unsupported versions
Versions fixed: 3.4, 3.3.3, 3.2.6 and 3.1.9
Reported by: Tim Schroeder
Workaround: Prohibit capability 'moodle/course:viewparticipants' (View participants) for Student role until Moodle is upgraded
CVE identifier: CVE-2017-15110
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-60550
Tracker issue: MDL-60550 Students can find out email addresses of other students who set theirs to "hidden"
 
MSA-17-0020: Admins may not know that exposing vendor directory is a security risk

The vendor/ and node_modules/ directories, which are created by composer and used during Moodle development, may expose dangerous scripts to the web and should never be present on production sites. This fix adds a corresponding security check.

Manual action may be required from the site admin to remove composer-generated directories or prevent access to them from the web.

Severity/Risk: Serious
Versions affected: 3.3 to 3.3.1, 3.2 to 3.2.4, 3.1 to 3.1.7 and earlier unsupported versions
Versions fixed: 3.3.2, 3.2.5 and 3.1.8
Reported by: David Mudrák
CVE identifier: CVE-2017-9841 (reported against the PHPUnit project; it is relevant to the version used in Moodle development)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59969
Tracker issue: MDL-59969 Admins may not know that exposing vendor directory is a security risk
 
MSA-17-0019: user_can_view_profile() incorrectly assumes $course as shared course

This fix may affect plugins using this API function; there is no exploit in standard Moodle.


Severity/Risk: Minor
Versions affected: 3.3 to 3.3.1, 3.2 to 3.2.4, 3.1 to 3.1.7 and earlier unsupported versions
Versions fixed: 3.3.2, 3.2.5 and 3.1.8
Reported by: Ankit Agarwal
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58953
Tracker issue: MDL-58953 user_can_view_profile() incorrectly assumes $course as $sharedcourse
 
MSA-17-0018: Course reports are not respecting group settings in courses

A number of course reports allowed teachers to view details about users in groups they cannot access.


Severity/Risk: Minor
Versions affected: 3.3 to 3.3.1, 3.2 to 3.2.4, 3.1 to 3.1.7 and earlier unsupported versions
Versions fixed: 3.3.2, 3.2.5 and 3.1.8
Reported by: Juan Leyva
CVE identifier: CVE-2017-12157
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58762
Tracker issue: MDL-58762 Course reports are not respecting group settings in courses