Security Announcements

Picture of Marina Glancy
MSA-15-0029: Javascript injection in SCORM module
 
Description: A penetration test discovered a possible JavaScript injection in the SCORM module
Issue summary: Inadequate JavaScript Handling in SCORM
Severity/Risk: Minor
Versions affected: 2.9, 2.8 to 2.8.6, 2.7 to 2.7.8 and earlier unsupported versions
Versions fixed: 2.9.1, 2.8.7 and 2.7.9
Reported by: Martin Greenaway
Issue no.: MDL-50614
CVE identifier: CVE-2015-3275
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50614
MSA-15-0028: Possible XSS through custom text profile fields in Web Services
 
Description: Several web services returning user information did not clean the text in custom text profile fields
Issue summary: Custom profile fields (textarea) are not passed through external_format_text when returned by several web services
Severity/Risk: Minor
Versions affected: 2.9, 2.8 to 2.8.6, 2.7 to 2.7.8 and earlier unsupported versions
Versions fixed: 2.9.1, 2.8.7 and 2.7.9
Reported by: Marina Glancy
Issue no.: MDL-50130
CVE identifier: CVE-2015-3274
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50130
MSA-15-0027: Capability 'mod/forum:canposttomygroups' is not respected when using 'Post a copy to all groups' in forum
 
Description: Capability 'mod/forum:canposttomygroups' was not respected when using 'Post a copy to all groups' in forum. Capability to post to each individual group was always required.
Issue summary: canposttomygroups capability is not checked in mod/forum/post.php
Severity/Risk: Minor
Versions affected: 2.9
Versions fixed: 2.9.1
Reported by: Juan Leyva
Issue no.: MDL-50220
CVE identifier: CVE-2015-3273
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50220
MSA-15-0026: Possible phishing when redirecting to external site using referer header
 
Description: Another case where redirecting to an external site was possible in error messages. See also MSA-15-0019 (CVE-2015-3175).
Issue summary: PARAM_LOCALURL is vulnerable to open redirects
Severity/Risk: Minor
Versions affected: 2.9, 2.8 to 2.8.6, 2.7 to 2.7.8 and earlier unsupported versions
Versions fixed: 2.9.1, 2.8.7 and 2.7.9
Reported by: Totara
Issue no.: MDL-50688
CVE identifier: CVE-2015-3272
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50688
MSA-15-0025: Capability to manage own files is not respected in Web Services
 
Description: Users whose capability 'moodle/user:manageownfiles' has been revoked are still able to upload private files using a deprecated function in Web Services
Issue summary: Users with the manageownfiles disabled are able to upload private files via Web Services
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Juan Leyva
Issue no.: MDL-49994
CVE identifier: CVE-2015-3181
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49994
MSA-15-0024: User with suspended enrolment can see sections in the navigation tree
 
Description: If a user is enrolled in a course but their enrolment is suspended, they cannot access the course but were still able to see the course structure in the navigation block
Issue summary: User with suspended enrolment can see sections in the navigation tree
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Alex Mitin
Issue no.: MDL-49788
CVE identifier: CVE-2015-3180
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49788
MSA-15-0023: Suspended user is able to login when confirming email
 
Description: When self-registration is enabled and a user's account was suspended after the account was created but before it was confirmed, the user is still able to log in when confirming their email, but only once.
Issue summary: Suspended user is able to login when confirming email
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Marina Glancy
Issue no.: MDL-50090
CVE identifier: CVE-2015-3179
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50090
MSA-15-0022: Potential XSS risk when returning text entered by student from Web Services
 
Description: If a user who is not XSS-trusted attempts to insert XSS as part of the input text, it will be cleaned when displayed on the Moodle website but may be displayed uncleaned in the external application
Issue summary: external_format_text() cleans and formats text incorrectly
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Eloy Lafuente
Issue no.: MDL-49718
CVE identifier: CVE-2015-3178
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49718
MSA-15-0021: Any authenticated user can subscribe to site-wide event monitor rules
 
Description: If site-wide rules exist in the event monitor tool, any user can subscribe themselves to them and potentially access information they are not supposed to see.
Issue summary: Any authenticated user can subscribe to site wide event monitor rules
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.5
Versions fixed: 2.9 and 2.8.6
Reported by: Adrian Greeve
Issue no.: MDL-50039
Workaround: Do not use site-wide rules until your site is upgraded
CVE identifier: CVE-2015-3177
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50039
MSA-15-0020: User fullname disclosure through account confirmation link
 
Description: On sites with self-registration enabled, unregistered users can retrieve the full name of registered users if they know their usernames
Issue summary: User fullname disclosure through account confirmation link
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Federico Kirschbaum
Issue no.: MDL-50099
Workaround: Even a partial patch (removing one line in /login/confirm.php) will resolve the security issue
CVE identifier: CVE-2015-3176
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50099