Security Announcements

Picture of Marina Glancy
MSA-16-0018: CSRF in script marking forum posts as read
 
Description: CSRF possible in the URL that marks forum posts as read
Issue summary: Forum markposts.php missing sesskey check
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed: 3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by: Andrew Nicols
Issue no.: MDL-53755
CVE identifier: CVE-2016-3734
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53755
Picture of Marina Glancy
MSA-16-0017: Course idnumber not protected from teacher restore
 
Description: During the course restore teacher could overwrite idnumber even without having the capability to change it
Issue summary: Course idnumber not protected from teacher restore
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed: 3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by: Donna Hrynkiw
Issue no.: MDL-51369
CVE identifier: CVE-2016-3733
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51369
Picture of Marina Glancy
MSA-16-0016: User can view badges of other users without proper permissions
 
Description: Capability check to view other badges was performed for the current user instead for the user whose badges are being viewed
Issue summary: Badges code checks viewotherbadges capability in the wrong context
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed: 3.0.4, 2.9.6 and 2.8.12
Reported by: Tim Hunt
Issue no.: MDL-53589
CVE identifier: CVE-2016-3732
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53589
Picture of Marina Glancy
MSA-16-0015: Information disclosure of hidden forum names and sub-names.
 
Description: Name of the inaccessible forum or forum discussion could be disclosed as part of the error message on the subscription page
Issue summary: Information disclosure of hidden forum names and sub-names.
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5 and 2.8 to 2.8.11
Versions fixed: 3.0.4, 2.9.6 and 2.8.12
Reported by: Callum Carney
Issue no.: MDL-53696
CVE identifier: CVE-2016-3731
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53696
Picture of Marina Glancy
MSA-16-0014
 

This issue has been withdrawn from the security release already after both Moodle and CVE identifiers have been assigned.

Picture of Marina Glancy
MSA-16-0013: Users are able to change profile fields that were locked by the administrator
 
Description: User editing form only disabled the profile fields in UI and did not actually prevent users from editing them
Issue summary: Tricky users can change locked profile fields
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed: 3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by: Vadim Dvorovenko
Issue no.: MDL-53954
CVE identifier: CVE-2016-3729
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53954
Picture of Marina Glancy
MSA-16-0012: External function mod_assign_save_submission does not check due dates
 
Description: Students were able to add assignment submissions after the due date through web service
Issue summary: External function mod_assign_save_submission does not check due dates
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Juan Leyva
Issue no.: MDL-52901
CVE identifier: CVE-2016-2159
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52901
Picture of Marina Glancy
MSA-16-0011: Add no referrer to links with _blank target attribute
 
Description: Improve security when following external links that were added with _blank target
Issue summary: Add no referrer to links with _blank target attribute
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Hugh Davenport
Issue no.: MDL-52651
CVE identifier: CVE-2016-2190
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52651
Picture of Marina Glancy
MSA-16-0010: Enumeration of category details possible without authentication
 
Description: Despite force login setting guests could still access course category details
Issue summary: Enumeration of category details possible without authentication
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Krista Koivisto
Issue no.: MDL-52774
CVE identifier: CVE-2016-2158
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52774
Picture of Marina Glancy
MSA-16-0009: CSRF in Assignment plugin management page
 
Description: CSRF possible on admin page, however exploit unlikely benefit anybody and can easily be reversed
Issue summary: CSRF in Assignment plugin management page
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Paul Holden
Issue no.: MDL-53031
CVE identifier: CVE-2016-2157
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53031