Security Announcements

Picture of Marina Glancy
MSA-16-0022: Web service tokens should be invalidated when the user password is changed or forced to be changed
 
Description: Access to mobile app using the old web service token should be revoked if the user changes the password
Issue summary: Users tokens should be invalidated when the user password is changed (or forced to)
Severity/Risk: Minor
Versions affected: 3.1 to 3.1.1, 3.0 to 3.0.5, 2.9 to 2.9.7, 2.8 to 2.8.12, 2.7 to 2.7.15 and earlier unsupported versions
Versions fixed: 3.1.2, 3.0.6, 2.9.8 and 2.7.16
Reported by: Juan Leyva
Issue no.: MDL-49026
CVE identifier: CVE-2016-7038
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49026
Picture of Marina Glancy
MSA-16-0021: Unenrolled user still receives event monitor notifications even though they can no longer access course
 
Description: Event monitor tool checked access to the course or activity only when subscription was created but did not re-evaluate it when sending notifications. This can result in unenrolled user receiving notifications with information they no longer can access.
Issue summary: Event monitor notifications do not check user access to the course/activity (for example after teacher has been unenrolled)
Severity/Risk: Minor
Versions affected: 3.1, 3.0 to 3.0.4, 2.9 to 2.9.6, 2.8 to 2.8.12
Versions fixed: 3.1.1, 3.0.5 and 2.9.7
Reported by: Stuart R Mealor
Issue no.: MDL-53431
CVE identifier: CVE-2016-5014
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53431
Picture of Marina Glancy
MSA-16-0020: Text injection in email headers
 
Description: By changing own name user can inject arbitrary email addresses in the emails that moodle sends to him/her. This can be used to send spam when moodle emails user content such as messages and forum posts. It can only be exploited by registered users and very easy to trace and find the attacker.
Issue summary: User firstname/lastname not sanitized when sending emails
Severity/Risk: Minor
Versions affected: 3.1, 3.0 to 3.0.4, 2.9 to 2.9.6, 2.8 to 2.8.12, 2.7 to 2.7.14 and earlier unsupported versions
Versions fixed: 3.1.1, 3.0.5, 2.9.7 and 2.7.15
Reported by: Pierre Guinoiseau
Issue no.: MDL-55069
Workaround: Temporary prohibit users from editing their first and last names until the fix is applied
CVE identifier: CVE-2016-5013
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-55069
Picture of Marina Glancy
MSA-16-0019: Glossary search displays entries without checking user permissions to view them
 
Description: When searching in a glossary entries from other glossaries could be displayed, including the modules and courses that user can not access
Issue summary: Possible to see glossary entries in courses you are not enrolled in
Severity/Risk: Minor
Versions affected: 3.1
Versions fixed: 3.1.1
Reported by: Mary Cooch
Issue no.: MDL-54844
CVE identifier: CVE-2016-5012
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-54844
Picture of Marina Glancy
MSA-16-0018: CSRF in script marking forum posts as read
 
Description: CSRF possible in the URL that marks forum posts as read
Issue summary: Forum markposts.php missing sesskey check
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed: 3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by: Andrew Nicols
Issue no.: MDL-53755
CVE identifier: CVE-2016-3734
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53755
Picture of Marina Glancy
MSA-16-0017: Course idnumber not protected from teacher restore
 
Description: During the course restore teacher could overwrite idnumber even without having the capability to change it
Issue summary: Course idnumber not protected from teacher restore
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed: 3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by: Donna Hrynkiw
Issue no.: MDL-51369
CVE identifier: CVE-2016-3733
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51369
Picture of Marina Glancy
MSA-16-0016: User can view badges of other users without proper permissions
 
Description: Capability check to view other badges was performed for the current user instead for the user whose badges are being viewed
Issue summary: Badges code checks viewotherbadges capability in the wrong context
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed: 3.0.4, 2.9.6 and 2.8.12
Reported by: Tim Hunt
Issue no.: MDL-53589
CVE identifier: CVE-2016-3732
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53589
Picture of Marina Glancy
MSA-16-0015: Information disclosure of hidden forum names and sub-names.
 
Description: Name of the inaccessible forum or forum discussion could be disclosed as part of the error message on the subscription page
Issue summary: Information disclosure of hidden forum names and sub-names.
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5 and 2.8 to 2.8.11
Versions fixed: 3.0.4, 2.9.6 and 2.8.12
Reported by: Callum Carney
Issue no.: MDL-53696
CVE identifier: CVE-2016-3731
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53696
Picture of Marina Glancy
MSA-16-0014
 

This issue has been withdrawn from the security release already after both Moodle and CVE identifiers have been assigned.

Picture of Marina Glancy
MSA-16-0013: Users are able to change profile fields that were locked by the administrator
 
Description: User editing form only disabled the profile fields in UI and did not actually prevent users from editing them
Issue summary: Tricky users can change locked profile fields
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed: 3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by: Vadim Dvorovenko
Issue no.: MDL-53954
CVE identifier: CVE-2016-3729
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53954