Security announcements

Picture of Marina Glancy
MSA-17-0016: Authentication bypass vulnerability with old CAS servers
 

Old CAS servers (3.3.5.1 or 3.4.2.1, both released Jul 21, 2010) do not escape the failure message which could be exploited with the phpCAS client library that is shipped as part of Moodle. Only fix for this issue was picked to phpCAS library in Moodle, the library will be upgraded to the latest version in the next major Moodle release. See also https://github.com/Jasig/phpCAS/issues/228


Severity/Risk: Minor
Versions affected: 3.3, 3.2 to 3.2.3, 3.1 to 3.1.6 and earlier unsupported versions
Versions fixed: 3.3.1, 3.2.4 and 3.1.7
Reported by: ngocdh
CVE identifier: CVE-2017-1000071 (requested by phpCAS)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59456
Tracker issue: MDL-59456 Authentication bypass vulnerability on phpCAS library
 
Picture of Marina Glancy
MSA-17-0015: Course creators are able to change system default settings for courses
 

Insufficient permission check in "Site administration" tree allows users who have permission to access one page in the tree to change other settings.


Severity/Risk: Minor
Versions affected: 3.3, 3.2 to 3.2.3, 3.1 to 3.1.6 and earlier unsupported versions
Versions fixed: 3.3.1, 3.2.4 and 3.1.7
Reported by: Thomas Jaisson
CVE identifier: CVE-2017-7532
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59409
Tracker issue: MDL-59409 Course creators are able to change system default settings for courses
 
Picture of Marina Glancy
MSA-17-0014: Course overview block reveals activities in hidden courses
 

Timeline view of the new course overview block can show events for activities that user can not yet access because the course is hidden.


Severity/Risk: Minor
Versions affected: 3.3
Versions fixed: 3.3.1
Reported by: Charles Fulton
CVE identifier: CVE-2017-7531
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59304
Tracker issue: MDL-59304 Course overview block reveals activities in hidden courses
 
Picture of Marina Glancy
MSA-17-0006: User fullname disclosure on user preferences page
 

Some pages show full names of users as part of the permission error message even for users who do not have capability to view full names


Severity/Risk: Minor
Versions affected: 3.3, 3.2 to 3.2.3, 3.1 to 3.1.6 and earlier unsupported versions
Versions fixed: 3.3.1, 3.2.4 and 3.1.7
Reported by: Andreas Grabs
CVE identifier: CVE-2017-2642
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56565
Tracker issue: MDL-56565 User fullname disclosure on user preferences page
 
Picture of Marina Glancy
MSA-17-0013: Missing permission check when adding forum post attachments in Web Services
 

Users without capability to add attachment to forum posts were able to do it via Web Services. This Web Service is used in mobile app.


Severity/Risk: Minor
Versions affected: 3.2 to 3.2.2 and 3.1 to 3.1.5
Versions fixed: 3.2.3 and 3.1.6
Reported by: Juan Leyva
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58259
Tracker issue: MDL-58259 Forum post Web Services should check if the user has permissions to add attachments
 
Picture of Marina Glancy
MSA-17-0012: CSRF in number of courses displayed in the course overview block
 

The link changing user preference of how many courses to see in their course overview block was not protected against CSRF. This represents a minor security issue since it can't be exploited for anybody's benefit, only to create confusions


Severity/Risk: Minor
Versions affected: 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to 2.7.19 and other unsupported versions
Versions fixed: 3.2.3, 3.1.6, 3.0.10 and 2.7.20
Reported by: Lukas Schmidt
CVE identifier: CVE-2017-7491
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58740
Tracker issue: MDL-58740 CSRF on my/index.php
 
Picture of Marina Glancy
MSA-17-0011: Searching of blogs possible without capability to do it
 

Capability to search blogs was not checked properly resulting in users being able to search blogs without permission


Severity/Risk: Minor
Versions affected: 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to 2.7.19 and other unsupported versions
Versions fixed: 3.2.3, 3.1.6, 3.0.10 and 2.7.20
Reported by: Daniel Kosinski
CVE identifier: CVE-2017-7490
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58670
Tracker issue: MDL-58670 Users can search blogs by typing full url in address bar even with capability moodle/blog:search removed from their role
 
Picture of Marina Glancy
MSA-17-0010: External blog editing takeover
 

User could edit somebody else's external blog link. The ownership of the blog would be changed to the current user, therefore compromising other people was not possible


Severity/Risk: Minor
Versions affected: 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to 2.7.19 and other unsupported versions
Versions fixed: 3.2.3, 3.1.6, 3.0.10 and 2.7.20
Reported by: Vuk Ivanovic
CVE identifier: CVE-2017-7489
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58635
Tracker issue: MDL-58635 External blog editing takeover
 
Picture of Marina Glancy
MSA-17-0009: XSS in attachments to evidence of prior learning
 
Description: Serving files attached to evidence of prior learning did not force download. When viewed by other users they would be opened in current moodle sessions
Issue summary: XSS in attachments to evidence of prior learning
Severity/Risk: Serious
Versions affected: 3.2 to 3.2.1 and 3.1 to 3.1.4
Versions fixed: 3.2.2 and 3.1.5
Reported by: wez3
Issue no.: MDL-57597
CVE identifier: CVE-2017-2645
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57597
 
Picture of Marina Glancy
MSA-17-0008: XSS in evidence of prior learning
 
Description: Registered user could submit evidence of prior learning that includes XSS that will be executed for another user who tried to edit the same evidence
Issue summary: XSS in evidence of prior learning
Severity/Risk: Minor
Versions affected: 3.2 to 3.2.1 and 3.1 to 3.1.4
Versions fixed: 3.2.2 and 3.1.5
Reported by: Jaymark Pestaño
Issue no.: MDL-57596
CVE identifier: CVE-2017-2644
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57596