Security Announcements

Picture of Marina Glancy
MSA-16-0021: Unenrolled user still receives event monitor notifications even though they can no longer access course
 
Description: Event monitor tool checked access to the course or activity only when subscription was created but did not re-evaluate it when sending notifications. This can result in unenrolled user receiving notifications with information they no longer can access.
Issue summary: Event monitor notifications do not check user access to the course/activity (for example after teacher has been unenrolled)
Severity/Risk: Minor
Versions affected: 3.1, 3.0 to 3.0.4, 2.9 to 2.9.6, 2.8 to 2.8.12
Versions fixed: 3.1.1, 3.0.5 and 2.9.7
Reported by: Stuart R Mealor
Issue no.: MDL-53431
CVE identifier: CVE-2016-5014
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53431
Picture of Marina Glancy
MSA-16-0020: Text injection in email headers
 
Description: By changing own name user can inject arbitrary email addresses in the emails that moodle sends to him/her. This can be used to send spam when moodle emails user content such as messages and forum posts. It can only be exploited by registered users and very easy to trace and find the attacker.
Issue summary: User firstname/lastname not sanitized when sending emails
Severity/Risk: Minor
Versions affected: 3.1, 3.0 to 3.0.4, 2.9 to 2.9.6, 2.8 to 2.8.12, 2.7 to 2.7.14 and earlier unsupported versions
Versions fixed: 3.1.1, 3.0.5, 2.9.7 and 2.7.15
Reported by: Pierre Guinoiseau
Issue no.: MDL-55069
Workaround: Temporary prohibit users from editing their first and last names until the fix is applied
CVE identifier: CVE-2016-5013
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-55069
Picture of Marina Glancy
MSA-16-0019: Glossary search displays entries without checking user permissions to view them
 
Description: When searching in a glossary entries from other glossaries could be displayed, including the modules and courses that user can not access
Issue summary: Possible to see glossary entries in courses you are not enrolled in
Severity/Risk: Minor
Versions affected: 3.1
Versions fixed: 3.1.1
Reported by: Mary Cooch
Issue no.: MDL-54844
CVE identifier: CVE-2016-5012
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-54844
Picture of Marina Glancy
MSA-16-0018: CSRF in script marking forum posts as read
 
Description: CSRF possible in the URL that marks forum posts as read
Issue summary: Forum markposts.php missing sesskey check
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed: 3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by: Andrew Nicols
Issue no.: MDL-53755
CVE identifier: CVE-2016-3734
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53755
Picture of Marina Glancy
MSA-16-0017: Course idnumber not protected from teacher restore
 
Description: During the course restore teacher could overwrite idnumber even without having the capability to change it
Issue summary: Course idnumber not protected from teacher restore
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed: 3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by: Donna Hrynkiw
Issue no.: MDL-51369
CVE identifier: CVE-2016-3733
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51369
Picture of Marina Glancy
MSA-16-0016: User can view badges of other users without proper permissions
 
Description: Capability check to view other badges was performed for the current user instead for the user whose badges are being viewed
Issue summary: Badges code checks viewotherbadges capability in the wrong context
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed: 3.0.4, 2.9.6 and 2.8.12
Reported by: Tim Hunt
Issue no.: MDL-53589
CVE identifier: CVE-2016-3732
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53589
Picture of Marina Glancy
MSA-16-0015: Information disclosure of hidden forum names and sub-names.
 
Description: Name of the inaccessible forum or forum discussion could be disclosed as part of the error message on the subscription page
Issue summary: Information disclosure of hidden forum names and sub-names.
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5 and 2.8 to 2.8.11
Versions fixed: 3.0.4, 2.9.6 and 2.8.12
Reported by: Callum Carney
Issue no.: MDL-53696
CVE identifier: CVE-2016-3731
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53696
Picture of Marina Glancy
MSA-16-0014
 

This issue has been withdrawn from the security release already after both Moodle and CVE identifiers have been assigned.

Picture of Marina Glancy
MSA-16-0013: Users are able to change profile fields that were locked by the administrator
 
Description: User editing form only disabled the profile fields in UI and did not actually prevent users from editing them
Issue summary: Tricky users can change locked profile fields
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed: 3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by: Vadim Dvorovenko
Issue no.: MDL-53954
CVE identifier: CVE-2016-3729
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53954
Picture of Marina Glancy
MSA-16-0012: External function mod_assign_save_submission does not check due dates
 
Description: Students were able to add assignment submissions after the due date through web service
Issue summary: External function mod_assign_save_submission does not check due dates
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Juan Leyva
Issue no.: MDL-52901
CVE identifier: CVE-2016-2159
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52901