Security announcements

MSA-18-0012: Portfolio script allows instantiation of class chosen by user
 

By substituting the URL in portfolios, users can instantiate any class; this can also be exploited by users who are logged in as guests to mount a DDoS attack.


Severity/Risk: Serious
Versions affected: 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions
Versions fixed: 3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12
Reported by: Brendan Cox
Workaround: Disable portfolios until the fix is applied. Portfolios are disabled by default in Moodle
CVE identifier: CVE-2018-1137
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62233
Tracker issue: MDL-62233 Portfolio script allows instantiation of class chosen by user
 
MSA-18-0011: User who did not agree to the site policies can see the site homepage as if they had full site access
 

Agreement to the site policies is not checked for logged-in users who browse the front page and the activities on it.


Severity/Risk: Minor
Versions affected: 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions
Versions fixed: 3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12
Reported by: Marina Glancy
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61996
Tracker issue: MDL-61996 User who did not agree to the site policies can see the site homepage as if they had full site access
 
MSA-18-0010: User can shift a block from Dashboard to any page
 

Authenticated users are allowed to add HTML blocks containing scripts to their Dashboard. This is normally not a security issue because the personal dashboard is visible only to that user. Through this vulnerability, users can move such a block to other pages where it can be viewed by other users.


Severity/Risk: Serious
Versions affected: 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions
Versions fixed: 3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12
Reported by: Brendan Cox
Workaround: Prohibit capability 'moodle/my:manageblocks' from Authenticated user role until the fix is applied
CVE identifier: CVE-2018-1136
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62206
Tracker issue: MDL-62206 User can shift a block from Dashboard to any page
 
MSA-18-0009: Portfolio forum caller class allows a user to download any file
 

Students who posted on a forum and exported the post to a portfolio can download any stored Moodle file by changing the download URL.


Severity/Risk: Minor
Versions affected: 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions
Versions fixed: 3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12
Reported by: Brendan Cox
Workaround: Disable portfolios until the fix is applied. Portfolios are disabled by default in Moodle
CVE identifier: CVE-2018-1135
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62232
Tracker issue: MDL-62232 Portfolio forum caller class allows a user to download any file
 
MSA-18-0008: Users can download any file via portfolio assignment caller class
 

Students who submitted an assignment and exported it to a portfolio can download any stored Moodle file by changing the download URL.


Severity/Risk: Minor
Versions affected: 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions
Versions fixed: 3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12
Reported by: Brendan Cox
Workaround: Disable portfolios until the fix is applied. Portfolios are disabled by default in Moodle
CVE identifier: CVE-2018-1134
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62210
Tracker issue: MDL-62210 Users can download any file via portfolio assignment caller class
 
MSA-18-0007: Calculated question type allows remote code execution by Question authors
 

A teacher creating a Calculated question can intentionally cause remote code execution on the server.


Severity/Risk: Serious
Versions affected: 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions
Versions fixed: 3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12
Reported by: Robin Peraglie
CVE identifier: CVE-2018-1133
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62275
Tracker issue: MDL-62275, MDL-62469 Calculated question type allows remote code execution by Question authors
 
MSA-18-0006: Suspended users with OAuth 2 authentication method can still log in to the site
 

If a user account using the OAuth 2 authentication method was once confirmed but later suspended, the user could still log in to the site.


Severity/Risk: Minor
Versions affected: 3.4 to 3.4.1, 3.3 to 3.3.4
Versions fixed: 3.4.2 and 3.3.5
Reported by: Helen Foster
CVE identifier: CVE-2018-1082
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-60101
Tracker issue: MDL-60101 Suspended users with OAuth 2 authentication method can still log in to the site
 
MSA-18-0005: Unauthenticated users can trigger custom messages to admin via paypal enrol script
 

The PayPal IPN callback script should only send error emails to the admin after the request origin has been verified; otherwise the admin email address can be spammed.


Severity/Risk: Serious
Versions affected: 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions
Versions fixed: 3.4.2, 3.3.5, 3.2.8 and 3.1.11
Reported by: Brendan Cox
CVE identifier: CVE-2018-1081
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61392
Tracker issue: MDL-61392 Unauthenticated users can trigger custom messages to admin via paypal enrol script
 
MSA-18-0004: XSS in calendar event name
 

It is possible to inject JavaScript into the event name in the calendar block. Normally the capability to create events is only given to trusted users (such as teachers); however, that capability is not marked as having XSS risk, so this is considered a security issue.


Severity/Risk: Minor
Versions affected: 3.3 to 3.3.3, 3.2 to 3.2.6, 3.1 to 3.1.9 and earlier unsupported versions
Versions fixed: 3.3.4, 3.2.7 and 3.1.10
Reported by: Rubens Brandao
CVE identifier: CVE-2018-1045
Changes (3.3): https://git.moodle.org/gw?p=moodle.git&a=search&h=MOODLE_33_STABLE&st=commit&s=MDL-60235
Tracker issue: MDL-60235 XSS in event name in block_calendar
 
MSA-18-0003: Privilege escalation in quiz web services
 

Quiz web services allow students to see quiz results even when this is prohibited in the settings. This web service is used by the mobile app.


Severity/Risk: Minor
Versions affected: 3.4, 3.3 to 3.3.3, 3.2 to 3.2.6 and 3.1 to 3.1.9
Versions fixed: 3.4.1, 3.3.4, 3.2.7 and 3.1.10
Reported by: Chirine Nassar
CVE identifier: CVE-2018-1044
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-60908
Tracker issue: MDL-60908 Students are able to see quiz results in Mobile app although it is prohibited in the settings