Security Announcements

Picture of Marina Glancy
MSA-15-0025: Capability to manage own files is not respected in Web Services
 
Description: Users with the revoked capability 'moodle/user:manageownfiles' are still able to upload private files using deprecated function in Web Services
Issue summary: Users with the manageownfiles disabled are able to upload private files via Web Services
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Juan Leyva
Issue no.: MDL-49994
CVE identifier: CVE-2015-3181
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49994
Picture of Marina Glancy
MSA-15-0024: User with suspended enrolment can see sections in the navigation tree
 
Description: If a user is enrolled in the course but his enrollment is suspended, they can not access the course but still were able to see course structure in the navigation block
Issue summary: User with suspended enrolment can see sections in the navigation tree
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Alex Mitin
Issue no.: MDL-49788
CVE identifier: CVE-2015-3180
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49788
Picture of Marina Glancy
MSA-15-0023: Suspended user is able to login when confirming email
 
Description: When self-registration is enabled and user's account was suspended after creating account but before actually confirming it, user is still able to login when confirming email but only once.
Issue summary: Suspended user is able to login when confirming email
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Marina Glancy
Issue no.: MDL-50090
CVE identifier: CVE-2015-3179
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50090
Picture of Marina Glancy
MSA-15-0022: Potential XSS risk when returning text entered by student from Web Services
 
Description: If user who is not XSS-trusted attempts to insert the XSS as part of the input text, it will be cleaned when displayed on Moodle website but may be displayed uncleaned in the external application
Issue summary: external_format_text() cleans and formats text incorrectly
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Eloy Lafuente
Issue no.: MDL-49718
CVE identifier: CVE-2015-3178
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49718
Picture of Marina Glancy
MSA-15-0021: Any authenticated user can subscribe to site-wide event monitor rules
 
Description: If the site-wide rules exist in the event monitor tool, any user can subscribe themselves to them and potentially access information they are not supposed to see.
Issue summary: Any authenticated user can subscribe to site wide event monitor rules
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.5
Versions fixed: 2.9 and 2.8.6
Reported by: Adrian Greeve
Issue no.: MDL-50039
Workaround: Do not use site-wide rules until your site is upgraded
CVE identifier: CVE-2015-3177
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50039
Picture of Marina Glancy
MSA-15-0020: User fullname disclosure through account confirmation link
 
Description: On the sites with enabled self-registration not registered users can retrieve fullname of registered users knowing their usernames
Issue summary: User fullname disclosure through account confirmation link
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Federico Kirschbaum
Issue no.: MDL-50099
Workaround: Even partial patch (removing one line in /login/confirm.php) will also resolve security issue
CVE identifier: CVE-2015-3176
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50099
Picture of Marina Glancy
MSA-15-0019: Possible phishing when redirecting to external site using referer header
 
Description: Some error messages in Moodle display button to return to previous page. Redirecting to non-local referer should not be allowed as it can potentially be used for phising.
Issue summary: get_referer() used with redirect() can be insecure
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Dingjie Yang
Issue no.: MDL-49179
CVE identifier: CVE-2015-3175
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49179
Picture of Marina Glancy
MSA-15-0018: Quiz manual-grading is an XSS risk, but does not declare that
 
Description: Leaving gradebook feedback is a trusted action and such capabilities in other modules already have XSS mask, 'mod/quiz:grade' was missing this flag.
Issue summary: Quiz manual-grading is an XSS risk, but does not declare that
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions
Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by: Hugh Davenport
Issue no.: MDL-49941
CVE identifier: CVE-2015-3174
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49941
Picture of Marina Glancy
MSA-15-0017: XSS in quiz statistics report
 
Description: Quiz statistics report did not properly escape student responses and could be used for XSS attack
Issue summary: XSS in quiz statistics report
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier unsupported versions
Versions fixed: 2.8.4, 2.7.6 and 2.6.9
Reported by: Tim Hunt
Issue no.: MDL-49364
CVE identifier: CVE-2015-2273
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49364
Picture of Marina Glancy
MSA-15-0016: Web services token can be created for user with temporary password
 
Description: Even when user's password is forced to be changed on login, user could still use it for authentication in order to create the web service token and therefore extend the life of the temporary password via web services.
Issue summary: login/token.php does not check if auth_forcepasswordchange is on for the user
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier unsupported versions
Versions fixed: 2.8.4, 2.7.6 and 2.6.9
Reported by: Juan Leyva
Issue no.: MDL-48691
CVE identifier: CVE-2015-2272
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48691