Security announcements

by Marina Glancy - Monday, January 18, 2016, 11:49 AM

Description:	Web services core_enrol_get_course_enrolment_methods and enrol_self_get_instance_info did not check user permission to access hidden courses
Issue summary:	External functions core_enrol_get_course_enrolment_methods and enrol_self_get_instance_info don't check course visibility
Severity/Risk:	Minor
Versions affected:	3.0 to 3.0.1, 2.9 to 2.9.3, 2.8 to 2.8.9, 2.7 to 2.7.11 and earlier unsupported versions
Versions fixed:	3.0.2, 2.9.4, 2.8.10 and 2.7.12
Reported by:	Juan Leyva
Issue no.:	MDL-52072
CVE identifier:	CVE-2016-0724
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52072

by Marina Glancy - Monday, November 16, 2015, 12:31 PM

Description:	Users can mock URL to delete or submit new responses after the choice module was closed
Issue summary:	Users can delete and submit new responses even when the choice is closed
Severity/Risk:	Minor
Versions affected:	2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed:	2.9.3, 2.8.9 and 2.7.11
Reported by:	Juan Leyva
Issue no.:	MDL-51569
CVE identifier:	CVE-2015-5342
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51569

by Marina Glancy - Monday, November 16, 2015, 12:28 PM

Description:	Incorrect and missing handling of availability dates in mod_scorm let users to view the SCORM contents bypassing the date restriction
Issue summary:	Incorrect and missing handling of availability dates in mod_scorm let users to view the SCORM contents bypassing the date restriction
Severity/Risk:	Minor
Versions affected:	2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed:	2.9.3, 2.8.9 and 2.7.11
Reported by:	Juan Leyva
Issue no.:	MDL-50837
CVE identifier:	CVE-2015-5341
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50837

by Marina Glancy - Monday, November 16, 2015, 12:27 PM

Description:	Logged in users who do not have capability 'View available badges without earning them' can still access the full list of badges
Issue summary:	Capability moodle/badges:viewbadges is not respected
Severity/Risk:	Minor
Versions affected:	2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed:	2.9.3, 2.8.9 and 2.7.11
Reported by:	Marina Glancy
Issue no.:	MDL-51684
CVE identifier:	CVE-2015-5340
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51684

by Marina Glancy - Monday, November 16, 2015, 12:25 PM

Description:	Through WS core_enrol_get_enrolled_users it is possible to retrieve list of course participants who would not be visible when using web site
Issue summary:	core_enrol_get_enrolled_users returns all participants even with separate groups
Severity/Risk:	Minor
Versions affected:	2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed:	2.9.3, 2.8.9 and 2.7.11
Reported by:	Daniel Palou
Issue no.:	MDL-51861
CVE identifier:	CVE-2015-5339
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51861

by Marina Glancy - Monday, November 16, 2015, 12:22 PM

Description:	Password-protected lesson modules are subject to CSRF vulnerability
Issue summary:	CSRF in lesson login form
Severity/Risk:	Minor
Versions affected:	2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed:	2.9.3, 2.8.9 and 2.7.11
Reported by:	Ankit Agarwal
Issue no.:	MDL-48109
CVE identifier:	CVE-2015-5338
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48109

by Marina Glancy - Monday, November 16, 2015, 12:21 PM

Description:	XSS vulnerability caused by Flowplayer flash video player has been addressed
Issue summary:	Flowplayer Reflected XSS
Severity/Risk:	Serious
Versions affected:	2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed:	2.9.3, 2.8.9 and 2.7.11
Reported by:	Andrew Nicols
Issue no.:	MDL-48085
Workaround:	Use HTML5 version of the player in media filter settings
CVE identifier:	CVE-2015-5337
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48085

by Marina Glancy - Monday, November 16, 2015, 12:20 PM

Description:	Standard survey module is vulnerable to XSS attack by students who fill the survey
Issue summary:	Student XSS in survey
Severity/Risk:	Minor
Versions affected:	2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed:	2.9.3, 2.8.9 and 2.7.11
Reported by:	Hugh Davenport
Issue no.:	MDL-49940
CVE identifier:	CVE-2015-5336
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49940

by Marina Glancy - Monday, November 16, 2015, 12:18 PM

Description:	Attacker can send admin a link to site registration form that will display correct URL but, if submitted, will register with another hub
Issue summary:	It is possible to trick a site/admin into sending aggregate stats to an arbitrary domain
Severity/Risk:	Minor
Versions affected:	2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed:	2.9.3, 2.8.9 and 2.7.11
Reported by:	Andrew Davis
Issue no.:	MDL-51091
CVE identifier:	CVE-2015-5335
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51091

by Marina Glancy - Monday, November 16, 2015, 12:15 PM

Description:	If guest access is open on the site, unauthenticated user can create a DDos attack through editor autosave area
Issue summary:	Guests can exploit atto draft to store content
Severity/Risk:	Serious
Versions affected:	2.9 to 2.9.2 and 2.8 to 2.8.8
Versions fixed:	2.9.3 and 2.8.9
Reported by:	Frédéric Massart
Issue no.:	MDL-51000
Workaround:	Disable guest access until the fix is applied
CVE identifier:	CVE-2015-5332
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51000