| Description: | It is possible to read a system file by trying to include it in boost theme preset. This can only be exploited by moodle admins and only potentially dangerous in developer debugging mode. |
| Issue summary: | System file inclusion when adding own preset file (Boost theme) |
| Severity/Risk: | Minor |
| Versions affected: | 3.2 |
| Versions fixed: | 3.2.1 |
| Reported by: | Frédéric Massart |
| Issue no.: | MDL-56992 |
| Workaround: | Define $CFG->debugdisplay=0; and $CFG->debug=0; in config.php until the fix is applied |
| CVE identifier: | - |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56992 |
Security announcements
MSA-16-0026: When debugging is enabled, error exceptions returned from webservices could contain private data.
| Description: | Hopefully production sites never have debugging mode enabled and this is more of an improvement limiting the information returned in web services error messages. |
| Issue summary: | When debugging is enabled, error exceptions returned from webservices could contain private data. |
| Severity/Risk: | Serious |
| Versions affected: | 3.1 to 3.1.2, 3.0 to 3.0.6 and 2.9 to 2.9.8 |
| Versions fixed: | 3.1.3, 3.0.7 and 2.9.9 |
| Reported by: | Damyon Wiese |
| Issue no.: | MDL-56268 |
| CVE identifier: | none (this issue does not qualify for CVE) |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56268 |
MSA-16-0025: Capability to view course notes is checked in the wrong context
| Description: | Incorrect capability check may have allowed users to view course notes when they had site-wide permission which was revoked inside a course |
| Issue summary: | Notes has_capability check not called for correct context |
| Severity/Risk: | Minor |
| Versions affected: | 3.1 to 3.1.2, 3.0 to 3.0.6, 2.9 to 2.9.8, 2.8 to 2.8.12, 2.7 to 2.7.16 and earlier unsupported versions |
| Versions fixed: | 3.1.3, 3.0.7, 2.9.9 and 2.7.17 |
| Reported by: | Andrew Nicols |
| Issue no.: | MDL-51347 |
| CVE identifier: | CVE-2016-8644 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51347 |
MSA-16-0024: Non-admin site managers may accidentally edit admins via web services
| Description: | Normally in Moodle web interface non-admin users with capability to edit other users can not edit information about admins, this was not respected in one of the web services. This can only be a security vulnerability if this WS was exposed to some external service; it is not exposed to the mobile app |
| Issue summary: | Prevent some users to be updated by update_users ws |
| Severity/Risk: | Minor |
| Versions affected: | 3.1 to 3.1.2, 3.0 to 3.0.6, 2.9 to 2.9.8, 2.8 to 2.8.12, 2.7 to 2.7.16 and earlier unsupported versions |
| Versions fixed: | 3.1.3, 3.0.7, 2.9.9 and 2.7.17 |
| Reported by: | Juan Leyva |
| Issue no.: | MDL-56065 |
| CVE identifier: | CVE-2016-8643 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56065 |
MSA-16-0023: Question engine allows access to files that should not be available
| Description: | User can guess URL of the file embedded in a question that they are not able to access and download it using identificator of a question they can access |
| Issue summary: | Question engine allows access to files that I should not be able to view |
| Severity/Risk: | Minor |
| Versions affected: | 3.1 to 3.1.2, 3.0 to 3.0.6, 2.9 to 2.9.8, 2.8 to 2.8.12, 2.7 to 2.7.16 and earlier unsupported versions |
| Versions fixed: | 3.1.3, 3.0.7, 2.9.9 and 2.7.17 |
| Reported by: | Martin Gauk |
| Issue no.: | MDL-53744 |
| CVE identifier: | CVE-2016-8642 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53744 |
MSA-16-0022: Web service tokens should be invalidated when the user password is changed or forced to be changed
| Description: | Access to mobile app using the old web service token should be revoked if the user changes the password |
| Issue summary: | Users tokens should be invalidated when the user password is changed (or forced to) |
| Severity/Risk: | Minor |
| Versions affected: | 3.1 to 3.1.1, 3.0 to 3.0.5, 2.9 to 2.9.7, 2.8 to 2.8.12, 2.7 to 2.7.15 and earlier unsupported versions |
| Versions fixed: | 3.1.2, 3.0.6, 2.9.8 and 2.7.16 |
| Reported by: | Juan Leyva |
| Issue no.: | MDL-49026 |
| CVE identifier: | CVE-2016-7038 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49026 |
MSA-16-0021: Unenrolled user still receives event monitor notifications even though they can no longer access course
| Description: | Event monitor tool checked access to the course or activity only when subscription was created but did not re-evaluate it when sending notifications. This can result in unenrolled user receiving notifications with information they no longer can access. |
| Issue summary: | Event monitor notifications do not check user access to the course/activity (for example after teacher has been unenrolled) |
| Severity/Risk: | Minor |
| Versions affected: | 3.1, 3.0 to 3.0.4, 2.9 to 2.9.6, 2.8 to 2.8.12 |
| Versions fixed: | 3.1.1, 3.0.5 and 2.9.7 |
| Reported by: | Stuart R Mealor |
| Issue no.: | MDL-53431 |
| CVE identifier: | CVE-2016-5014 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53431 |
MSA-16-0020: Text injection in email headers
| Description: | By changing own name user can inject arbitrary email addresses in the emails that moodle sends to him/her. This can be used to send spam when moodle emails user content such as messages and forum posts. It can only be exploited by registered users and very easy to trace and find the attacker. |
| Issue summary: | User firstname/lastname not sanitized when sending emails |
| Severity/Risk: | Minor |
| Versions affected: | 3.1, 3.0 to 3.0.4, 2.9 to 2.9.6, 2.8 to 2.8.12, 2.7 to 2.7.14 and earlier unsupported versions |
| Versions fixed: | 3.1.1, 3.0.5, 2.9.7 and 2.7.15 |
| Reported by: | Pierre Guinoiseau |
| Issue no.: | MDL-55069 |
| Workaround: | Temporary prohibit users from editing their first and last names until the fix is applied |
| CVE identifier: | CVE-2016-5013 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-55069 |
MSA-16-0019: Glossary search displays entries without checking user permissions to view them
| Description: | When searching in a glossary entries from other glossaries could be displayed, including the modules and courses that user can not access |
| Issue summary: | Possible to see glossary entries in courses you are not enrolled in |
| Severity/Risk: | Minor |
| Versions affected: | 3.1 |
| Versions fixed: | 3.1.1 |
| Reported by: | Mary Cooch |
| Issue no.: | MDL-54844 |
| CVE identifier: | CVE-2016-5012 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-54844 |
MSA-16-0018: CSRF in script marking forum posts as read
| Description: | CSRF possible in the URL that marks forum posts as read |
| Issue summary: | Forum markposts.php missing sesskey check |
| Severity/Risk: | Minor |
| Versions affected: | 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions |
| Versions fixed: | 3.0.4, 2.9.6, 2.8.12 and 2.7.14 |
| Reported by: | Andrew Nicols |
| Issue no.: | MDL-53755 |
| CVE identifier: | CVE-2016-3734 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53755 |