Security announcements

by Marina Glancy - Monday, November 16, 2015, 12:14 PM

Description:	Insufficient settings check when messaging another user opens spam possibility
Issue summary:	Users who are not in contact list still can send messages though it is blocked in preferences
Severity/Risk:	Minor
Versions affected:	2.9 to 2.9.2
Versions fixed:	2.9.3
Reported by:	Pavel Sokolov
Issue no.:	MDL-50426
CVE identifier:	CVE-2015-5331
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50426

by Marina Glancy - Monday, September 21, 2015, 9:46 AM

Description:	Capability to manage groups does not have XSS risk, however it was possible to add XSS to the grouping description
Issue summary:	XSS in grouping description
Severity/Risk:	Minor
Versions affected:	2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier unsupported versions
Versions fixed:	2.9.2, 2.8.8 and 2.7.10
Reported by:	Marina Glancy
Issue no.:	MDL-50709
CVE identifier:	CVE-2015-5269
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50709

by Marina Glancy - Monday, September 21, 2015, 9:45 AM

Description:	When viewing ratings the group access was not properly checked allowing users from other groups to view ratings
Issue summary:	Rating component does not check separate groups
Severity/Risk:	Minor
Versions affected:	2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier unsupported versions
Versions fixed:	2.9.2, 2.8.8 and 2.7.10
Reported by:	Juan Leyva
Issue no.:	MDL-50173
CVE identifier:	CVE-2015-5268
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50173

by Marina Glancy - Monday, September 21, 2015, 9:44 AM

Description:	Password recovery token can be guessed because of php randomisation limitations
Issue summary:	Vulnerability in password recovery mechanism
Severity/Risk:	Serious
Versions affected:	2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier unsupported versions
Versions fixed:	2.9.2, 2.8.8 and 2.7.10
Reported by:	Vincent Herbulot (@us3r777)
Issue no.:	MDL-50860
CVE identifier:	CVE-2015-5267
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50860

by Marina Glancy - Monday, September 21, 2015, 9:43 AM

Description:	On large installations, when sync script takes a long time, suspended students may get assigned a manager role in meta course for several minutes
Issue summary:	Meta course sync enroling suspended students as managers and causing large database growth
Severity/Risk:	Minor
Versions affected:	2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier unsupported versions
Versions fixed:	2.9.2, 2.8.8 and 2.7.10
Reported by:	Brian Winstead
Issue no.:	MDL-50744
CVE identifier:	CVE-2015-5266
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50744

by Marina Glancy - Monday, September 21, 2015, 9:42 AM

Description:	Users can delete files uploaded by other users in wiki without capability to manage files
Issue summary:	Disable free access to the file manager in the wiki via the text editor.
Severity/Risk:	Minor
Versions affected:	2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier unsupported versions
Versions fixed:	2.9.2, 2.8.8 and 2.7.10
Reported by:	John Provasnik
Issue no.:	MDL-48371
CVE identifier:	CVE-2015-5265
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48371

by Marina Glancy - Monday, September 21, 2015, 9:38 AM

Description:	Group access is not properly checked when posting to "all participants" in forum
Issue summary:	Teacher without accessallgroups can still post to "all participants" and groups they're not members of
Severity/Risk:	Minor
Versions affected:	2.7 to 2.7.9 and earlier unsupported versions
Versions fixed:	2.7.10
Reported by:	David Scotson
Issue no.:	MDL-50576
CVE identifier:	CVE-2015-5272
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50576

by Marina Glancy - Monday, September 21, 2015, 9:36 AM

Description:	Completed and graded lesson activity was not protected against making new attempt to answer some questions
Issue summary:	Students can re-attempt answering questions in the lesson
Severity/Risk:	Minor
Versions affected:	2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier unsupported versions
Versions fixed:	2.9.2, 2.8.8 and 2.7.10
Reported by:	Eric Eakin
Issue no.:	MDL-50516
CVE identifier:	CVE-2015-5264
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50516

by Marina Glancy - Monday, July 13, 2015, 8:31 AM

Description:	Penetration test discovered possible Javascript injection in SCORM module
Issue summary:	Inadequate JavaScript Handling in SCORM
Severity/Risk:	Minor
Versions affected:	2.9, 2.8 to 2.8.6, 2.7 to 2.7.8 and earlier unsupported versions
Versions fixed:	2.9.1, 2.8.7 and 2.7.9
Reported by:	Martin Greenaway
Issue no.:	MDL-50614
CVE identifier:	CVE-2015-3275
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50614

by Marina Glancy - Monday, July 13, 2015, 8:29 AM

Description:	Several web services returning user information did not clean text in text custom profile fields
Issue summary:	Custom profile fields (textarea) are not passed through external_format_text when returned by several web services
Severity/Risk:	Minor
Versions affected:	2.9, 2.8 to 2.8.6, 2.7 to 2.7.8 and earlier unsupported versions
Versions fixed:	2.9.1, 2.8.7 and 2.7.9
Reported by:	Marina Glancy
Issue no.:	MDL-50130
CVE identifier:	CVE-2015-3274
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50130