Security announcements

MSA-19-0012: Private files uploaded via incoming mail processing could bypass quota restrictions

by Michael Hawkins -

The size of users' private file uploads via email was not correctly checked, so a user's quota allowance could be exceeded.


Severity/Risk: Minor
Versions affected: 3.6 to 3.6.3, 3.5 to 3.5.5, 3.4 to 3.4.8, 3.1 to 3.1.17 and earlier unsupported versions
Versions fixed: 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18
Reported by: Guillermo Leon Alvarez Salamanca
Workaround: Disable the "Email to Private files" message handler until the fix is applied. This is disabled by default in Moodle.
CVE identifier: CVE-2019-10134
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61738
Tracker issue: MDL-61738 Private files uploaded via incoming mail processing could bypass quota restrictions

MSA-19-0011: Open redirect in upload cohorts page

by Michael Hawkins -

The form to upload cohorts contained a redirect field whose value was not restricted to internal URLs, so a crafted link to the page could send a user on to an arbitrary external site.


Severity/Risk: Minor
Versions affected: 3.6 to 3.6.3, 3.5 to 3.5.5, 3.4 to 3.4.8, 3.1 to 3.1.17 and earlier unsupported versions
Versions fixed: 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18
Reported by: Lindon Wass
CVE identifier: CVE-2019-10133
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64708
Tracker issue: MDL-64708 Open redirect in upload cohorts page
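The check that an open-redirect fix needs, as an added example in PHP; this is not Moodle's own code (Moodle's own handling, including its PARAM_LOCALURL parameter type, is not reproduced here). It accepts a redirect target only if it is a site-relative path or an absolute URL on exactly the site's scheme, host and port, and it rejects the usual bypasses (protocol-relative URLs, backslash forms, userinfo tricks, host-suffix look-alikes and scheme downgrades). `$wwwroot` and the sample targets are assumed values, not taken from the advisory.

```php
<?php
// Added example (not Moodle's own code): decide whether a user-supplied
// "return to" URL stays on this site before redirecting to it.
// $wwwroot is assumed to be the site's base URL, as in Moodle's $CFG->wwwroot.

function is_internal_redirect(string $target, string $wwwroot): bool {
    $target = trim($target);
    if ($target === '') {
        return false;
    }
    // Reject control characters and backslashes outright: browsers normalise
    // "/\evil.example" and "\\evil.example" into network-path references.
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $target)) {
        return false;
    }
    // A site-relative path is safe only if it starts with exactly one "/".
    // "//evil.example/x" is a protocol-relative URL pointing off-site.
    if ($target[0] === '/') {
        return !isset($target[1]) || $target[1] !== '/';
    }
    $site = parse_url($wwwroot);
    $url  = parse_url($target);
    if ($site === false || $url === false) {
        return false;
    }
    // Anything without both a scheme and a host is ambiguous
    // ("javascript:...", "evil.example/x"), so refuse it rather than guess.
    if (empty($url['scheme']) || empty($url['host'])) {
        return false;
    }
    // Compare scheme, host and port for equality (case-insensitively for the
    // textual parts). A prefix test on the host would admit
    // "https://lms.example.evil.example"; a host-only test would admit a
    // downgrade to http:// or a different port on the same name.
    $sameScheme = strcasecmp($url['scheme'], $site['scheme'] ?? '') === 0;
    $sameHost   = strcasecmp($url['host'], $site['host'] ?? '') === 0;
    $samePort   = ($url['port'] ?? null) === ($site['port'] ?? null);
    return $sameScheme && $sameHost && $samePort;
}

// Constructed inputs for demonstration, not from the advisory.
$wwwroot = 'https://lms.example';
$cases = [
    '/cohort/index.php?contextid=1'        => true,
    'https://lms.example/cohort/index.php' => true,
    'HTTPS://LMS.EXAMPLE/x'                => true,
    '//evil.example/phish'                 => false,
    '/\evil.example'                       => false,
    'https://lms.example.evil.example/'    => false,
    'https://lms.example@evil.example/'    => false,
    'https://lms.example:8443/'            => false,
    'javascript:alert(1)'                  => false,
    'http://lms.example/'                  => false,
    ''                                     => false,
];
foreach ($cases as $target => $expected) {
    $got = is_internal_redirect($target, $wwwroot);
    printf("%-40s %s\n", $target, $got === $expected ? 'ok' : 'MISMATCH');
}
```

When the check fails, redirect to a fixed internal page (for example the cohorts index) rather than echoing the rejected value back into an error message or a hidden form field.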

MSA-19-0010: All messaging conversations could be viewed

by Michael Hawkins -

A web service fetching messages was not restricted to the current user's conversations.


Severity/Risk: Serious
Versions affected: 3.6 to 3.6.3
Versions fixed: 3.7, 3.6.4
Reported by: Mazen Gamal
Workaround: Disable the messaging system until the fix is applied.
CVE identifier: CVE-2019-10154
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-65365
Tracker issue: MDL-65365 All messaging conversations could be viewed

(Edited 11 June 2019 to update the CVE identifier.)

MSA-19-0009: get_with_capability_join/get_users_by_capability not aware of context freezing

by Michael Hawkins -

get_with_capability_join and get_users_by_capability were not taking context freezing into account when checking user capabilities.


Severity/Risk: Minor
Versions affected: 3.6 to 3.6.2
Versions fixed: 3.6.3
Reported by: Andrew Nicols
CVE identifier: CVE-2019-3852
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64410
Tracker issue: MDL-64410 get_with_capability_join/get_users_by_capability not aware of context freezing

MSA-19-0008: Secure layout contained an insecure link in Boost theme

by Michael Hawkins -

There was a link to the site home within the Boost theme's secure layout, meaning students could navigate out of the page.


Severity/Risk: Minor
Versions affected: 3.6 to 3.6.2 and 3.5 to 3.5.4
Versions fixed: 3.6.3 and 3.5.5
Reported by: Martin von Löwis and Luca Bösch
CVE identifier: CVE-2019-3851
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64706
Tracker issue: MDL-64706 Secure layout contained an insecure link in Boost theme

MSA-19-0007: Stored HTML in assignment submission comments allowed links to be opened directly

by Michael Hawkins -

Links within assignment submission comments would open directly (in the same window). Although the links themselves may be legitimate, opening them in the same window and without a no-referrer policy made them more susceptible to abuse.


Severity/Risk: Minor
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4, 3.4 to 3.4.7, 3.1 to 3.1.16 and earlier unsupported versions
Versions fixed: 3.6.3, 3.5.5, 3.4.8 and 3.1.17
Reported by: Steeven George
CVE identifier: CVE-2019-3850
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64651
Tracker issue: MDL-64651 Stored HTML in assignment submission comments allowed links to be opened directly
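One way to harden links in stored user HTML, as an added example in PHP that is not Moodle's code (Moodle's own text-cleaning pipeline is not reproduced): every anchor with an href is rewritten to open in a new window with rel="noopener noreferrer", so the opened page can neither reach window.opener nor learn the Moodle URL it was opened from. The helper name and the sample comment are assumptions made for this example.

```php
<?php
// Added example (not Moodle's own code): rewrite anchors in user-supplied
// HTML so each link opens in a new window with no opener and no referrer.
// harden_user_links() is a hypothetical helper written for this example.

function harden_user_links(string $html): string {
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // user HTML is rarely well-formed
    // Wrap the fragment in one element so it can be extracted again intact;
    // the XML declaration makes libxml treat the input as UTF-8.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_use_internal_errors($prev);

    foreach ($doc->getElementsByTagName('a') as $a) {
        if (!$a->hasAttribute('href')) {
            continue;                            // a named anchor, not a link
        }
        // _blank keeps the viewer on the Moodle page; noopener stops the new
        // page reaching window.opener; noreferrer withholds the Moodle URL,
        // which may carry course, assignment and user ids in its query string.
        $a->setAttribute('target', '_blank');
        $a->setAttribute('rel', 'noopener noreferrer');
    }

    // Serialise only the children of the wrapper, so no extra markup leaks out.
    $wrapper = $doc->getElementsByTagName('div')->item(0);
    $out = '';
    foreach ($wrapper->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed submission comment for demonstration, not from the advisory.
$comment = '<p>See <a href="https://notes.example/draft">my draft</a> and '
         . '<a name="top">this anchor</a>.</p>';
echo harden_user_links($comment), "\n";
```

This rewriting belongs at output time (or on every save path, including web services), after the HTML has already been cleaned of scripts and event handlers; it complements that cleaning rather than replacing it.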

MSA-19-0006: Users could elevate their role when accessing the LTI tool on a provider site

by Michael Hawkins -

Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site.


Severity/Risk: Serious
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4, 3.4 to 3.4.7 and earlier unsupported versions
Versions fixed: 3.6.3, 3.5.5 and 3.4.8
Reported by: Brendan Cox
CVE identifier: CVE-2019-3849
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62702
Tracker issue: MDL-62702 Users could elevate their role when accessing the LTI tool on a provider site

MSA-19-0005: Logged in users could view all calendar events

by Michael Hawkins -

Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged-in non-guest users could view unauthorised calendar events. (Note: this was read-only access; users could not edit the events.)


Severity/Risk: Serious
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4 and 3.4 to 3.4.7
Versions fixed: 3.6.3, 3.5.5 and 3.4.8
Reported by: Juan Leyva
CVE identifier: CVE-2019-3848
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64830
Tracker issue: MDL-64830 Logged in users could view all calendar events

MSA-19-0004: "Log in as" functionality exposed to JavaScript risk on other users' Dashboards

by Michael Hawkins -

Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf.

Please note that for versions 3.1 and 3.4 only, this fix removes access to other users' Dashboards while using the login-as functionality. Versions 3.5 and 3.6 have additional sanitizing implemented, which allowed the risk to be removed while retaining Dashboard access. If you require access to Dashboards through the login-as feature, we recommend upgrading to Moodle 3.5 or above (noting that 3.1 and 3.4 will also no longer receive security updates after their next releases in May 2019).


Severity/Risk: Serious
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4, 3.4 to 3.4.7, 3.1 to 3.1.16 and earlier unsupported versions
Versions fixed: 3.6.3, 3.5.5, 3.4.8 and 3.1.17
Reported by: Daniel Thatcher
Workaround: Use incognito/private browsing mode when using the "Log in as" functionality, then close the private window before logging back in as your own user, to minimise session or cookie related risks. Alternatively, avoid visiting the Dashboard when logged in as other users until the patch is applied.
CVE identifier: CVE-2019-3847
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-63786
Tracker issue: MDL-63786 "Log in as" functionality exposed to JavaScript risk on other users' Dashboards

MSA-19-0003: User full name is not escaped in the un-linked userpix page

by Michael Hawkins -

The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted.


Severity/Risk: Minor
Versions affected: 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions
Versions fixed: 3.6.2, 3.5.4, 3.4.7 and 3.1.16
Reported by: Fariskhi Vidyan
CVE identifier: CVE-2019-3810
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64372
Tracker issue: MDL-64372 User full name is not escaped in the un-linked userpix page