Security announcements

MSA-19-0024: Assigned Role in Cohort did not un-assign on removal

by Michael Hawkins - Monday, November 18, 2019, 1:15 PM

When a cohort role assignment was removed, the associated capabilites were not being revoked (where applicable).

Severity/Risk:	Minor
Versions affected:	3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions
Versions fixed:	3.7.3, 3.6.7 and 3.5.9
Reported by:	Yusuf Yilmaz, Mick Cassell
CVE identifier:	CVE-2019-14879
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66257
Tracker issue:	MDL-66257 Assigned Role in Cohort did not un-assign on removal

MSA-19-0023: Forum subscribe link contained an open redirect if forced subscription mode was enabled

by Michael Hawkins - Monday, September 16, 2019, 4:34 PM

If a forum's subscription mode was set to "forced subscription", the forum's subscribe link contained an open redirect.

Severity/Risk:	Minor
Versions affected:	3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed:	3.7.2, 3.6.6 and 3.5.8
Reported by:	John Couzins
Workaround:	Set a different subscription mode (eg optional or auto) on forums until the patch is applied.
CVE identifier:	CVE-2019-14831
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-55451
Tracker issue:	MDL-55451 Forum subscribe link contained an open redirect if forced subscription mode was enabled

MSA-19-0022: Open redirect in the mobile launch endpoint could be used to expose mobile access tokens

by Michael Hawkins - Monday, September 16, 2019, 4:27 PM

The mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app").

Severity/Risk:	Serious
Versions affected:	3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed:	3.7.2, 3.6.6 and 3.5.8
Reported by:	Frederik Schou Schmidt
Workaround:	Configure the "Forced URL scheme" (forcedurlscheme) option in site administration to either the app's custom URL scheme, or "moodlemobile" for sites using the standard Moodle app. Alternative workaround options include disabling mobile service (enablemobilewebservice), or changing the mobile app login method (typeoflogin) to "via the app" if possible (instead of via SSO plugin) until the patch is applied.
CVE identifier:	CVE-2019-14830
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66501
Tracker issue:	MDL-66501 Open redirect in the mobile launch endpoint could be used to expose mobile access tokens

MSA-19-0021: Activity :addinstance capabilities were not respected when creating a course in single activity format

by Michael Hawkins - Monday, September 16, 2019, 4:24 PM

Activity creation capabilities were not correctly respected when selecting the activity to use for a course in single activity mode.

Severity/Risk:	Minor
Versions affected:	3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed:	3.7.2, 3.6.6 and 3.5.8
Reported by:	Andrew Nicols
CVE identifier:	CVE-2019-14829
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66187
Tracker issue:	MDL-66187 Activity :addinstance capabilities were not respected when creating a course in single activity format

MSA-19-0020: Python Machine Learning dependency versions bumped

by Michael Hawkins - Monday, September 16, 2019, 4:15 PM

The analytics Python Machine Learning backend has received some security fixes, resulting in the required PIP package version being increased. (Note: Sites using the PHP ML backend, or not using analytics are not affected)

Severity/Risk:	Minor
Versions affected:	3.7 to 3.7.1, 3.6 to 3.6.5 and 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed:	3.7.2, 3.6.6 and 3.5.8
Reported by:	David Monllaó
CVE identifier:	N/A
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66069
Tracker issue:	MDL-66069 Python Machine Learning dependency versions bumped

MSA-19-0019: Course creation did not check the creator's role assignment capability before automatically assigning them as a teacher in the course

by Michael Hawkins - Monday, September 16, 2019, 4:09 PM

Users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role.

Severity/Risk:	Minor
Versions affected:	3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed:	3.7.2, 3.6.6 and 3.5.8
Reported by:	Andrew Nicols
CVE identifier:	CVE-2019-14828
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66181
Tracker issue:	MDL-66181 Course creation did not check the creator's role assignment capability before automatically assigning them as a teacher in the course

MSA-19-0018: JavaScript injection possible in some Mustache templates via recursive rendering from contexts

by Michael Hawkins - Monday, September 16, 2019, 4:06 PM

Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates.

Severity/Risk:	Serious
Versions affected:	3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed:	3.7.2, 3.6.6 and 3.5.8
Reported by:	Sam Hemelryk, Andrew Nicols
CVE identifier:	CVE-2019-14827
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62284
Tracker issue:	MDL-62284 JavaScript injection possible in some Mustache templates via recursive rendering from contexts

MSA-19-0017: Upgrade TCPDF library for PHP 7.3 and bug fixes (upstream)

by Michael Hawkins - Tuesday, July 16, 2019, 11:57 AM

The third party TCPDF library used by Moodle required updating to patch bug fixes, including a security fix (see CVE for more details).

Severity/Risk:	Minor
Versions affected:	3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed:	3.7.1, 3.6.5 and 3.5.7
Reported by:	Dan Marsden
CVE identifier:	CVE-2018-17057
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64794
Tracker issue:	MDL-64794 Upgrade TCPDF library for PHP 7.3 and bug fixes (upstream)

MSA-19-0016: Assignment group overrides did not observe separate groups mode

by Michael Hawkins - Tuesday, July 16, 2019, 11:52 AM

Teachers in an assignment group could modify group overrides for other groups in the same assignment.

Severity/Risk:	Minor
Versions affected:	3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed:	3.7.1, 3.6.5 and 3.5.7
Reported by:	David Monllaó
CVE identifier:	CVE-2019-10189
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61114
Tracker issue:	MDL-61114 Assignment group overrides did not observe separate groups mode

MSA-19-0015: Quiz group overrides did not observe groups membership or accessallgroups

by Michael Hawkins - Tuesday, July 16, 2019, 11:49 AM

Teachers in a quiz group could modify group overrides for other groups in the same quiz.

Severity/Risk:	Minor
Versions affected:	3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed:	3.7.1, 3.6.5 and 3.5.7
Reported by:	Charl Nel
CVE identifier:	CVE-2019-10188
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34411
Tracker issue:	MDL-34411 Quiz group overrides did not observe groups membership or accessallgroups