Security announcements

MSA-18-0017: Moodle XML import of ddwtos could lead to intentional remote code execution

by Michael Hawkins - Monday, September 17, 2018, 12:10 PM

When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source.

Severity/Risk:	Serious
Versions affected:	3.5 to 3.5.1, 3.4 to 3.4.4, 3.1 to 3.1.13 and earlier unsupported versions
Versions fixed:	3.5.2, 3.4.5, 3.3.8 and 3.1.14
Reported by:	Johannes Moritz
CVE identifier:	CVE-2018-14630
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62880
Tracker issue:	MDL-62880 Moodle XML import of ddwtos could lead to intentional remote code execution

MSA-18-0016: Quiz question bank import preview could execute JavaScript

by Michael Hawkins - Monday, July 16, 2018, 3:18 PM

When a quiz question bank is imported, it was possible for the question preview that is displayed to execute JavaScript that is written into the question bank.

Severity/Risk:	Minor
Versions affected:	3.5, 3.4 to 3.4.3, 3.3 to 3.3.6, 3.2 to 3.2.9, 3.1 to 3.1.12 and earlier unsupported versions
Versions fixed:	3.5.1, 3.4.4, 3.3.7, 3.1.13
Reported by:	Les Bell
CVE identifier:	CVE-2018-10891
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62820
Tracker issue:	MDL-62820 Quiz question bank import preview could execute JavaScript

MSA-18-0015: Web service core_course_get_categories may return invisible categories

by Michael Hawkins - Monday, July 16, 2018, 3:15 PM

It was possible for the core_course_get_categories web service to return hidden categories, which should be omitted when fetching course categories. Note this only affects cases where a user has access to manage categories, but does not also have permission to view hidden categories.

Severity/Risk:	Minor
Versions affected:	3.5, 3.4 to 3.4.3, 3.3 to 3.3.6, 3.2 to 3.2.9, 3.1 to 3.1.12 and earlier unsupported versions
Versions fixed:	3.5.1, 3.4.4, 3.3.7, 3.1.13
Reported by:	Marina Glancy
CVE identifier:	CVE-2018-10890
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62790
Tracker issue:	MDL-62790 core_course_get_categories may return invisible categories

MSA-18-0014: Privacy data exports include log data

by Michael Hawkins - Monday, July 16, 2018, 3:13 PM

No option existed to omit logs from data privacy exports, which may contain details of other users who interacted with the requester. Note this may be a serious privacy consideration for sites processing data exports.

Severity/Risk:	Minor
Versions affected:	3.5, 3.4.3, 3.3 to 3.3.6
Versions fixed:	3.5.1, 3.4.4, 3.3.7
Reported by:	Ralf Hilgenstock
CVE identifier:	CVE-2018-10889
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62616
Tracker issue:	MDL-62616 Privacy data exports include log data

MSA-18-0012: Portfolio script allows instantiation of class chosen by user

by Marina Glancy - Friday, May 25, 2018, 1:57 PM

Substituting URL in portfolios users can instantiate any class, this can also be exploited by users who are logged in as guests to create a DDoS attack

Severity/Risk:	Serious
Versions affected:	3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions
Versions fixed:	3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12
Reported by:	Brendan Cox
Workaround:	Disable portfolios until the fix is applied. Portfolios are disabled by default in Moodle
CVE identifier:	CVE-2018-1137
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62233
Tracker issue:	MDL-62233 Portfolio script allows instantiation of class chosen by user

MSA-18-0011: User who did not agree to the site policies can see the site homepage as if they had full site access

by Marina Glancy - Friday, May 25, 2018, 1:56 PM

Site policies agreement is not checked for logged in users who browse front page and activities on it

Severity/Risk:	Minor
Versions affected:	3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions
Versions fixed:	3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12
Reported by:	Marina Glancy
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61996
Tracker issue:	MDL-61996 User who did not agree to the site policies can see the site homepage as if they had full site access

MSA-18-0010: User can shift a block from Dashboard to any page

by Marina Glancy - Friday, May 25, 2018, 1:54 PM

Authenticated user are allowed to add HTML blocks containing scripts to their Dashboard and this is normally not a security issue because personal dashboard is visible to this user only. Through this security vulnerability users can move such block to other pages where they can be viewed by other users.

Severity/Risk:	Serious
Versions affected:	3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions
Versions fixed:	3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12
Reported by:	Brendan Cox
Workaround:	Prohibit capability 'moodle/my:manageblocks' from Authenticated user role until the fix is applied
CVE identifier:	CVE-2018-1136
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62206
Tracker issue:	MDL-62206 User can shift a block from Dashboard to any page

MSA-18-0009: Portfolio forum caller class allows a user to download any file

by Marina Glancy - Friday, May 25, 2018, 1:53 PM

Students who posted on forum and exported the post to portfolios can download any stored Moodle file by changing download URL

Severity/Risk:	Minor
Versions affected:	3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions
Versions fixed:	3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12
Reported by:	Brendan Cox
Workaround:	Disable portfolios until the fix is applied. Portfolios are disabled by default in Moodle
CVE identifier:	CVE-2018-1135
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62232
Tracker issue:	MDL-62232 Portfolio forum caller class allows a user to download any file

MSA-18-0008: Users can download any file via portfolio assignment caller class

by Marina Glancy - Friday, May 25, 2018, 1:53 PM

Students who submitted assignments and exported it to portfolios can download any stored Moodle file by changing download URL

Severity/Risk:	Minor
Versions affected:	3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions
Versions fixed:	3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12
Reported by:	Brendan Cox
Workaround:	Disable portfolios until the fix is applied. Portfolios are disabled by default in Moodle
CVE identifier:	CVE-2018-1134
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62210
Tracker issue:	MDL-62210 Users can download any file via portfolio assignment caller class

MSA-18-0007: Calculated question type allows remote code execution by Question authors

by Marina Glancy - Friday, May 25, 2018, 1:51 PM

Teacher creating Calculated question can intentionally cause remote code execution on server

Severity/Risk:	Serious
Versions affected:	3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions
Versions fixed:	3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12
Reported by:	Robin Peraglie
CVE identifier:	CVE-2018-1133
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62275
Tracker issue:	MDL-62275, MDL-62469 Calculated question type allows remote code execution by Question authors