Security announcements

MSA-20-0001: Stored XSS in message conversation overview

by Michael Hawkins - Monday, January 20, 2020, 1:07 PM

Messages required extra sanitizing before updating the conversation overview, to prevent the risk of stored XSS.

Severity/Risk:	Serious
Versions affected:	3.8
Versions fixed:	3.8.1
Reported by:	Cid da Costa
Workaround:	Disable the messaging system until the patch has been applied.
CVE identifier:	CVE-2020-1691
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-67637
Tracker issue:	MDL-67637 Stored XSS in message conversation overview

MSA-19-0029: Reflected XSS possible from some fatal error messages

by Michael Hawkins - Monday, November 18, 2019, 1:35 PM

Fatal error messages required extra sanitizing to prevent reflected XSS risks on some pages.

Severity/Risk:	Serious
Versions affected:	3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions
Versions fixed:	3.7.3, 3.6.7 and 3.5.9
Reported by:	Yuriy Dyachenko
CVE identifier:	CVE-2019-14884
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66161
Tracker issue:	MDL-66161 Reflected XSS possible from some fatal error messages

MSA-19-0028: Email media URL tokens were not checking for user status

by Michael Hawkins - Monday, November 18, 2019, 1:33 PM

Tokens used to fetch inline attachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path, and their token.

Severity/Risk:	Minor
Versions affected:	3.7 to 3.7.2 and 3.6 to 3.6.6
Versions fixed:	3.7.3 and 3.6.7
Reported by:	Juan Leyva
CVE identifier:	CVE-2019-14883
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66377
Tracker issue:	MDL-66377 Email media URL tokens were not checking for user status

MSA-19-0027: Open redirect in Lesson edit page

by Michael Hawkins - Monday, November 18, 2019, 1:20 PM

An open redirect existed in the Lesson edit page.

Severity/Risk:	Minor
Versions affected:	3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions
Versions fixed:	3.7.3, 3.6.7 and 3.5.9
Reported by:	Paul Holden
CVE identifier:	CVE-2019-14882
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66228
Tracker issue:	MDL-66228 Open redirect in Lesson edit page

MSA-19-0026: Blind XSS reflected in some locations where user email is displayed

by Michael Hawkins - Monday, November 18, 2019, 1:19 PM

User emails required additional sanitizing to prevent blind XSS risk on some pages.

Severity/Risk:	Minor
Versions affected:	3.7 to 3.7.2
Versions fixed:	3.7.3
Reported by:	Yuri Zwaig
CVE identifier:	CVE-2019-14881
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66762
Tracker issue:	MDL-66762 Blind XSS reflected in some locations where user email is displayed

MSA-19-0025: Add additional verification for some OAuth 2 logins to prevent account compromise

by Michael Hawkins - Monday, November 18, 2019, 1:17 PM

OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise.

Severity/Risk:	Serious
Versions affected:	3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions
Versions fixed:	3.7.3, 3.6.7 and 3.5.9
Reported by:	CeDiS Team
Workaround:	Disable login via OAuth 2 providers that may be affected, until the patch is applied.
CVE identifier:	CVE-2019-14880
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66598
Tracker issue:	MDL-66598 Add additional verification for some OAuth 2 logins to prevent account compromise

MSA-19-0024: Assigned Role in Cohort did not un-assign on removal

by Michael Hawkins - Monday, November 18, 2019, 1:15 PM

When a cohort role assignment was removed, the associated capabilites were not being revoked (where applicable).

Severity/Risk:	Minor
Versions affected:	3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions
Versions fixed:	3.7.3, 3.6.7 and 3.5.9
Reported by:	Yusuf Yilmaz, Mick Cassell
CVE identifier:	CVE-2019-14879
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66257
Tracker issue:	MDL-66257 Assigned Role in Cohort did not un-assign on removal

MSA-19-0023: Forum subscribe link contained an open redirect if forced subscription mode was enabled

by Michael Hawkins - Monday, September 16, 2019, 4:34 PM

If a forum's subscription mode was set to "forced subscription", the forum's subscribe link contained an open redirect.

Severity/Risk:	Minor
Versions affected:	3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed:	3.7.2, 3.6.6 and 3.5.8
Reported by:	John Couzins
Workaround:	Set a different subscription mode (eg optional or auto) on forums until the patch is applied.
CVE identifier:	CVE-2019-14831
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-55451
Tracker issue:	MDL-55451 Forum subscribe link contained an open redirect if forced subscription mode was enabled

MSA-19-0022: Open redirect in the mobile launch endpoint could be used to expose mobile access tokens

by Michael Hawkins - Monday, September 16, 2019, 4:27 PM

The mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app").

Severity/Risk:	Serious
Versions affected:	3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed:	3.7.2, 3.6.6 and 3.5.8
Reported by:	Frederik Schou Schmidt
Workaround:	Configure the "Forced URL scheme" (forcedurlscheme) option in site administration to either the app's custom URL scheme, or "moodlemobile" for sites using the standard Moodle app. Alternative workaround options include disabling mobile service (enablemobilewebservice), or changing the mobile app login method (typeoflogin) to "via the app" if possible (instead of via SSO plugin) until the patch is applied.
CVE identifier:	CVE-2019-14830
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66501
Tracker issue:	MDL-66501 Open redirect in the mobile launch endpoint could be used to expose mobile access tokens

MSA-19-0021: Activity :addinstance capabilities were not respected when creating a course in single activity format

by Michael Hawkins - Monday, September 16, 2019, 4:24 PM

Activity creation capabilities were not correctly respected when selecting the activity to use for a course in single activity mode.

Severity/Risk:	Minor
Versions affected:	3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed:	3.7.2, 3.6.6 and 3.5.8
Reported by:	Andrew Nicols
CVE identifier:	CVE-2019-14829
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66187
Tracker issue:	MDL-66187 Activity :addinstance capabilities were not respected when creating a course in single activity format