Teachers in a quiz group could modify group overrides for other groups in the same quiz.
| Severity/Risk: | Minor |
| Versions affected: | 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions |
| Versions fixed: | 3.7.1, 3.6.5 and 3.5.7 |
| Reported by: | Charl Nel |
| CVE identifier: | CVE-2019-10188 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34411 |
| Tracker issue: | MDL-34411 Quiz group overrides did not observe groups membership or accessallgroups |
Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access to.
| Severity/Risk: | Minor |
| Versions affected: | 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions |
| Versions fixed: | 3.7.1, 3.6.5 and 3.5.7 |
| Reported by: | Peter Dias |
| CVE identifier: | CVE-2019-10187 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64623 |
| Tracker issue: | MDL-64623 Ability to delete glossary entries that belong to another glossary |
A sesskey (CSRF) token was not being utilised by the XML loading/unloading admin tool.
| Severity/Risk: | Minor |
| Versions affected: | 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions |
| Versions fixed: | 3.7.1, 3.6.5 and 3.5.7 |
| Reported by: | Callum Carney |
| CVE identifier: | CVE-2019-10186 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53689 |
| Tracker issue: | MDL-53689 Missing sesskey (CSRF) token in loading/unloading xml files |
The size of users' private file uploads via email were not correctly checked, so their quota allowance could be exceeded.
| Severity/Risk: | Minor |
| Versions affected: | 3.6 to 3.6.3, 3.5 to 3.5.5, 3.4 to 3.4.8, 3.1 to 3.1.17 and earlier unsupported versions |
| Versions fixed: | 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18 |
| Reported by: | Guillermo Leon Alvarez Salamanca |
| Workaround: | Disable the "Email to Private files" message handler until the fix is applied. This is disabled by default in Moodle. |
| CVE identifier: | CVE-2019-10134 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61738 |
| Tracker issue: | MDL-61738 Private files uploaded via incoming mail processing could bypass quota restrictions |
The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.
| Severity/Risk: | Minor |
| Versions affected: | 3.6 to 3.6.3, 3.5 to 3.5.5, 3.4 to 3.4.8, 3.1 to 3.1.17 and earlier unsupported versions |
| Versions fixed: | 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18 |
| Reported by: | Lindon Wass |
| CVE identifier: | CVE-2019-10133 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64708 |
| Tracker issue: | MDL-64708 Open redirect in upload cohorts page |
A web service fetching messages was not restricted to the current user's conversations.
| Severity/Risk: | Serious |
| Versions affected: | 3.6 to 3.6.3 |
| Versions fixed: | 3.7, 3.6.4 |
| Reported by: | Mazen Gamal |
| Workaround: | Disable the messaging system until the fix is applied. |
| CVE identifier: | CVE-2019-10154 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-65365 |
| Tracker issue: | MDL-65365 All messaging conversations could be viewed |
(Edited 11 June 2019 to update the CVE identifier.)
get_with_capability_join and get_users_by_capability were not taking context freezing into account when checking user capabilities
| Severity/Risk: | Minor |
| Versions affected: | 3.6 to 3.6.2 |
| Versions fixed: | 3.6.3 |
| Reported by: | Andrew Nicols |
| CVE identifier: | CVE-2019-3852 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64410 |
| Tracker issue: | MDL-64410 get_with_capability_join/get_users_by_capability not aware of context freezing |
There was a link to site home within the the Boost theme's secure layout, meaning students could navigate out of the page.
| Severity/Risk: | Minor |
| Versions affected: | 3.6 to 3.6.2 and 3.5 to 3.5.4 |
| Versions fixed: | 3.6.3 and 3.5.5 |
| Reported by: | Martin von Löwis and Luca Bösch |
| CVE identifier: | CVE-2019-3851 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64706 |
| Tracker issue: | MDL-64706 Secure layout contained an insecure link in Boost theme |
Links within assignment submission comments would open directly (in the same window). Although links themselves may be valid, opening within the same window and without the no-referrer header policy made them more susceptible to exploits.
| Severity/Risk: | Minor |
| Versions affected: | 3.6 to 3.6.2, 3.5 to 3.5.4, 3.4 to 3.4.7, 3.1 to 3.1.16 and earlier unsupported versions |
| Versions fixed: | 3.6.3, 3.5.5, 3.4.8 and 3.1.17 |
| Reported by: | Steeven George |
| CVE identifier: | CVE-2019-3850 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64651 |
| Tracker issue: | MDL-64651 Stored HTML in assignment submission comments allowed links to be opened directly |
Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site.
| Severity/Risk: | Serious |
| Versions affected: | 3.6 to 3.6.2, 3.5 to 3.5.4, 3.4 to 3.4.7 and earlier unsupported versions |
| Versions fixed: | 3.6.3, 3.5.5 and 3.4.8 |
| Reported by: | Brendan Cox |
| CVE identifier: | CVE-2019-3849 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62702 |
| Tracker issue: | MDL-62702 Users could elevate their role when accessing the LTI tool on a provider site |