Security announcements

MSA-19-0010: All messaging conversations could be viewed

by Michael Hawkins - Monday, May 20, 2019, 2:38 PM

A web service fetching messages was not restricted to the current user's conversations.

Severity/Risk:	Serious
Versions affected:	3.6 to 3.6.3
Versions fixed:	3.7, 3.6.4
Reported by:	Mazen Gamal
Workaround:	Disable the messaging system until the fix is applied.
CVE identifier:	CVE-2019-10154
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-65365
Tracker issue:	MDL-65365 All messaging conversations could be viewed

(Edited 11 June 2019 to update the CVE identifier.)

MSA-19-0009: get_with_capability_join/get_users_by_capability not aware of context freezing

by Michael Hawkins - Tuesday, March 19, 2019, 11:17 AM

get_with_capability_join and get_users_by_capability were not taking context freezing into account when checking user capabilities

Severity/Risk:	Minor
Versions affected:	3.6 to 3.6.2
Versions fixed:	3.6.3
Reported by:	Andrew Nicols
CVE identifier:	CVE-2019-3852
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64410
Tracker issue:	MDL-64410 get_with_capability_join/get_users_by_capability not aware of context freezing

MSA-19-0008: Secure layout contained an insecure link in Boost theme

by Michael Hawkins - Tuesday, March 19, 2019, 11:16 AM

There was a link to site home within the the Boost theme's secure layout, meaning students could navigate out of the page.

Severity/Risk:	Minor
Versions affected:	3.6 to 3.6.2 and 3.5 to 3.5.4
Versions fixed:	3.6.3 and 3.5.5
Reported by:	Martin von Löwis and Luca Bösch
CVE identifier:	CVE-2019-3851
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64706
Tracker issue:	MDL-64706 Secure layout contained an insecure link in Boost theme

MSA-19-0007: Stored HTML in assignment submission comments allowed links to be opened directly

by Michael Hawkins - Tuesday, March 19, 2019, 11:15 AM

Links within assignment submission comments would open directly (in the same window). Although links themselves may be valid, opening within the same window and without the no-referrer header policy made them more susceptible to exploits.

Severity/Risk:	Minor
Versions affected:	3.6 to 3.6.2, 3.5 to 3.5.4, 3.4 to 3.4.7, 3.1 to 3.1.16 and earlier unsupported versions
Versions fixed:	3.6.3, 3.5.5, 3.4.8 and 3.1.17
Reported by:	Steeven George
CVE identifier:	CVE-2019-3850
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64651
Tracker issue:	MDL-64651 Stored HTML in assignment submission comments allowed links to be opened directly

MSA-19-0006: Users could elevate their role when accessing the LTI tool on a provider site

by Michael Hawkins - Tuesday, March 19, 2019, 11:14 AM

Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site.

Severity/Risk:	Serious
Versions affected:	3.6 to 3.6.2, 3.5 to 3.5.4, 3.4 to 3.4.7 and earlier unsupported versions
Versions fixed:	3.6.3, 3.5.5 and 3.4.8
Reported by:	Brendan Cox
CVE identifier:	CVE-2019-3849
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62702
Tracker issue:	MDL-62702 Users could elevate their role when accessing the LTI tool on a provider site

MSA-19-0005: Logged in users could view all calendar events

by Michael Hawkins - Tuesday, March 19, 2019, 11:10 AM

Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users could view unauthorised calendar events. (Note: It was read-only access, users could not edit the events.)

Severity/Risk:	Serious
Versions affected:	3.6 to 3.6.2, 3.5 to 3.5.4 and 3.4 to 3.4.7
Versions fixed:	3.6.3, 3.5.5 and 3.4.8
Reported by:	Juan Leyva
CVE identifier:	CVE-2019-3848
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64830
Tracker issue:	MDL-64830 Logged in users could view all calendar events

MSA-19-0004: "Log in as" functionality exposed to JavaScript risk on other users' Dashboards

by Michael Hawkins - Tuesday, March 19, 2019, 11:06 AM

Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf.

Please note that for versions 3.1 and 3.4 only, this fix removes access to other users' Dashboards while using the login-as functionality. Versions 3.5 and 3.6 have additional sanitizing implemented, which allowed the risk to be removed while retaining Dashboard access. If you require access to Dashboards through the login-as feature, we recommend upgrading to Moodle 3.5 or above (noting that 3.1 and 3.4 will also no longer receive security updates after their next releases in May 2019).

Severity/Risk:	Serious
Versions affected:	3.6 to 3.6.2, 3.5 to 3.5.4, 3.4 to 3.4.7, 3.1 to 3.1.16 and earlier unsupported versions
Versions fixed:	3.6.3, 3.5.5, 3.4.8 and 3.1.17
Reported by:	Daniel Thatcher
Workaround:	Use incognito/private browsing mode when using the "Log in as" functionality, then close the private window before logging back in as your own user, to minimise session or cookie related risks. Alternatively, avoid visiting the Dashboard when logged in as other users until patch is applied.
CVE identifier:	CVE-2019-3847
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-63786
Tracker issue:	MDL-63786 "Log in as" functionality exposed to JavaScript risk on other users' Dashboards

MSA-19-0003: User full name is not escaped in the un-linked userpix page

by Michael Hawkins - Monday, January 21, 2019, 12:17 PM

The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted.

Severity/Risk:	Minor
Versions affected:	3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions
Versions fixed:	3.6.2, 3.5.4, 3.4.7 and 3.1.16
Reported by:	Fariskhi Vidyan
CVE identifier:	CVE-2019-3810
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64372
Tracker issue:	MDL-64372 User full name is not escaped in the un-linked userpix page

MSA-19-0002: Blind SSRF Risk in /badges/mybackpack.php

by Michael Hawkins - Monday, January 21, 2019, 12:16 PM

The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the Mozilla Open Badges backpack URL. This resulted in the possibility of blind SSRF via requests made by the page.

Severity/Risk:	Minor
Versions affected:	3.1 to 3.1.15 and earlier unsupported versions
Versions fixed:	3.1.16
Reported by:	Alejandro Parodi
Workaround:	Ensure your firewall rules effectively protect other internal hosts and ports from unauthorised access.
CVE identifier:	CVE-2019-3809
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64222
Tracker issue:	MDL-64222 Blind SSRF risk in /badges/mybackpack.php

MSA-19-0001: Manage groups capability is missing XSS risk flag

by Michael Hawkins - Monday, January 21, 2019, 12:14 PM

The 'manage groups' capability did not have the 'XSS risk' flag assigned to it, but does have that access in certain places. Note that the capability is intended for use by trusted users, and is only assigned to teachers and managers by default.

Severity/Risk:	Minor
Versions affected:	3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions
Versions fixed:	3.6.2, 3.5.4, 3.4.7 and 3.1.16
Reported by:	Fariskhi Vidyan
CVE identifier:	CVE-2019-3808
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64395
Tracker issue:	MDL-64395 Manage groups capability is missing XSS risk flag