Security announcements

MSA-18-0001: Server Side Request Forgery in the filepicker

by Marina Glancy -

By substituting the source URL in the filepicker AJAX request, authenticated users are able to retrieve and view any URL. We classify this issue as serious because some cloud hosting providers contain internal resources that can expose data and compromise a server.

Severity/Risk: Serious
Versions affected: 3.4, 3.3 to 3.3.3, 3.2 to 3.2.6, 3.1 to 3.1.9 and earlier unsupported versions
Versions fixed: 3.4.1, 3.3.4, 3.2.7 and 3.1.10
Reported by: Thomas DeVoss
CVE identifier: CVE-2018-1042
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61131
Tracker issue: MDL-61131 Server Side Request Forgery in /repository/repository_ajax.php (Critical for Cloud Hosted Moodle Instances)

MSA-17-0021: Students can find out email addresses of other students in the same course

by Marina Glancy -

Using the search on the Participants page, students could search the email addresses of all participants regardless of email visibility. This allows the enumeration and guessing of other students' email addresses.

Severity/Risk: Minor
Versions affected: 3.3 to 3.3.2, 3.2 to 3.2.5, 3.1 to 3.1.8 and earlier unsupported versions
Versions fixed: 3.4, 3.3.3, 3.2.6 and 3.1.9
Reported by: Tim Schroeder
Workaround: Prohibit capability 'moodle/course:viewparticipants' (View participants) for Student role until Moodle is upgraded
CVE identifier: CVE-2017-15110
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-60550
Tracker issue: MDL-60550 Students can find out email addresses of other students who set theirs to "hidden"

MSA-17-0020: Admins may not know that exposing vendor directory is a security risk

by Marina Glancy -

The directories vendor/ and node_modules/, which are created by composer and used during Moodle development, may expose dangerous scripts to the web and should never be present on production sites. This fix adds a corresponding security check.

Manual action may be required from the site admin to remove composer-generated directories or prevent access to them from the web.

Severity/Risk: Serious
Versions affected: 3.3 to 3.3.1, 3.2 to 3.2.4, 3.1 to 3.1.7 and earlier unsupported versions
Versions fixed: 3.3.2, 3.2.5 and 3.1.8
Reported by: David Mudrák
CVE identifier: CVE-2017-9841 (reported against the PHPUnit project; it is relevant to the version used in Moodle development)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59969
Tracker issue: MDL-59969 Admins may not know that exposing vendor directory is a security risk

MSA-17-0019: user_can_view_profile() incorrectly assumes $course as shared course

by Marina Glancy -

This fix may affect plugins using this API function; there is no exploit in standard Moodle.

Severity/Risk: Minor
Versions affected: 3.3 to 3.3.1, 3.2 to 3.2.4, 3.1 to 3.1.7 and earlier unsupported versions
Versions fixed: 3.3.2, 3.2.5 and 3.1.8
Reported by: Ankit Agarwal
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58953
Tracker issue: MDL-58953 user_can_view_profile() incorrectly assumes $course as $sharedcourse

MSA-17-0018: Course reports are not respecting group settings in courses

by Marina Glancy -

A number of course reports allowed teachers to view details about users in groups they cannot access.

Severity/Risk: Minor
Versions affected: 3.3 to 3.3.1, 3.2 to 3.2.4, 3.1 to 3.1.7 and earlier unsupported versions
Versions fixed: 3.3.2, 3.2.5 and 3.1.8
Reported by: Juan Leyva
CVE identifier: CVE-2017-12157
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58762
Tracker issue: MDL-58762 Course reports are not respecting group settings in courses

MSA-17-0017: XSS in contact form on "non-respondents" page in non-anonymous feedback

by Marina Glancy -

The form on the feedback "non-respondents" page does not escape the value of the subject field, creating a self-XSS. This can be used to attack another user by tricking them into opening a malicious URL while they have an open Moodle session.

Severity/Risk: Minor
Versions affected: 3.3 to 3.3.1, 3.2 to 3.2.4, 3.1 to 3.1.7 and earlier unsupported versions
Versions fixed: 3.3.2, 3.2.5 and 3.1.8
Reported by: JPCERT/CC
CVE identifier: CVE-2017-12156
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59972
Tracker issue: MDL-59972 XSS in contact form on "non-respondents" page (mod_feedback)

MSA-17-0016: Authentication bypass vulnerability with old CAS servers

by Marina Glancy -

Old CAS servers (3.3.5.1 or 3.4.2.1, both released Jul 21, 2010) do not escape the failure message, which could be exploited via the phpCAS client library shipped as part of Moodle. Only the fix for this issue was picked into the phpCAS library in Moodle; the library will be upgraded to the latest version in the next major Moodle release. See also https://github.com/Jasig/phpCAS/issues/228

Severity/Risk: Minor
Versions affected: 3.3, 3.2 to 3.2.3, 3.1 to 3.1.6 and earlier unsupported versions
Versions fixed: 3.3.1, 3.2.4 and 3.1.7
Reported by: ngocdh
CVE identifier: CVE-2017-1000071 (requested by phpCAS)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59456
Tracker issue: MDL-59456 Authentication bypass vulnerability on phpCAS library

MSA-17-0015: Course creators are able to change system default settings for courses

by Marina Glancy -

An insufficient permission check in the "Site administration" tree allows users who have permission to access one page in the tree to change other settings.

Severity/Risk: Minor
Versions affected: 3.3, 3.2 to 3.2.3, 3.1 to 3.1.6 and earlier unsupported versions
Versions fixed: 3.3.1, 3.2.4 and 3.1.7
Reported by: Thomas Jaisson
CVE identifier: CVE-2017-7532
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59409
Tracker issue: MDL-59409 Course creators are able to change system default settings for courses

MSA-17-0014: Course overview block reveals activities in hidden courses

by Marina Glancy -

The timeline view of the new course overview block can show events for activities that the user cannot yet access because the course is hidden.

Severity/Risk: Minor
Versions affected: 3.3
Versions fixed: 3.3.1
Reported by: Charles Fulton
CVE identifier: CVE-2017-7531
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59304
Tracker issue: MDL-59304 Course overview block reveals activities in hidden courses

MSA-17-0006: User fullname disclosure on user preferences page

by Marina Glancy -

Some pages show the full names of users as part of the permission error message, even to users who do not have the capability to view full names.

Severity/Risk: Minor
Versions affected: 3.3, 3.2 to 3.2.3, 3.1 to 3.1.6 and earlier unsupported versions
Versions fixed: 3.3.1, 3.2.4 and 3.1.7
Reported by: Andreas Grabs
CVE identifier: CVE-2017-2642
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56565
Tracker issue: MDL-56565 User fullname disclosure on user preferences page