Security announcements

MSA-20-0015: Chapter name in book not always escaped with forceclean enabled

per Michael Hawkins -

It was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page.

Note: By default only trusted users (such as teachers) can add chapters, but this is recorded as a security issue as a precaution, because the title was not sanitized even on sites with forceclean enabled.


Severity/Risk: Minor
Versions affected: 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7
Versions fixed: 3.9.2, 3.8.5 and 3.7.8
Reported by: DegrangeM
CVE identifier: CVE-2020-25631
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69048
Tracker issue: MDL-69048 Chapter name in book not always escaped with forceclean enabled

MSA-20-0014: Denial of service risk in file picker unzip functionality

per Michael Hawkins -

The decompressed size of zip files was not checked against the user's available quota before unzipping them, so a small archive with a very large decompressed size could consume storage well beyond that quota, a denial of service risk.


Severity/Risk: Serious
Versions affected: 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions
Versions fixed: 3.9.2, 3.8.5, 3.7.8 and 3.5.14
Reported by: Ivan Novichkov
CVE identifier: CVE-2020-25630
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-65115
Tracker issue: MDL-65115 Denial of service risk in file picker unzip functionality
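
The check MSA-20-0014 describes, as an added example written for this page (it is not Moodle's file picker code and does not reproduce the MDL-65115 fix): the declared uncompressed sizes in the zip central directory are summed against the remaining quota before anything is inflated, and, because those declared sizes are attacker-controlled, a second hard ceiling is enforced while the data is actually inflated. The sample archive, quota figures and member names are constructed for the example.

```python
import io
import zipfile


class QuotaExceeded(Exception):
    """Raised when an archive would push the user past their storage quota."""


def declared_uncompressed_size(data: bytes) -> int:
    # Sum the uncompressed sizes recorded in the central directory. This reads
    # only headers, so it is cheap and happens before a single byte is inflated.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sum(info.file_size for info in zf.infolist())


def check_against_quota(data: bytes, used_bytes: int, quota_bytes: int) -> int:
    """Pre-check: reject the archive if its declared size does not fit."""
    total = declared_uncompressed_size(data)
    if used_bytes + total > quota_bytes:
        raise QuotaExceeded(
            f"archive declares {total} bytes but only "
            f"{quota_bytes - used_bytes} bytes of quota remain")
    return total


def inflate_with_ceiling(data: bytes, ceiling_bytes: int) -> dict:
    """Second line of defence: the central directory can under-report sizes,
    so count bytes as they are really inflated and abort once the ceiling
    is crossed, rather than trusting the headers alone."""
    remaining = ceiling_bytes
    written = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            size = 0
            with zf.open(info) as src:
                while True:
                    chunk = src.read(64 * 1024)
                    if not chunk:
                        break
                    size += len(chunk)
                    remaining -= len(chunk)
                    if remaining < 0:
                        raise QuotaExceeded(
                            f"{info.filename} crossed the {ceiling_bytes}-byte ceiling")
            # A real implementation would write each chunk to the user's file
            # area here; the example only records how large each member became.
            written[info.filename] = size
    return written


def safe_unzip(data: bytes, used_bytes: int, quota_bytes: int) -> dict:
    """Declared-size pre-check first, then inflation under a hard ceiling."""
    check_against_quota(data, used_bytes, quota_bytes)
    return inflate_with_ceiling(data, quota_bytes - used_bytes)


def would_be_rejected(data: bytes, used_bytes: int, quota_bytes: int) -> bool:
    try:
        safe_unzip(data, used_bytes, quota_bytes)
    except QuotaExceeded:
        return True
    return False


def make_sample_archive(member_size: int, members: int) -> bytes:
    """Constructed sample (not a real artefact): highly compressible members,
    so a few kilobytes of zip inflate to members * member_size bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(members):
            zf.writestr(f"member{i}.bin", b"\x00" * member_size)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_archive(1_000_000, 5)  # a few KB on the wire, 5 MB inflated
    print("zip bytes:", len(sample), "declared:", declared_uncompressed_size(sample))
    print("fits in 10 MB quota:", not would_be_rejected(sample, 0, 10_000_000))
    print("rejected with 6 MB already used:", would_be_rejected(sample, 6_000_000, 10_000_000))
```

The pre-check is what the advisory calls for; the streaming ceiling is the caveat a practitioner adds, since a crafted archive can lie in its headers and the only size you can trust is the one you measure while inflating.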

MSA-20-0013: "Log in as" capability in a course context may lead to some privilege escalation

per Michael Hawkins -

Users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager.


Severity/Risk: Minor
Versions affected: 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions
Versions fixed: 3.9.2, 3.8.5, 3.7.8 and 3.5.14
Reported by: Florence Thiard
Workaround: Remove the "Login as other users" capability from the manager role until the patch is applied.
CVE identifier: CVE-2020-25629
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68974
Tracker issue: MDL-68974 "Log in as" capability in a course context may lead to some privilege escalation

MSA-20-0012: Reflected XSS in tag manager

per Michael Hawkins -

The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk.


Severity/Risk: Serious
Versions affected: 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions
Versions fixed: 3.9.2, 3.8.5, 3.7.8 and 3.5.14
Reported by: Luuk Verhoeven
CVE identifier: CVE-2020-25628
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69340
Tracker issue: MDL-69340 Reflected XSS in tag manager

MSA-20-0011: Stored XSS via moodlenetprofile parameter in user profile

per Michael Hawkins -

The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk.


Severity/Risk: Serious
Versions affected: 3.9 to 3.9.1
Versions fixed: 3.9.2
Reported by: Kien Hoang
CVE identifier: CVE-2020-25627
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69240
Tracker issue: MDL-69240 Stored XSS via moodlenetprofile parameter in user profile

MSA-20-0010: yui_combo should mitigate denial of service risk

per Michael Hawkins -

yui_combo needed to limit the number of files it can load in a single request to help mitigate the risk of denial of service.


Severity/Risk: Serious
Versions affected: 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12 and earlier unsupported versions
Versions fixed: 3.9.1, 3.8.4, 3.7.7 and 3.5.13
Reported by: Yuri Zwaig
CVE identifier: CVE-2020-14322
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68426
Tracker issue: MDL-68426 yui_combo should mitigate denial of service risk

MSA-20-0009: Course enrolments allowed privilege escalation from teacher role into manager role

per Michael Hawkins -

Teachers of a course were able to assign themselves the manager role within that course.


Severity/Risk: Serious
Versions affected: 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12 and earlier unsupported versions
Versions fixed: 3.9.1, 3.8.4, 3.7.7 and 3.5.13
Reported by: Kien Hoang
CVE identifier: CVE-2020-14321
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69093
Tracker issue: MDL-69093 Course enrolments allowed privilege escalation from teacher role into manager role
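
The two privilege-escalation advisories above, MSA-20-0013 ("Log in as" from a course context reaching system-level powers) and MSA-20-0009 (a teacher assigning themselves the manager role), are both failures of the same least-privilege rule: an action taken from a narrow context must not grant capabilities the actor does not already hold. The model below is an added example written for this page; it is not Moodle's roles implementation and does not reproduce either fix. The capability names, the allow-assignment matrix and the users are simplified assumptions constructed for the example.

```python
# Simplified role model (an assumption of this example, not Moodle's own
# roles/capabilities tables): a role is a set of capabilities, an assignment
# is (user, role, context), and every course context sits under "system".
ROLE_CAPS = {
    "manager": {"course:view", "role:assign", "user:loginas", "site:config"},
    "teacher": {"course:view", "role:assign"},
    "student": {"course:view"},
}

# Which roles each role may hand out (a simplified "allow role assignments"
# matrix): teachers may only assign student; only a manager may assign manager.
ALLOW_ASSIGN = {
    "manager": {"manager", "teacher", "student"},
    "teacher": {"student"},
    "student": set(),
}

# Constructed assignments: alice is a system manager, bob a course manager,
# carol a teacher and dave a student, the last three all in course 7.
ASSIGNMENTS = [
    ("alice", "manager", "system"),
    ("bob", "manager", "course:7"),
    ("carol", "teacher", "course:7"),
    ("dave", "student", "course:7"),
]


def context_chain(context: str) -> list:
    """A context and its parents, innermost first."""
    return [context] if context == "system" else [context, "system"]


def roles_in(user: str, context: str, assignments=ASSIGNMENTS) -> set:
    """Roles the user holds in this context or any parent context."""
    chain = context_chain(context)
    return {role for u, role, ctx in assignments if u == user and ctx in chain}


def caps_in(user: str, context: str, assignments=ASSIGNMENTS) -> set:
    return set().union(*(ROLE_CAPS[r] for r in roles_in(user, context, assignments)))


def can_assign_role(actor: str, role: str, context: str, assignments=ASSIGNMENTS) -> bool:
    """Assigning a role needs the capability *and* a role that is permitted to
    hand out that particular role, so a teacher cannot self-assign manager."""
    if "role:assign" not in caps_in(actor, context, assignments):
        return False
    return any(role in ALLOW_ASSIGN[r] for r in roles_in(actor, context, assignments))


def can_login_as(actor: str, target: str, context: str, assignments=ASSIGNMENTS) -> bool:
    """Impersonation must not lift the actor above their own system-level
    powers: the target's system-context capabilities must be a subset of the
    actor's, however the actor came by the loginas capability."""
    if "user:loginas" not in caps_in(actor, context, assignments):
        return False
    return caps_in(target, "system", assignments) <= caps_in(actor, "system", assignments)


if __name__ == "__main__":
    print("teacher assigns herself manager:", can_assign_role("carol", "manager", "course:7"))
    print("course manager logs in as system manager:", can_login_as("bob", "alice", "course:7"))
    print("course manager logs in as a student:", can_login_as("bob", "dave", "course:7"))
```

The check in can_login_as is the one the advisory needs; a fuller implementation would also confine impersonation to users who actually belong to the context the actor is acting in.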

MSA-20-0008: Reflected XSS in admin task logs filter

per Michael Hawkins -

The filter in the admin task log required extra sanitizing to prevent a reflected XSS risk.


Severity/Risk: Serious
Versions affected: 3.9, 3.8 to 3.8.3 and 3.7 to 3.7.6
Versions fixed: 3.9.1, 3.8.4 and 3.7.7
Reported by: Spyridon Chatzimichail
CVE identifier: CVE-2020-14320
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69128
Tracker issue: MDL-69128 Reflected XSS in admin task logs filter
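
Four of the advisories on this page, MSA-20-0015 (chapter title), MSA-20-0011 (moodlenetprofile field), MSA-20-0012 (tag manager filter) and MSA-20-0008 (task log filter), come down to user-controlled text reaching the page without output escaping. As an added example written for this page (not Moodle's code and not any of the four fixes), the block below renders a filter value the vulnerable way and the escaped way, and shows why an input-side cleaner is not a substitute: the tag-stripping cleaner here is a hypothetical stand-in for a generic "clean on input" policy, not Moodle's forceclean, and the payloads are constructed for the example.

```python
import html
import re

# Constructed payloads for the example (not taken from the advisories). The
# first needs a tag; the second breaks out of a quoted attribute with no tag.
TAG_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'


def strip_tags(value: str) -> str:
    """Hypothetical input-side cleaner that removes anything tag-shaped. It is
    here to show why cleaning on input is not the same as escaping on output."""
    return re.sub(r"<[^>]*>", "", value)


def render_vulnerable(value: str) -> str:
    # Reflects the user-controlled string into an attribute and into the body
    # with no escaping: the pattern behind a reflected XSS in a filter field.
    return (f'<input name="filter" value="{value}">'
            f"<p>Showing results for {value}</p>")


def render_escaped(value: str) -> str:
    # Escape at the point of output for the HTML context being written.
    # quote=True also encodes " and ', which is what keeps the attribute closed;
    # it is the equivalent of PHP's htmlspecialchars() with ENT_QUOTES.
    safe = html.escape(value, quote=True)
    return (f'<input name="filter" value="{safe}">'
            f"<p>Showing results for {safe}</p>")


def attribute_intact(markup: str) -> bool:
    """True if the rendered input still has exactly one value attribute and the
    tag closes right after it, i.e. nothing was injected into the tag."""
    return re.match(r'<input name="filter" value="[^"]*"><p>', markup) is not None


def contains_live_script(markup: str) -> bool:
    """True if an unescaped <script> tag survived into the markup."""
    return "<script>" in markup


if __name__ == "__main__":
    print("vulnerable, tag payload:", render_vulnerable(TAG_PAYLOAD))
    print("cleaned on input only:  ", render_vulnerable(strip_tags(ATTR_PAYLOAD)))
    print("escaped on output:      ", render_escaped(ATTR_PAYLOAD))
```

The second print is the instructive one: the attribute payload contains no tag, so a tag-stripping cleaner passes it through unchanged and the input element still ends up with an injected event handler. Only escaping chosen for the output context closes that hole, which is why the fixes above add sanitizing at the point where the value is written to the page.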

MSA-20-0007: Vulnerable JavaScript libraries: jQuery 1.9.1 (upstream)

per Michael Hawkins -

The jQuery version bundled with the H5P library was affected by a prototype pollution vulnerability (CVE-2019-11358); it has been updated to a patched version.


Severity/Risk: Minor
Versions affected: 3.8 to 3.8.3
Versions fixed: 3.8.4 and 3.9
Reported by: weblendweb
CVE identifier: CVE-2019-11358
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68704
Tracker issue: MDL-68704 Vulnerable JavaScript libraries: jQuery 1.9.1 (upstream)

MSA-20-0006: Remote code execution possible via SCORM packages

per Michael Hawkins -

It was possible to create a SCORM package in such a way that when added to a course, it could be interacted with via web services in order to achieve remote code execution.


Severity/Risk: Serious
Versions affected: 3.8 to 3.8.2, 3.7 to 3.7.5, 3.6 to 3.6.9, 3.5 to 3.5.11 and earlier unsupported versions
Versions fixed: 3.8.3, 3.7.6, 3.6.10 and 3.5.12
Reported by: Paul Holden
Workaround: Disable the 'SCORM package' activity type until the patch is applied.
CVE identifier: CVE-2020-10738
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68410
Tracker issue: MDL-68410 Remote code execution possible via SCORM packages