Security announcements

MSA-16-0008: External function get_calendar_events returns events that pertain to hidden activities

by Marina Glancy -
Description: Users without the capability to view hidden activities could still see the associated calendar events via web services
Issue summary: External function get_calendar_events returns events that pertain to hidden activities
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Juan Leyva
Issue no.: MDL-52808
CVE identifier: CVE-2016-2156
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52808

MSA-16-0007: Non-Editing Instructor role can edit exclude checkbox in Single View

by Marina Glancy -
Description: An incorrect capability check in the Single View grade report could give a teacher permissions beyond those of their role
Issue summary: Non-Editing Instructor role can edit exclude checkbox in Single View
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10
Versions fixed: 3.0.3, 2.9.5 and 2.8.11
Reported by: Mark McKay
Issue no.: MDL-52378
CVE identifier: CVE-2016-2155
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52378

MSA-16-0006: Hidden courses are shown to students in Event Monitor

by Marina Glancy -
Description: Users without the capability to view hidden courses, but with the capability to subscribe to Event Monitor rules, could see the names of hidden courses
Issue summary: Hidden courses are shown to students in Event Monitor
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10
Versions fixed: 3.0.3, 2.9.5 and 2.8.11
Reported by: Roger
Issue no.: MDL-51167
Workaround: Revoke the capability to subscribe to Event Monitor rules from regular users
CVE identifier: CVE-2016-2154
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51167

MSA-16-0005: Reflected XSS in mod_data advanced search

by Marina Glancy -
Description: A user with higher permissions could be tricked into clicking a link, resulting in an XSS attack
Issue summary: Reflected XSS in mod_data advanced search
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Ian Song
Issue no.: MDL-52727
Workaround: Educate staff to always use only modern browsers that block such attacks by default
CVE identifier: CVE-2016-2153
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52727

MSA-16-0004: XSS from profile fields from external db

by Marina Glancy -
Description: Moodle traditionally trusted content from an external database. It was decided that external data sources may not be aware of web security practices, and that such data could cause problems (e.g. XSS) after being imported into Moodle
Issue summary: XSS from profile fields from external db
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Jay Knight
Issue no.: MDL-50705
CVE identifier: CVE-2016-2152
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50705

MSA-16-0003: Incorrect capability check when displaying users emails in Participants list

by Marina Glancy -
Description: Teachers who were not supposed to see students' email addresses could see them in the participants list
Issue summary: Incorrect capability check when displaying users emails in Participants list
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Matt Jenner
Issue no.: MDL-52433
CVE identifier: CVE-2016-2151
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52433

MSA-16-0002: XSS Vulnerability in course management search

by Marina Glancy -
Description: The search string in the course management interface was not escaped when output, creating the potential for an XSS attack
Issue summary: XSS Vulnerability in course management search
Severity/Risk: Serious
Versions affected: 3.0 to 3.0.1, 2.9 to 2.9.3 and 2.8 to 2.8.9
Versions fixed: 3.0.2, 2.9.4 and 2.8.10
Reported by: Oliveira Lima
Issue no.: MDL-52552
CVE identifier: CVE-2016-0725
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52552
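The three XSS advisories above (MSA-16-0002, MSA-16-0005 and MSA-16-0004) share one rule: every untrusted value is escaped at the point where it is written into HTML, whether it arrived in the request or was imported from an external database. The following is an added example, not Moodle's own code or the actual fix. Moodle's escaping helper is s(), which wraps htmlspecialchars(); the esc() function here is a stand-alone stand-in so the file runs without Moodle, and the payloads are constructed test input.

```php
<?php
// Added example, not Moodle's own code. Shows the escape-on-output rule behind
// MSA-16-0002 and MSA-16-0005 (search strings echoed back unescaped) and
// MSA-16-0004 (profile fields imported from an external database). Moodle's s()
// wraps htmlspecialchars(); esc() below is a stand-alone stand-in so this file
// runs without Moodle. All payloads are constructed test input.

declare(strict_types=1);

/** Stand-in for Moodle's s(): escape a value for an HTML text or quoted-attribute context. */
function esc(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the request parameter is written into the page verbatim. */
function render_search_vulnerable(string $search): string {
    return '<input type="text" name="search" value="' . $search . '">'
         . '<p>Results for: ' . $search . '</p>';
}

/** Hardened pattern: the same template, with every untrusted value escaped at output. */
function render_search_hardened(string $search): string {
    return '<input type="text" name="search" value="' . esc($search) . '">'
         . '<p>Results for: ' . esc($search) . '</p>';
}

/**
 * MSA-16-0004 pattern: a value that came from an external datasource is still
 * untrusted. Whatever cleaning happens on import, the display code escapes it
 * again; "it came from our own database" is not a reason to skip esc().
 */
function render_profile_field(string $label, string $value_from_external_db): string {
    return '<dt>' . esc($label) . '</dt><dd>' . esc($value_from_external_db) . '</dd>';
}

/** True when the rendered markup still carries the payload byte-for-byte, i.e. nothing was escaped. */
function payload_survives(string $html, string $payload): bool {
    return strpos($html, $payload) !== false;
}

// Constructed payloads: one breaks out of the value="" attribute, one injects a tag in text context.
$attribute_breakout = '" autofocus onfocus="alert(document.domain)';
$text_injection     = '<script>alert(1)</script>';

foreach ([$attribute_breakout, $text_injection] as $payload) {
    $bad  = render_search_vulnerable($payload);
    $good = render_search_hardened($payload);
    printf("payload survives? vulnerable=%s hardened=%s\n",
        payload_survives($bad, $payload) ? 'yes' : 'no',
        payload_survives($good, $payload) ? 'yes' : 'no');
}
echo render_profile_field('Department', '<img src=x onerror=alert(1)>'), "\n";
```

The attribute-breakout payload matters because escaping only `<` and `>` would still let a quote close the value="" attribute; ENT_QUOTES covers that. On the MSA-16-0005 workaround: browser-side reflected-XSS filters were never a complete control and have since been removed from the major browsers, so server-side output escaping is the fix, not a browser policy.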

MSA-16-0001: Two enrolment-related web services don't check course visibility

by Marina Glancy -
Description: The web services core_enrol_get_course_enrolment_methods and enrol_self_get_instance_info did not check the user's permission to access hidden courses
Issue summary: External functions core_enrol_get_course_enrolment_methods and enrol_self_get_instance_info don't check course visibility
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.1, 2.9 to 2.9.3, 2.8 to 2.8.9, 2.7 to 2.7.11 and earlier unsupported versions
Versions fixed: 3.0.2, 2.9.4, 2.8.10 and 2.7.12
Reported by: Juan Leyva
Issue no.: MDL-52072
CVE identifier: CVE-2016-0724
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52072
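MSA-16-0001, MSA-16-0006 and MSA-16-0008 are all the same bug class: a code path other than the normal web UI (an external function, the Event Monitor rule list) returned data about hidden courses or hidden activities without repeating the visibility decision the UI makes. The following is an added example, not Moodle's own code or the actual fix. It models the rule with constructed course, module and event records; the capability names moodle/course:viewhiddencourses and moodle/course:viewhiddenactivities are real Moodle capabilities, but the capability lookup is injected as a callable over a constructed grant table so the file runs without Moodle (in Moodle it would be has_capability($cap, context_course::instance($course->id))).

```php
<?php
// Added example, not Moodle's own code. Models the rule that the MSA-16-0001,
// MSA-16-0006 and MSA-16-0008 fixes apply: an external function must make the
// same visibility decision the web UI makes. A hidden course (visible = 0) is
// disclosed only to a user holding moodle/course:viewhiddencourses in that course,
// and a hidden activity (course module with visible = 0) only to a user holding
// moodle/course:viewhiddenactivities. In Moodle the capability test is
// has_capability($cap, context_course::instance($course->id)); here it is
// injected as a callable over a constructed grant table so the file runs alone.

declare(strict_types=1);

/** May $userid learn that $course exists? */
function can_see_course(object $course, int $userid, callable $has_capability): bool {
    if ((int) $course->visible === 1) {
        return true;
    }
    return $has_capability('moodle/course:viewhiddencourses', (int) $course->id, $userid);
}

/** May $userid see activity $cm? The course itself must be visible to them first. */
function can_see_activity(object $cm, object $course, int $userid, callable $has_capability): bool {
    if (!can_see_course($course, $userid, $has_capability)) {
        return false;
    }
    if ((int) $cm->visible === 1) {
        return true;
    }
    return $has_capability('moodle/course:viewhiddenactivities', (int) $course->id, $userid);
}

/**
 * The shape of the MSA-16-0008 fix: filter the event list by the visibility of
 * the module each event belongs to, before the list leaves the external function.
 */
function filter_events(array $events, array $cms, array $courses, int $userid, callable $has_capability): array {
    $kept = [];
    foreach ($events as $event) {
        $cm = $cms[$event->cmid];
        $course = $courses[$cm->course];
        if (can_see_activity($cm, $course, $userid, $has_capability)) {
            $kept[] = $event;
        }
    }
    return $kept;
}

// Constructed data. Course 12 is hidden; module 200 is a hidden activity in visible course 11.
$courses = [
    11 => (object) ['id' => 11, 'shortname' => 'PUB101', 'visible' => 1],
    12 => (object) ['id' => 12, 'shortname' => 'DRAFT2', 'visible' => 0],
];
$cms = [
    100 => (object) ['id' => 100, 'course' => 11, 'visible' => 1],
    200 => (object) ['id' => 200, 'course' => 11, 'visible' => 0],
    300 => (object) ['id' => 300, 'course' => 12, 'visible' => 1],
];
$events = [
    (object) ['name' => 'Quiz 1 due',            'cmid' => 100],
    (object) ['name' => 'Secret exam due',       'cmid' => 200],
    (object) ['name' => 'Draft course kick-off', 'cmid' => 300],
];
// userid => courseid => capabilities held there. User 1 is a student, user 2 a teacher.
$grants = [
    2 => [11 => ['moodle/course:viewhiddenactivities'], 12 => ['moodle/course:viewhiddencourses']],
];
$has_capability = function (string $cap, int $courseid, int $userid) use ($grants): bool {
    return in_array($cap, $grants[$userid][$courseid] ?? [], true);
};

foreach ([1, 2] as $userid) {
    $visible = filter_events($events, $cms, $courses, $userid, $has_capability);
    $names = array_map(function ($e) { return $e->name; }, $visible);
    echo "user $userid sees: " . implode(', ', $names) . "\n";
}
```

Two points a reviewer of an external function would check: the filter is applied to the data actually returned (names, dates, enrolment methods), not just to whether the call is allowed at all, and a hidden activity inside a visible course is a separate decision from a hidden course, so both checks are needed. The MSA-16-0006 workaround (revoking the subscribe capability) is the interim control for the same class of omission until the code path repeats this check.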

MSA-15-0046: Choice module closing date can be bypassed

by Marina Glancy -
Description: Users could craft a URL to delete or submit new responses after the choice activity had closed
Issue summary: Users can delete and submit new responses even when the choice is closed
Severity/Risk: Minor
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Juan Leyva
Issue no.: MDL-51569
CVE identifier: CVE-2015-5342
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51569

MSA-15-0045: SCORM module allows date-based access restrictions to be bypassed

by Marina Glancy -
Description: Incorrect and missing handling of availability dates in mod_scorm let users view the SCORM contents, bypassing the date restriction
Issue summary: Incorrect and missing handling of availability dates in mod_scorm let users view the SCORM contents, bypassing the date restriction
Severity/Risk: Minor
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Juan Leyva
Issue no.: MDL-50837
CVE identifier: CVE-2015-5341
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50837
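MSA-15-0046 and MSA-15-0045 share a root cause: the open/close window was enforced where the page was rendered (the submit button simply disappeared) but not, or not correctly, in the code that processed the action, so a user who re-sent the form URL after the deadline still got through. The following is an added example, not Moodle's own code or the actual fix. The field names timeopen/timeclose and the convention that 0 means "no restriction" follow mod_choice; the handler, the action names and the boundary choice (closed from timeclose onward) are this example's own, and the activity record is constructed.

```php
<?php
// Added example, not Moodle's own code. MSA-15-0046 (choice) and MSA-15-0045 (SCORM)
// share a root cause: the open/close window was enforced when the page was rendered
// but not when the action itself was processed, so a replayed form URL after the
// deadline still went through. The window check below lives in the action handler.
// Field names timeopen/timeclose and "0 means no restriction" follow mod_choice;
// the boundary handling (closed from timeclose onward) and the handler itself are
// this example's own. All data is constructed.

declare(strict_types=1);

/** Is the activity open at $now? 0 in either field disables that side of the window. */
function is_open(int $timeopen, int $timeclose, int $now): bool {
    if ($timeopen !== 0 && $now < $timeopen) {
        return false;                    // not yet open
    }
    if ($timeclose !== 0 && $now >= $timeclose) {
        return false;                    // already closed
    }
    return true;
}

/**
 * Server-side handler for "submit" and "delete". The window check here is the one
 * the vulnerable code omitted; whether the UI offered the button is irrelevant,
 * and it guards the delete path as well as the submit path.
 * $responses is userid => optionid. Returns a status string.
 */
function handle_action(object $choice, string $action, int $userid, ?int $optionid, int $now, array &$responses): string {
    if (!is_open((int) $choice->timeopen, (int) $choice->timeclose, $now)) {
        return 'rejected: choice is closed';
    }
    switch ($action) {
        case 'submit':
            if ($optionid === null || !in_array($optionid, $choice->options, true)) {
                return 'rejected: invalid option';
            }
            $responses[$userid] = $optionid;
            return 'ok: response recorded';
        case 'delete':
            unset($responses[$userid]);
            return 'ok: response deleted';
        default:
            return 'rejected: unknown action';
    }
}

// Constructed activity: opens at t=1000, closes at t=2000, options 1..3.
$choice = (object) ['timeopen' => 1000, 'timeclose' => 2000, 'options' => [1, 2, 3]];
$responses = [];

echo handle_action($choice, 'submit', 7, 2, 1500, $responses), "\n";    // inside the window
echo handle_action($choice, 'submit', 7, 3, 2500, $responses), "\n";    // replayed after close
echo handle_action($choice, 'delete', 7, null, 2500, $responses), "\n"; // delete after close
echo 'stored response for user 7: ' . ($responses[7] ?? 'none') . "\n";
```

The practitioner's check for this bug class is to trace every state-changing or content-serving entry point (submit, delete, and for SCORM the path that actually serves the package contents, not only the launch page) and confirm the same window test runs there, independently of what the rendering code decided to show.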