Security announcements

MSA-15-0044: Capability to view available badges is not respected

by Marina Glancy -
Description: Logged-in users who do not have the capability 'View available badges without earning them' can still access the full list of badges
Issue summary: Capability moodle/badges:viewbadges is not respected
Severity/Risk: Minor
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Marina Glancy
Issue no.: MDL-51684
CVE identifier: CVE-2015-5340
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51684

MSA-15-0043: Web service core_enrol_get_enrolled_users does not respect course group mode

by Marina Glancy -
Description: Through the web service core_enrol_get_enrolled_users it is possible to retrieve the list of course participants who would not be visible when using the web site
Issue summary: core_enrol_get_enrolled_users returns all participants even when the course is in separate groups mode
Severity/Risk: Minor
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Daniel Palou
Issue no.: MDL-51861
CVE identifier: CVE-2015-5339
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51861

MSA-15-0042: CSRF in lesson login form

by Marina Glancy -
Description: Password-protected lesson modules are subject to a CSRF vulnerability
Issue summary: CSRF in lesson login form
Severity/Risk: Minor
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Ankit Agarwal
Issue no.: MDL-48109
CVE identifier: CVE-2015-5338
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48109

MSA-15-0041: XSS in flash video player

by Marina Glancy -
Description: A reflected XSS vulnerability in the bundled Flowplayer Flash video player has been addressed
Issue summary: Flowplayer Reflected XSS
Severity/Risk: Serious
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Andrew Nicols
Issue no.: MDL-48085
Workaround: Use the HTML5 version of the player in the media filter settings
CVE identifier: CVE-2015-5337
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48085

MSA-15-0040: Student XSS in survey

by Marina Glancy -
Description: The standard survey module is vulnerable to an XSS attack by students who fill in the survey
Issue summary: Student XSS in survey
Severity/Risk: Minor
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Hugh Davenport
Issue no.: MDL-49940
CVE identifier: CVE-2015-5336
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49940

MSA-15-0039: CSRF in site registration form

by Marina Glancy -
Description: An attacker can send an admin a link to the site registration form that displays the correct URL but, if submitted, registers the site with another hub
Issue summary: It is possible to trick a site admin into sending aggregate stats to an arbitrary domain
Severity/Risk: Minor
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Andrew Davis
Issue no.: MDL-51091
CVE identifier: CVE-2015-5335
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51091
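The two CSRF entries above (MSA-15-0042, the lesson login form, and MSA-15-0039, the site registration form) share one root cause: a state-changing form handler that does not verify a per-session token before acting. The following is an added illustration of that check, written for this page in Python; it is not Moodle's code (Moodle's own mechanism is the per-session sesskey verified by require_sesskey()). The Session, Request, vulnerable_register and hardened_register names, the "registration" action, the hub URLs and the sample session are all constructed for the example, and the registration handler is used only because its impact (the site ends up registered with an attacker-chosen hub) is the easier one to show.

```python
"""Per-session anti-CSRF token check (Moodle calls its token the 'sesskey').

Constructed illustration, not Moodle's code: Session, Request and the two
handlers are stand-ins for the framework objects, and the hub URLs are made up.
"""
import hmac
import secrets
from dataclasses import dataclass, field


class CsrfError(Exception):
    """Raised when a state-changing request fails the token check."""


@dataclass
class Session:
    user_id: int
    # Random per-login token; a third-party site cannot read or guess it.
    sesskey: str = field(default_factory=lambda: secrets.token_urlsafe(16))


@dataclass
class Request:
    method: str
    params: dict       # form fields and query-string parameters, merged
    session: Session   # the session the browser's cookie resolved to


def render_form(session: Session, action: str) -> dict:
    """Fields the server puts in its own form: the token rides along as a hidden field."""
    return {"action": action, "sesskey": session.sesskey}


def require_sesskey(request: Request) -> None:
    """Reject a request whose token does not match the session's token.

    compare_digest keeps the comparison constant-time; a plain == would leak
    how many leading characters of the token were right.
    """
    supplied = request.params.get("sesskey", "")
    expected = request.session.sesskey
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        raise CsrfError("sesskey missing or wrong")


def vulnerable_register(request: Request, registry: dict) -> str:
    """Before-fix shape: registers with whatever hub URL the request names.

    A form on the attacker's page can submit this with the victim admin's
    cookie attached, so the site ends up registered with the attacker's hub.
    """
    registry["hub"] = request.params["huburl"]
    return registry["hub"]


def hardened_register(request: Request, registry: dict) -> str:
    """Fixed shape: only a POST carrying the session's token may change state."""
    if request.method != "POST":
        raise CsrfError("registration must be submitted, not followed as a link")
    require_sesskey(request)
    registry["hub"] = request.params["huburl"]
    return registry["hub"]


def outcome(handler, request: Request, registry: dict) -> str:
    """Run a handler and report either the resulting hub URL or 'rejected'."""
    try:
        return handler(request, registry)
    except CsrfError:
        return "rejected"


if __name__ == "__main__":
    admin = Session(user_id=2)
    registry = {"hub": "https://hub.example"}   # constructed current registration
    # Forged cross-site request: the browser attaches the admin's session cookie,
    # but the attacker's page cannot read the sesskey, so it is absent.
    forged = Request("POST", {"huburl": "https://attacker.example"}, admin)
    print("vulnerable:", outcome(vulnerable_register, forged, dict(registry)))  # https://attacker.example
    print("hardened:  ", outcome(hardened_register, forged, dict(registry)))    # rejected
    # Genuine submission built from the server-rendered form, token included.
    genuine = Request("POST", {**render_form(admin, "registration"),
                               "huburl": "https://hub.example"}, admin)
    print("genuine:   ", outcome(hardened_register, genuine, dict(registry)))   # https://hub.example
```

Two details matter in practice: the token must be bound to the session (not derived from anything the attacker can predict, such as the user id), and the handler must refuse GET for state changes, otherwise a link carrying the parameters still works once the victim's own browser adds the cookie.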

MSA-15-0038: DDoS possibility in Atto

by Marina Glancy -
Description: If guest access is open on the site, an unauthenticated user can mount a DDoS attack through the editor autosave area
Issue summary: Guests can exploit the Atto draft area to store content
Severity/Risk: Serious
Versions affected: 2.9 to 2.9.2 and 2.8 to 2.8.8
Versions fixed: 2.9.3 and 2.8.9
Reported by: Frédéric Massart
Issue no.: MDL-51000
Workaround: Disable guest access until the fix is applied
CVE identifier: CVE-2015-5332
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51000

MSA-15-0037: Possible to send a message to a user who blocked messages from non contacts

by Marina Glancy -
Description: An insufficient check of the recipient's messaging preferences when messaging another user opens up the possibility of spam
Issue summary: Users who are not in the recipient's contact list can still send messages even though this is blocked in the recipient's preferences
Severity/Risk: Minor
Versions affected: 2.9 to 2.9.2
Versions fixed: 2.9.3
Reported by: Pavel Sokolov
Issue no.: MDL-50426
CVE identifier: CVE-2015-5331
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50426

MSA-15-0036: XSS in grouping description

by Marina Glancy -
Description: The capability to manage groups is not flagged as carrying XSS risk; however, it was possible to add XSS to the grouping description
Issue summary: XSS in grouping description
Severity/Risk: Minor
Versions affected: 2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier unsupported versions
Versions fixed: 2.9.2, 2.8.8 and 2.7.10
Reported by: Marina Glancy
Issue no.: MDL-50709
CVE identifier: CVE-2015-5269
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50709

MSA-15-0035: Rating component does not check separate groups

by Marina Glancy -
Description: When viewing ratings, group access was not properly checked, allowing users from other groups to view ratings
Issue summary: Rating component does not check separate groups
Severity/Risk: Minor
Versions affected: 2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and earlier unsupported versions
Versions fixed: 2.9.2, 2.8.8 and 2.7.10
Reported by: Juan Leyva
Issue no.: MDL-50173
CVE identifier: CVE-2015-5268
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50173