Security announcements

MSA-19-0024: Assigned Role in Cohort did not un-assign on removal

per Michael Hawkins -

When a cohort role assignment was removed, the associated capabilities were not being revoked (where applicable).

Severity/Risk: Minor
Versions affected: 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions
Versions fixed: 3.7.3, 3.6.7 and 3.5.9
Reported by: Yusuf Yilmaz, Mick Cassell
CVE identifier: CVE-2019-14879
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66257
Tracker issue: MDL-66257 Assigned Role in Cohort did not un-assign on removal

MSA-19-0023: Forum subscribe link contained an open redirect if forced subscription mode was enabled

per Michael Hawkins -

If a forum's subscription mode was set to "forced subscription", the forum's subscribe link contained an open redirect.


Severity/Risk: Minor
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Reported by: John Couzins
Workaround: Set a different subscription mode (e.g. optional or auto) on forums until the patch is applied.
CVE identifier: CVE-2019-14831
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-55451
Tracker issue: MDL-55451 Forum subscribe link contained an open redirect if forced subscription mode was enabled

MSA-19-0022: Open redirect in the mobile launch endpoint could be used to expose mobile access tokens

per Michael Hawkins -

The mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app").


Severity/Risk: Serious
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Reported by: Frederik Schou Schmidt
Workaround: Configure the "Forced URL scheme" (forcedurlscheme) option in site administration to either the app's custom URL scheme, or "moodlemobile" for sites using the standard Moodle app. Alternative workaround options include disabling mobile service (enablemobilewebservice), or changing the mobile app login method (typeoflogin) to "via the app" if possible (instead of via SSO plugin) until the patch is applied.
CVE identifier: CVE-2019-14830
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66501
Tracker issue: MDL-66501 Open redirect in the mobile launch endpoint could be used to expose mobile access tokens

MSA-19-0021: Activity :addinstance capabilities were not respected when creating a course in single activity format

per Michael Hawkins -

Activity creation capabilities were not correctly respected when selecting the activity to use for a course in single activity mode.


Severity/Risk: Minor
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Reported by: Andrew Nicols
CVE identifier: CVE-2019-14829
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66187
Tracker issue: MDL-66187 Activity :addinstance capabilities were not respected when creating a course in single activity format

MSA-19-0020: Python Machine Learning dependency versions bumped

per Michael Hawkins -

The analytics Python Machine Learning backend has received some security fixes, resulting in the required PIP package version being increased. (Note: Sites using the PHP ML backend, or not using analytics, are not affected.)


Severity/Risk: Minor
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Reported by: David Monllaó
CVE identifier: N/A
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66069
Tracker issue: MDL-66069 Python Machine Learning dependency versions bumped

MSA-19-0019: Course creation did not check the creator's role assignment capability before automatically assigning them as a teacher in the course

per Michael Hawkins -

Users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role.


Severity/Risk: Minor
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Reported by: Andrew Nicols
CVE identifier: CVE-2019-14828
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66181
Tracker issue: MDL-66181 Course creation did not check the creator's role assignment capability before automatically assigning them as a teacher in the course

MSA-19-0018: JavaScript injection possible in some Mustache templates via recursive rendering from contexts

per Michael Hawkins -

Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates.


Severity/Risk: Serious
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Reported by: Sam Hemelryk, Andrew Nicols
CVE identifier: CVE-2019-14827
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62284
Tracker issue: MDL-62284 JavaScript injection possible in some Mustache templates via recursive rendering from contexts

MSA-19-0017: Upgrade TCPDF library for PHP 7.3 and bug fixes (upstream)

per Michael Hawkins -

The third-party TCPDF library used by Moodle required updating to incorporate upstream bug fixes, including a security fix (see the CVE for more details).


Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: Dan Marsden
CVE identifier: CVE-2018-17057
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64794
Tracker issue: MDL-64794 Upgrade TCPDF library for PHP 7.3 and bug fixes (upstream)

MSA-19-0016: Assignment group overrides did not observe separate groups mode

per Michael Hawkins -

Teachers in an assignment group could modify group overrides for other groups in the same assignment.


Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: David Monllaó
CVE identifier: CVE-2019-10189
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61114
Tracker issue: MDL-61114 Assignment group overrides did not observe separate groups mode

MSA-19-0015: Quiz group overrides did not observe groups membership or accessallgroups

per Michael Hawkins -

Teachers in a quiz group could modify group overrides for other groups in the same quiz.


Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: Charl Nel
CVE identifier: CVE-2019-10188
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34411
Tracker issue: MDL-34411 Quiz group overrides did not observe groups membership or accessallgroups