Security announcements

MSA-19-0014: Ability to delete glossary entries that belong to another glossary

per Michael Hawkins -

Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access to.


Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: Peter Dias
CVE identifier: CVE-2019-10187
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64623
Tracker issue: MDL-64623 Ability to delete glossary entries that belong to another glossary

MSA-19-0013: Missing sesskey (CSRF) token in loading/unloading XML files

per Michael Hawkins -

A sesskey (CSRF) token was not being utilised by the XML loading/unloading admin tool.


Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: Callum Carney
CVE identifier: CVE-2019-10186
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53689
Tracker issue: MDL-53689 Missing sesskey (CSRF) token in loading/unloading xml files

MSA-19-0012: Private files uploaded via incoming mail processing could bypass quota restrictions

per Michael Hawkins -

The size of users' private file uploads via email was not correctly checked, so their quota allowance could be exceeded.


Severity/Risk: Minor
Versions affected: 3.6 to 3.6.3, 3.5 to 3.5.5, 3.4 to 3.4.8, 3.1 to 3.1.17 and earlier unsupported versions
Versions fixed: 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18
Reported by: Guillermo Leon Alvarez Salamanca
Workaround: Disable the "Email to Private files" message handler until the fix is applied. This is disabled by default in Moodle.
CVE identifier: CVE-2019-10134
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61738
Tracker issue: MDL-61738 Private files uploaded via incoming mail processing could bypass quota restrictions

MSA-19-0011: Open redirect in upload cohorts page

per Michael Hawkins -

The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.


Severity/Risk: Minor
Versions affected: 3.6 to 3.6.3, 3.5 to 3.5.5, 3.4 to 3.4.8, 3.1 to 3.1.17 and earlier unsupported versions
Versions fixed: 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18
Reported by: Lindon Wass
CVE identifier: CVE-2019-10133
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64708
Tracker issue: MDL-64708 Open redirect in upload cohorts page

MSA-19-0010: All messaging conversations could be viewed

per Michael Hawkins -

A web service fetching messages was not restricted to the current user's conversations.


Severity/Risk: Serious
Versions affected: 3.6 to 3.6.3
Versions fixed: 3.7, 3.6.4
Reported by: Mazen Gamal
Workaround: Disable the messaging system until the fix is applied.
CVE identifier: CVE-2019-10154
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-65365
Tracker issue: MDL-65365 All messaging conversations could be viewed

(Edited 11 June 2019 to update the CVE identifier.)

MSA-19-0009: get_with_capability_join/get_users_by_capability not aware of context freezing

per Michael Hawkins -

get_with_capability_join and get_users_by_capability were not taking context freezing into account when checking user capabilities.


Severity/Risk: Minor
Versions affected: 3.6 to 3.6.2
Versions fixed: 3.6.3
Reported by: Andrew Nicols
CVE identifier: CVE-2019-3852
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64410
Tracker issue: MDL-64410 get_with_capability_join/get_users_by_capability not aware of context freezing

MSA-19-0008: Secure layout contained an insecure link in Boost theme

per Michael Hawkins -

There was a link to the site home within the Boost theme's secure layout, meaning students could navigate out of the page.


Severity/Risk: Minor
Versions affected: 3.6 to 3.6.2 and 3.5 to 3.5.4
Versions fixed: 3.6.3 and 3.5.5
Reported by: Martin von Löwis and Luca Bösch
CVE identifier: CVE-2019-3851
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64706
Tracker issue: MDL-64706 Secure layout contained an insecure link in Boost theme

MSA-19-0007: Stored HTML in assignment submission comments allowed links to be opened directly

per Michael Hawkins -

Links within assignment submission comments would open directly (in the same window). Although links themselves may be valid, opening within the same window and without the no-referrer header policy made them more susceptible to exploits.


Severity/Risk: Minor
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4, 3.4 to 3.4.7, 3.1 to 3.1.16 and earlier unsupported versions
Versions fixed: 3.6.3, 3.5.5, 3.4.8 and 3.1.17
Reported by: Steeven George
CVE identifier: CVE-2019-3850
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64651
Tracker issue: MDL-64651 Stored HTML in assignment submission comments allowed links to be opened directly

MSA-19-0006: Users could elevate their role when accessing the LTI tool on a provider site

per Michael Hawkins -

Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site.


Severity/Risk: Serious
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4, 3.4 to 3.4.7 and earlier unsupported versions
Versions fixed: 3.6.3, 3.5.5 and 3.4.8
Reported by: Brendan Cox
CVE identifier: CVE-2019-3849
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62702
Tracker issue: MDL-62702 Users could elevate their role when accessing the LTI tool on a provider site

MSA-19-0005: Logged in users could view all calendar events

per Michael Hawkins -

Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged-in non-guest users could view unauthorised calendar events. (Note: this was read-only access; users could not edit the events.)


Severity/Risk: Serious
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4 and 3.4 to 3.4.7
Versions fixed: 3.6.3, 3.5.5 and 3.4.8
Reported by: Juan Leyva
CVE identifier: CVE-2019-3848
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64830
Tracker issue: MDL-64830 Logged in users could view all calendar events