Security announcements

MSA-20-0017: Privilege escalation within a course when restoring role overrides

by Michael Hawkins -

Insufficient capability checks could allow users with the ability to restore a course to add capabilities to roles within that course.


Severity/Risk: Minor
Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions
Versions fixed: 3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15
Reported by: Matt Petro
CVE identifier: CVE-2020-25699
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56310
Tracker issue: MDL-56310 Privilege escalation within a course when restoring role overrides

MSA-20-0016: Teacher is able to unenrol users without permission using course restore

by Michael Hawkins -

Users' enrolment capabilities were not sufficiently checked when they restored a backup into an existing course, which could allow them to unenrol users without having permission to do so.


Severity/Risk: Minor
Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions
Versions fixed: 3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15
Reported by: Roman Sevostyanov
CVE identifier: CVE-2020-25698
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-67837
Tracker issue: MDL-67837 Teacher is able to unenrol users without permission using course restore

MSA-20-0015: Chapter name in book not always escaped with forceclean enabled

by Michael Hawkins -

It was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page.

Note: By default this functionality is only available to trusted users (such as teachers), but has been included as a security issue as a precaution, since it was not sanitized on sites with forceclean enabled.


Severity/Risk: Minor
Versions affected: 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7
Versions fixed: 3.9.2, 3.8.5 and 3.7.8
Reported by: DegrangeM
CVE identifier: CVE-2020-25631
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69048
Tracker issue: MDL-69048 Chapter name in book not always escaped with forceclean enabled

MSA-20-0014: Denial of service risk in file picker unzip functionality

by Michael Hawkins -

The decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk.


Severity/Risk: Serious
Versions affected: 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions
Versions fixed: 3.9.2, 3.8.5, 3.7.8 and 3.5.14
Reported by: Ivan Novichkov
CVE identifier: CVE-2020-25630
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-65115
Tracker issue: MDL-65115 Denial of service risk in file picker unzip functionality
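
The check that MSA-20-0014 describes as missing, written out as an added example (not Moodle's code, and not the patch referenced above): before inflating a user-supplied archive, compare its declared decompressed size with the user's remaining quota, and then keep counting while inflating, because the sizes in the central directory are attacker-controlled. The archive, the quota values and the in-memory extraction are constructed for the example.

```python
import io
import zipfile
from typing import Dict


class QuotaExceeded(Exception):
    """Raised when an archive would push the user over their remaining quota."""


def build_sample_zip(uncompressed_bytes: int = 10 * 1024 * 1024) -> bytes:
    # Constructed sample input: one entry of zeros, roughly 1000:1 compressible,
    # so the archive itself is small while its decompressed size is large.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("big.bin", b"\0" * uncompressed_bytes)
    return buf.getvalue()


def declared_size(zip_bytes: bytes) -> int:
    """Sum of the uncompressed sizes recorded in the central directory."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sum(info.file_size for info in zf.infolist())


def safe_unzip(zip_bytes: bytes, quota_remaining: int, chunk: int = 64 * 1024) -> Dict[str, int]:
    """Extract (here: into memory) only if the archive fits the remaining quota.

    Two layers: reject cheaply on the declared sizes first, then count the bytes
    actually produced while inflating, because the central directory is attacker
    controlled and may under-report. Returns {entry name: bytes written}.
    """
    if declared_size(zip_bytes) > quota_remaining:
        raise QuotaExceeded("declared decompressed size exceeds remaining quota")
    written_total = 0
    written: Dict[str, int] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            size = 0
            with zf.open(info) as fh:
                while True:
                    data = fh.read(chunk)
                    if not data:
                        break
                    size += len(data)
                    written_total += len(data)
                    if written_total > quota_remaining:
                        # Abort mid-stream; nothing further is inflated.
                        raise QuotaExceeded(f"quota exceeded while inflating {info.filename}")
            written[info.filename] = size
    return written


if __name__ == "__main__":
    sample = build_sample_zip()
    print(f"archive bytes: {len(sample)}, declared decompressed: {declared_size(sample)}")
    try:
        safe_unzip(sample, quota_remaining=1024 * 1024)
    except QuotaExceeded as exc:
        print("rejected:", exc)
    print(safe_unzip(sample, quota_remaining=16 * 1024 * 1024))
```

The first check is cheap and catches honest archives that are simply too big; the second is what protects against an archive whose headers lie, since the counter is driven by the bytes the inflater actually emits.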

MSA-20-0013: "Log in as" capability in a course context may lead to some privilege escalation

by Michael Hawkins -

Users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager.


Severity/Risk: Minor
Versions affected: 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions
Versions fixed: 3.9.2, 3.8.5, 3.7.8 and 3.5.14
Reported by: Florence Thiard
Workaround: Remove the "Login as other users" capability from the manager role until the patch is applied.
CVE identifier: CVE-2020-25629
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68974
Tracker issue: MDL-68974 "Log in as" capability in a course context may lead to some privilege escalation

MSA-20-0012: Reflected XSS in tag manager

by Michael Hawkins -

The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk.


Severity/Risk: Serious
Versions affected: 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions
Versions fixed: 3.9.2, 3.8.5, 3.7.8 and 3.5.14
Reported by: Luuk Verhoeven
CVE identifier: CVE-2020-25628
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69340
Tracker issue: MDL-69340 Reflected XSS in tag manager

MSA-20-0011: Stored XSS via moodlenetprofile parameter in user profile

by Michael Hawkins -

The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk.


Severity/Risk: Serious
Versions affected: 3.9 to 3.9.1
Versions fixed: 3.9.2
Reported by: Kien Hoang
CVE identifier: CVE-2020-25627
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69240
Tracker issue: MDL-69240 Stored XSS via moodlenetprofile parameter in user profile

MSA-20-0010: yui_combo should mitigate denial of service risk

by Michael Hawkins -

yui_combo needed to limit the number of files it can load in one request to help mitigate the risk of denial of service.


Severity/Risk: Serious
Versions affected: 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12 and earlier unsupported versions
Versions fixed: 3.9.1, 3.8.4, 3.7.7 and 3.5.13
Reported by: Yuri Zwaig
CVE identifier: CVE-2020-14322
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68426
Tracker issue: MDL-68426 yui_combo should mitigate denial of service risk

MSA-20-0009: Course enrolments allowed privilege escalation from teacher role into manager role

by Michael Hawkins -

Teachers of a course were able to assign themselves the manager role within that course.


Severity/Risk: Serious
Versions affected: 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12 and earlier unsupported versions
Versions fixed: 3.9.1, 3.8.4, 3.7.7 and 3.5.13
Reported by: Kien Hoang
CVE identifier: CVE-2020-14321
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69093
Tracker issue: MDL-69093 Course enrolments allowed privilege escalation from teacher role into manager role
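
MSA-20-0009 and MSA-20-0017 share a shape: an action was reachable by a user (enrolling, restoring) and the code applied whatever the user asked for without checking that the user was allowed that specific outcome (assigning a more powerful role, adding capabilities to a role via restored overrides). The following is an added illustration of the missing checks, not Moodle's access library or the fixes linked above; the role names, capability names and the allow-assign matrix are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set

# Illustrative model only. ALLOW_ASSIGN says which roles a holder of each role may
# hand out; CAPABILITIES lists the capabilities each role carries in a course.
ALLOW_ASSIGN: Dict[str, FrozenSet[str]] = {
    "manager": frozenset({"manager", "teacher", "student"}),
    "teacher": frozenset({"student"}),
    "student": frozenset(),
}
CAPABILITIES: Dict[str, FrozenSet[str]] = {
    "manager": frozenset({"course:restore", "role:assign", "role:override"}),
    "teacher": frozenset({"course:restore", "role:assign"}),
    "student": frozenset(),
}


@dataclass
class CourseContext:
    assignments: Dict[str, Set[str]] = field(default_factory=dict)  # user -> roles
    overrides: Dict[str, Set[str]] = field(default_factory=dict)    # role -> added capabilities

    def roles_of(self, user: str) -> Set[str]:
        return self.assignments.get(user, set())

    def has_capability(self, user: str, cap: str) -> bool:
        return any(cap in CAPABILITIES[r] for r in self.roles_of(user))


def assign_role_unchecked(ctx: CourseContext, actor: str, target: str, role: str) -> None:
    """Vulnerable shape: reaching the enrolment page is treated as permission to hand out any role."""
    ctx.assignments.setdefault(target, set()).add(role)


def assign_role(ctx: CourseContext, actor: str, target: str, role: str) -> None:
    """Hardened: the actor needs role:assign here, and one of the actor's own roles
    must be allowed to assign the requested role. A teacher therefore cannot make
    anyone (including themselves) a manager."""
    if not ctx.has_capability(actor, "role:assign"):
        raise PermissionError(f"{actor} lacks role:assign in this course")
    if not any(role in ALLOW_ASSIGN[r] for r in ctx.roles_of(actor)):
        raise PermissionError(f"{actor} may not assign the {role} role")
    ctx.assignments.setdefault(target, set()).add(role)


def restore_overrides(ctx: CourseContext, actor: str, backup_overrides: Dict[str, Set[str]]) -> None:
    """Role overrides inside a backup are data the actor supplied. Applying them is an
    override operation, so it must be gated by role:override, not merely course:restore."""
    if not ctx.has_capability(actor, "course:restore"):
        raise PermissionError(f"{actor} cannot restore into this course")
    if not ctx.has_capability(actor, "role:override"):
        raise PermissionError(f"{actor} lacks role:override; refusing to apply overrides")
    for role, caps in backup_overrides.items():
        ctx.overrides.setdefault(role, set()).update(caps)


if __name__ == "__main__":
    course = CourseContext(assignments={"alice": {"teacher"}})
    for fn in (assign_role_unchecked, assign_role):
        try:
            fn(course, "alice", "alice", "manager")
            print(fn.__name__, "-> alice now has", course.roles_of("alice"))
        except PermissionError as exc:
            print(fn.__name__, "-> refused:", exc)
```

The second check in assign_role is the one that matters for MSA-20-0009: having a capability to assign roles at all is not the same as being allowed to assign every role. For MSA-20-0017 the point is that the restore path must re-run the same authorisation the interactive override page would, since the backup file is just another untrusted input.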

MSA-20-0008: Reflected XSS in admin task logs filter

by Michael Hawkins -

The filter in the admin task log required extra sanitizing to prevent a reflected XSS risk.


Severity/Risk: Serious
Versions affected: 3.9, 3.8 to 3.8.3 and 3.7 to 3.7.6
Versions fixed: 3.9.1, 3.8.4 and 3.7.7
Reported by: Spyridon Chatzimichail
CVE identifier: CVE-2020-14320
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69128
Tracker issue: MDL-69128 Reflected XSS in admin task logs filter
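
Four of the advisories above (MSA-20-0008 and MSA-20-0012, reflected XSS in a filter parameter; MSA-20-0011 and MSA-20-0015, stored XSS in a profile field and a chapter title) come down to the same rule: escape every value at the point it is written into HTML, in the right context, regardless of whether input cleaning such as forceclean ran earlier. The example below is added here and is not Moodle's code or its fix; the page fragments, the parameter name and the attack string are constructed for illustration.

```python
import html
from html.parser import HTMLParser
from typing import Dict, Optional

# Constructed sample input: a value an attacker would place in a ?filter= query
# parameter so that it closes the attribute it is reflected into and adds a handler.
ATTACK_FILTER = '" autofocus onfocus="alert(document.cookie)'


def render_filter_form_vulnerable(filter_value: str) -> str:
    """Reflects the request parameter into an attribute with no escaping."""
    return f'<input type="text" name="filter" value="{filter_value}">'


def render_filter_form(filter_value: str) -> str:
    """Escapes for attribute context: &, <, >, " and ' all become entities, so the
    value can never terminate the attribute or start a new one."""
    return f'<input type="text" name="filter" value="{html.escape(filter_value, quote=True)}">'


def render_chapter_title(title: str) -> str:
    """Stored data gets the same treatment at every output point. Cleaning on save
    (forceclean) does not remove the need for this; the one page that forgets is
    the one that ends up in an advisory."""
    return f"<h2>{html.escape(title, quote=True)}</h2>"


class _InputAttrs(HTMLParser):
    """Collects the attributes the browser would see on the <input> element."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: Dict[str, Optional[str]] = {}

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "input":
            self.attrs = dict(attrs)


def input_attributes(rendered: str) -> Dict[str, Optional[str]]:
    """Parse the rendered fragment the way a browser would and return the input's attributes."""
    parser = _InputAttrs()
    parser.feed(rendered)
    return parser.attrs


if __name__ == "__main__":
    for render in (render_filter_form_vulnerable, render_filter_form):
        out = render(ATTACK_FILTER)
        attrs = input_attributes(out)
        print(render.__name__, "->", out)
        print("  event handler injected:", "onfocus" in attrs)
```

Parsing the output rather than grepping it is what makes the check meaningful: in the hardened version the parser hands back the original attack string as the value of the value attribute and nothing else, which is exactly the behaviour a browser would show.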