Security announcements

MSA-19-0004: "Log in as" functionality exposed to JavaScript risk on other users' Dashboards

by Michael Hawkins

Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but any JavaScript those other users had added to their Dashboard was not escaped when it was viewed by the user logging in on their behalf.

Please note that for versions 3.1 and 3.4 only, this fix removes access to other users' Dashboards while using the login-as functionality. Versions 3.5 and 3.6 have additional sanitizing implemented, which allowed the risk to be removed while retaining Dashboard access. If you require access to Dashboards through the login-as feature, we recommend upgrading to Moodle 3.5 or above (noting that 3.1 and 3.4 will also no longer receive security updates after their next releases in May 2019).


Severity/Risk: Serious
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4, 3.4 to 3.4.7, 3.1 to 3.1.16 and earlier unsupported versions
Versions fixed: 3.6.3, 3.5.5, 3.4.8 and 3.1.17
Reported by: Daniel Thatcher
Workaround: Use incognito/private browsing mode when using the "Log in as" functionality, then close the private window before logging back in as your own user, to minimise session or cookie related risks. Alternatively, avoid visiting the Dashboard while logged in as another user until the patch is applied.
CVE identifier: CVE-2019-3847
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-63786
Tracker issue: MDL-63786 "Log in as" functionality exposed to JavaScript risk on other users' Dashboards

MSA-19-0003: User full name is not escaped in the un-linked userpix page

by Michael Hawkins

The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted.


Severity/Risk: Minor
Versions affected: 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions
Versions fixed: 3.6.2, 3.5.4, 3.4.7 and 3.1.16
Reported by: Fariskhi Vidyan
CVE identifier: CVE-2019-3810
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64372
Tracker issue: MDL-64372 User full name is not escaped in the un-linked userpix page

MSA-19-0002: Blind SSRF Risk in /badges/mybackpack.php

by Michael Hawkins

The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the Mozilla Open Badges backpack URL. This resulted in the possibility of blind SSRF via requests made by the page.


Severity/Risk: Minor
Versions affected: 3.1 to 3.1.15 and earlier unsupported versions
Versions fixed: 3.1.16
Reported by: Alejandro Parodi
Workaround: Ensure your firewall rules effectively protect other internal hosts and ports from unauthorised access.
CVE identifier: CVE-2019-3809
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64222
Tracker issue: MDL-64222 Blind SSRF risk in /badges/mybackpack.php
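The fix described above restricts the URL the page will request to the backpack's own origin. The check below is an added example of that kind of allowlist validation; it is not Moodle's code, and the backpack hostname it allows is an assumption, since the advisory names only "the Mozilla Open Badges backpack URL".

```python
from urllib.parse import urlsplit

# Assumed allowlist of backpack origins as (scheme, host, port) triples.
# The hostname is an assumption for this example; the advisory only says the
# URL must be restricted to the Mozilla Open Badges backpack.
ALLOWED_BACKPACK_ORIGINS = {("https", "backpack.openbadges.org", 443)}

DEFAULT_PORTS = {"http": 80, "https": 443}


def is_allowed_backpack_url(url: str) -> bool:
    """Return True only if url points at an allowlisted backpack origin.

    The comparison is on the normalised (scheme, host, port) triple, not a
    string prefix, so URLs whose host merely starts with the allowed name,
    or that carry userinfo before the real host, are rejected. That is the
    property an SSRF allowlist needs: the server only ever connects to an
    origin the operator chose.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False  # unparsable URL (e.g. malformed IPv6 brackets)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return False  # no file:, gopher:, etc.
    if parts.username is not None or parts.password is not None:
        return False  # userinfo in the URL is never legitimate here
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return False
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:
        return False  # non-numeric or out-of-range port
    return (scheme, host, port) in ALLOWED_BACKPACK_ORIGINS


if __name__ == "__main__":
    # Constructed sample inputs, not values from the advisory.
    for candidate in ("https://backpack.openbadges.org/displayer/",
                      "https://backpack.openbadges.org@127.0.0.1/",
                      "http://127.0.0.1:8080/"):
        print(candidate, "->", is_allowed_backpack_url(candidate))
```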

MSA-19-0001: Manage groups capability is missing XSS risk flag

by Michael Hawkins

The 'manage groups' capability did not have the 'XSS risk' flag assigned to it, even though in certain places it does grant access that carries that risk. Note that the capability is intended for use by trusted users, and is only assigned to teachers and managers by default.


Severity/Risk: Minor
Versions affected: 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions
Versions fixed: 3.6.2, 3.5.4, 3.4.7 and 3.1.16
Reported by: Fariskhi Vidyan
CVE identifier: CVE-2019-3808
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64395
Tracker issue: MDL-64395 Manage groups capability is missing XSS risk flag

MSA-18-0020: Login CSRF vulnerability in login form

by Michael Hawkins

The login form was not protected by a token to prevent login cross-site request forgery.


Severity/Risk: Serious
Versions affected: 3.5 to 3.5.2, 3.4 to 3.4.5, 3.3 to 3.3.8, 3.1 to 3.1.14 and earlier unsupported versions
Versions fixed: 3.6, 3.5.3, 3.4.6, 3.3.9 and 3.1.15
Reported by: Daniel Thatcher
CVE identifier: CVE-2018-16854
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-63183
Tracker issue: MDL-63183 Login CSRF vulnerability in login form

MSA-18-0019: Boost theme - blog search GET parameter insufficiently filtered

by Michael Hawkins

The breadcrumb navigation provided by the Boost theme when displaying blog search results was insufficiently filtered, which could result in reflected XSS if a user followed a malicious link containing JavaScript in the search parameter.


Severity/Risk: Minor
Versions affected: 3.5 to 3.5.1, 3.4 to 3.4.4, 3.3 to 3.3.7 and earlier unsupported versions
Versions fixed: 3.5.2, 3.4.5 and 3.3.8
Reported by: Michael Hawkins
Workaround: Use an alternative theme not based upon Boost until the fix is applied.
CVE identifier: CVE-2018-14631
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62857
Tracker issue: MDL-62857 Boost theme - blog search GET parameter insufficiently filtered

MSA-18-0018: QuickForm library remote code vulnerability (upstream)

by Michael Hawkins

A security vulnerability was reported against QuickForm, a third party library used by Moodle. Although no attack vector was identified within our software, Moodle has updated to patched versions of QuickForm as a precaution.


Severity/Risk: Minor
Versions affected: 3.5 to 3.5.1, 3.4 to 3.4.4, 3.3 to 3.3.7, 3.1 to 3.1.13 and earlier unsupported versions
Versions fixed: 3.5.2, 3.4.5, 3.3.8 and 3.1.14
Reported by: Dan Marsden
CVE identifier: CVE-2018-1999022 (PEAR HTML_QuickForm)
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62947
Tracker issue: MDL-62947 QuickForm library remote code vulnerability (upstream)

MSA-18-0017: Moodle XML import of ddwtos could lead to intentional remote code execution

by Michael Hawkins

When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source.


Severity/Risk: Serious
Versions affected: 3.5 to 3.5.1, 3.4 to 3.4.4, 3.1 to 3.1.13 and earlier unsupported versions
Versions fixed: 3.5.2, 3.4.5, 3.3.8 and 3.1.14
Reported by: Johannes Moritz
CVE identifier: CVE-2018-14630
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62880
Tracker issue: MDL-62880 Moodle XML import of ddwtos could lead to intentional remote code execution

MSA-18-0016: Quiz question bank import preview could execute JavaScript

by Michael Hawkins

When a quiz question bank was imported, it was possible for the question preview that is displayed to execute JavaScript embedded in the imported question bank.


Severity/Risk: Minor
Versions affected: 3.5, 3.4 to 3.4.3, 3.3 to 3.3.6, 3.2 to 3.2.9, 3.1 to 3.1.12 and earlier unsupported versions
Versions fixed: 3.5.1, 3.4.4, 3.3.7, 3.1.13
Reported by: Les Bell
CVE identifier: CVE-2018-10891
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62820
Tracker issue: MDL-62820 Quiz question bank import preview could execute JavaScript

MSA-18-0015: Web service core_course_get_categories may return invisible categories

by Michael Hawkins

It was possible for the core_course_get_categories web service to return hidden categories, which should be omitted when fetching course categories. Note this only affects cases where a user has access to manage categories, but does not also have permission to view hidden categories.


Severity/Risk: Minor
Versions affected: 3.5, 3.4 to 3.4.3, 3.3 to 3.3.6, 3.2 to 3.2.9, 3.1 to 3.1.12 and earlier unsupported versions
Versions fixed: 3.5.1, 3.4.4, 3.3.7, 3.1.13
Reported by: Marina Glancy
CVE identifier: CVE-2018-10890
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62790
Tracker issue: MDL-62790 core_course_get_categories may return invisible categories