Security announcements | Moodle.org

MSA-15-0024: User with suspended enrolment can see sections in the navigation tree

by Marina Glancy - Monday, 18 May 2015, 9:04 AM

Description:	If a user is enrolled in the course but his enrollment is suspended, they can not access the course but still were able to see course structure in the navigation block
Issue summary:	User with suspended enrolment can see sections in the navigation tree
Severity/Risk:	Minor
Versions affected:	2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions
Versions fixed:	2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by:	Alex Mitin
Issue no.:	MDL-49788
CVE identifier:	CVE-2015-3180
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49788

Permalink

Discuss this topic  (0 replies so far)

MSA-15-0023: Suspended user is able to login when confirming email

by Marina Glancy - Monday, 18 May 2015, 9:03 AM

Description:	When self-registration is enabled and user's account was suspended after creating account but before actually confirming it, user is still able to login when confirming email but only once.
Issue summary:	Suspended user is able to login when confirming email
Severity/Risk:	Minor
Versions affected:	2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions
Versions fixed:	2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by:	Marina Glancy
Issue no.:	MDL-50090
CVE identifier:	CVE-2015-3179
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50090

Permalink

Discuss this topic  (0 replies so far)

MSA-15-0022: Potential XSS risk when returning text entered by student from Web Services

by Marina Glancy - Monday, 18 May 2015, 9:02 AM

Description:	If user who is not XSS-trusted attempts to insert the XSS as part of the input text, it will be cleaned when displayed on Moodle website but may be displayed uncleaned in the external application
Issue summary:	external_format_text() cleans and formats text incorrectly
Severity/Risk:	Serious
Versions affected:	2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions
Versions fixed:	2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by:	Eloy Lafuente
Issue no.:	MDL-49718
CVE identifier:	CVE-2015-3178
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49718

Permalink

Discuss this topic  (0 replies so far)

MSA-15-0021: Any authenticated user can subscribe to site-wide event monitor rules

by Marina Glancy - Monday, 18 May 2015, 9:01 AM

Description:	If the site-wide rules exist in the event monitor tool, any user can subscribe themselves to them and potentially access information they are not supposed to see.
Issue summary:	Any authenticated user can subscribe to site wide event monitor rules
Severity/Risk:	Minor
Versions affected:	2.8 to 2.8.5
Versions fixed:	2.9 and 2.8.6
Reported by:	Adrian Greeve
Issue no.:	MDL-50039
Workaround:	Do not use site-wide rules until your site is upgraded
CVE identifier:	CVE-2015-3177
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50039

Permalink

Discuss this topic  (0 replies so far)

MSA-15-0020: User fullname disclosure through account confirmation link

by Marina Glancy - Monday, 18 May 2015, 9:00 AM

Description:	On the sites with enabled self-registration not registered users can retrieve fullname of registered users knowing their usernames
Issue summary:	User fullname disclosure through account confirmation link
Severity/Risk:	Serious
Versions affected:	2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions
Versions fixed:	2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by:	Federico Kirschbaum
Issue no.:	MDL-50099
Workaround:	Even partial patch (removing one line in /login/confirm.php) will also resolve security issue
CVE identifier:	CVE-2015-3176
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50099

Permalink

Discuss this topic  (0 replies so far)

MSA-15-0019: Possible phishing when redirecting to external site using referer header

by Marina Glancy - Monday, 18 May 2015, 8:59 AM

Description:	Some error messages in Moodle display button to return to previous page. Redirecting to non-local referer should not be allowed as it can potentially be used for phising.
Issue summary:	get_referer() used with redirect() can be insecure
Severity/Risk:	Minor
Versions affected:	2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions
Versions fixed:	2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by:	Dingjie Yang
Issue no.:	MDL-49179
CVE identifier:	CVE-2015-3175
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49179

Permalink

Discuss this topic  (0 replies so far)

MSA-15-0018: Quiz manual-grading is an XSS risk, but does not declare that

by Marina Glancy - Monday, 18 May 2015, 8:54 AM

Description:	Leaving gradebook feedback is a trusted action and such capabilities in other modules already have XSS mask, 'mod/quiz:grade' was missing this flag.
Issue summary:	Quiz manual-grading is an XSS risk, but does not declare that
Severity/Risk:	Minor
Versions affected:	2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions
Versions fixed:	2.9, 2.8.6, 2.7.8 and 2.6.11
Reported by:	Hugh Davenport
Issue no.:	MDL-49941
CVE identifier:	CVE-2015-3174
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49941

Permalink

Discuss this topic  (0 replies so far)

MSA-15-0017: XSS in quiz statistics report

by Marina Glancy - Monday, 16 March 2015, 11:08 AM

Description:	Quiz statistics report did not properly escape student responses and could be used for XSS attack
Issue summary:	XSS in quiz statistics report
Severity/Risk:	Minor
Versions affected:	2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier unsupported versions
Versions fixed:	2.8.4, 2.7.6 and 2.6.9
Reported by:	Tim Hunt
Issue no.:	MDL-49364
CVE identifier:	CVE-2015-2273
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49364

Permalink

Discuss this topic  (0 replies so far)

MSA-15-0016: Web services token can be created for user with temporary password

by Marina Glancy - Monday, 16 March 2015, 11:08 AM

Description:	Even when user's password is forced to be changed on login, user could still use it for authentication in order to create the web service token and therefore extend the life of the temporary password via web services.
Issue summary:	login/token.php does not check if auth_forcepasswordchange is on for the user
Severity/Risk:	Serious
Versions affected:	2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier unsupported versions
Versions fixed:	2.8.4, 2.7.6 and 2.6.9
Reported by:	Juan Leyva
Issue no.:	MDL-48691
CVE identifier:	CVE-2015-2272
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48691

Permalink

Discuss this topic  (0 replies so far)

MSA-15-0015: User without proper permission is able to mark the tag as inappropriate

by Marina Glancy - Monday, 16 March 2015, 11:07 AM

Description:	Very minor case of not respecting capability, it does not affect majority of sites since this capability is given to authenticated users by default
Issue summary:	Capability moodle/tag:flag not observed
Severity/Risk:	Minor
Versions affected:	2.8 to 2.8.3, 2.7 to 2.7.5, 2.6 to 2.6.8 and earlier unsupported versions
Versions fixed:	2.8.4, 2.7.6 and 2.6.9
Reported by:	Frédéric Massart
Issue no.:	MDL-49084
CVE identifier:	CVE-2015-2271
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49084

Permalink

Discuss this topic  (0 replies so far)