Security announcements

MSA-14-0033: URL parameter injection in CAS authentication

by Michael de Raadt -
Description: A flaw was found in the third-party phpCAS library used by Moodle's CAS authentication plugin, which could potentially allow unauthorised access and privilege escalation.
Issue summary: Upgrade phpCAS to 1.3.3 or greater - security vulnerabilities
Severity/Risk: Serious
Versions affected: 2.7 to 2.7.1, 2.6 to 2.6.4, 2.5 to 2.5.7 and earlier unsupported versions
Versions fixed: 2.7.2 and 2.6.5 (NOTE: A fix to 2.5 was not possible. CAS users with Moodle 2.5 or earlier are encouraged to upgrade to a more recent release.)
Reported by: Eric Merrill
Issue no.: MDL-46766
CVE identifier: CVE-2014-4172
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46766
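
The only remediation the advisory gives is a phpCAS version floor, so the useful check is "which phpCAS does this checkout actually ship?". The script below is an added example, not Moodle's or phpCAS's own code. It assumes that Moodle 2.x keeps its phpCAS copy at auth/cas/CAS/CAS.php and that phpCAS declares its version as define('PHPCAS_VERSION', 'x.y.z'); neither detail comes from the advisory, so adjust the path if your tree differs. The two sample file contents are constructed for the example.

```python
"""Check the phpCAS bundled with a Moodle checkout against the minimum
version named in MSA-14-0033 (phpCAS 1.3.3). Added example, not Moodle code."""
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

# Minimum phpCAS version the advisory calls safe.
MIN_PHPCAS = (1, 3, 3)

# Assumption: Moodle 2.x keeps its copy of phpCAS at auth/cas/CAS/CAS.php and
# phpCAS declares its version with define('PHPCAS_VERSION', 'x.y.z').
# The advisory names neither; change the path if your checkout differs.
CAS_RELATIVE_PATH = Path("auth") / "cas" / "CAS" / "CAS.php"
VERSION_RE = re.compile(
    r"""define\(\s*['"]PHPCAS_VERSION['"]\s*,\s*['"]([0-9]+(?:\.[0-9]+)*)['"]\s*\)"""
)

# Constructed sample contents standing in for two CAS.php files (not real phpCAS source).
SAMPLE_OLD = "<?php\n// phpCAS client library\ndefine('PHPCAS_VERSION', '1.3.2');\n"
SAMPLE_NEW = '<?php\ndefine("PHPCAS_VERSION", "1.3.3");\n'


def parse_phpcas_version(source: str) -> Optional[Tuple[int, ...]]:
    """Extract the PHPCAS_VERSION constant from CAS.php source text, or None."""
    match = VERSION_RE.search(source)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: Optional[Tuple[int, ...]]) -> bool:
    """True when the version is unknown or older than 1.3.3.

    An unparseable file is reported as vulnerable: a check that cannot prove
    the fix is present should fail closed rather than stay silent.
    """
    if version is None:
        return True
    padded = tuple(version) + (0,) * (3 - len(version))
    return padded[:3] < MIN_PHPCAS


def check_moodle_root(root: str) -> Optional[Tuple[str, bool]]:
    """Return (version label, vulnerable?) for the phpCAS copy under a Moodle
    root, or None when the expected file is not there (wrong root, or the CAS
    plugin is absent)."""
    cas_file = Path(root) / CAS_RELATIVE_PATH
    if not cas_file.is_file():
        return None
    version = parse_phpcas_version(cas_file.read_text(errors="replace"))
    label = ".".join(str(p) for p in version) if version else "unknown"
    return (label, is_vulnerable(version))


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    result = check_moodle_root(root)
    if result is None:
        print(f"{CAS_RELATIVE_PATH} not found under {root}; check the path")
    else:
        label, vulnerable = result
        status = "VULNERABLE (upgrade phpCAS to 1.3.3 or newer)" if vulnerable else "ok"
        print(f"{CAS_RELATIVE_PATH}: phpCAS {label} -> {status}")
```

Run it with the Moodle web root as the argument. Note that the phpCAS version string alone does not tell you whether a distribution or local patch backported the fix; if the version reads below 1.3.3 but the tree is patched, confirm against the commits linked above rather than trusting the constant.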

MSA-14-0032: Cross-site scripting in advanced grading methods

by Michael de Raadt -
Description: Fields in rubrics were not being correctly filtered.
Issue summary: XSS on the (qualification, rating) field by rubric/advanced grading
Severity/Risk: Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: Javier E. García Prada
Issue no.: MDL-46223
CVE identifier: CVE-2014-3551
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46223

MSA-14-0031: Cross-site scripting through scheduled task error messages

by Michael de Raadt -
Description: Error messages generated by scheduled tasks were being presented to admins without correct filtering.
Issue summary: XSS in scheduled tasks success/error message
Severity/Risk: Serious
Versions affected: 2.7
Versions fixed: 2.7.1
Reported by: Skylar Kelty
Issue no.: MDL-46227
CVE identifier: CVE-2014-3550
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46227

MSA-14-0030: Cross-site scripting through logs of failed logins

by Michael de Raadt -
Description: Log entries of failed login attempts were not filtered correctly.
Issue summary: XSS in 'failed login' logs
Severity/Risk: Serious
Versions affected: 2.7
Versions fixed: 2.7.1
Reported by: Skylar Kelty
Issue no.: MDL-46201
CVE identifier: CVE-2014-3549
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46201

MSA-14-0029: Cross-site scripting vulnerability in exception dialogues

by Michael de Raadt -
Description: Content of exception dialogues presented from AJAX calls was not being escaped before being presented to users.
Issue summary: Exception dialogs do not escape the content
Severity/Risk: Minor
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: Frédéric Massart
Issue no.: MDL-45471
CVE identifier: CVE-2014-3548
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45471

MSA-14-0028: Cross-site scripting possible in external badges

by Michael de Raadt -
Description: The details of badges from external sources were not being filtered.
Issue summary: XSS vulnerabilities with external badges
Severity/Risk: Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6
Versions fixed: 2.7.1, 2.6.4 and 2.5.7
Reported by: Frédéric Massart
Issue no.: MDL-46042
CVE identifier: CVE-2014-3547
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46042

MSA-14-0027: Forum group posting issue

by Michael de Raadt -
Description: The forum module was allowing users who were members of more than one group to post to all groups without having the capability to access all groups.
Issue summary: Forum post to all participants in separate group
Severity/Risk: Minor
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: Jakob Ackermann
Issue no.: MDL-38990
CVE identifier: CVE-2014-3553
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-38990

MSA-14-0026: Information leak in profile and notes pages

by Michael de Raadt -
Description: It was possible to get limited user information, such as user name and courses, by manipulating the URL of profile and notes pages.
Issue summary: /user/edit.php reveals account name
Severity/Risk: Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: Patrick Webster
Issue no.: MDL-45760
CVE identifier: CVE-2014-3546
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45760

MSA-14-0025: Remote code execution in Quiz

by Michael de Raadt -
Description: It was possible to inject code into Calculated questions that would be executed on the server.
Issue summary: Remote code execution in quiz calculated question
Severity/Risk: Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: Frédéric Massart
Issue no.: MDL-46148
CVE identifier: CVE-2014-3545
Workaround:
Disable calculated question types.
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-46148

MSA-14-0024: Cross-site scripting vulnerability in profile field

by Michael de Raadt -
Description: Filtering of the Skype profile field was not removing potentially harmful code.
Issue summary: Persistent XSS Found
Severity/Risk: Serious
Versions affected: 2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions
Versions fixed: 2.7.1, 2.6.4, 2.5.7 and 2.4.11
Reported by: Osanda Malith Jayathissa
Issue no.: MDL-45683
CVE identifier: CVE-2014-3544
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45683
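
The "Versions affected" lines in these advisories follow a small, regular grammar (comma-separated branches, each either a single release or "X to Y", optionally ending in "and earlier unsupported versions"), so an administrator with several Moodle instances can triage them mechanically. The script below is an added example, not Moodle's own tooling: the advisory table is copied from this page, and the reading of "earlier unsupported versions" as "any release below the oldest listed branch" is an assumption about the wording, not something the advisories state.

```python
"""Decide which of the advisories on this page apply to a given Moodle release
by parsing their "Versions affected" lines. Added example, not Moodle code."""
from typing import List, Tuple

Version = Tuple[int, int, int]

# "Versions affected" text of each advisory, copied from the page.
ADVISORIES = {
    "MSA-14-0033": "2.7 to 2.7.1, 2.6 to 2.6.4, 2.5 to 2.5.7 and earlier unsupported versions",
    "MSA-14-0032": "2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions",
    "MSA-14-0031": "2.7",
    "MSA-14-0030": "2.7",
    "MSA-14-0029": "2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions",
    "MSA-14-0028": "2.7, 2.6 to 2.6.3, 2.5 to 2.5.6",
    "MSA-14-0027": "2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions",
    "MSA-14-0026": "2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions",
    "MSA-14-0025": "2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions",
    "MSA-14-0024": "2.7, 2.6 to 2.6.3, 2.5 to 2.5.6, 2.4 to 2.4.10 and earlier unsupported versions",
}

EARLIER_SUFFIX = "and earlier unsupported versions"


def version_tuple(text: str) -> Version:
    """'2.6' -> (2, 6, 0); '2.6.4' -> (2, 6, 4). A bare branch name means its .0 release."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def parse_affected(text: str) -> Tuple[List[Tuple[Version, Version]], bool]:
    """Split a 'Versions affected' line into inclusive (low, high) ranges plus a
    flag for the trailing 'and earlier unsupported versions' clause."""
    text = text.strip()
    earlier = text.endswith(EARLIER_SUFFIX)
    if earlier:
        text = text[: -len(EARLIER_SUFFIX)].rstrip()
    ranges = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if " to " in item:
            low, high = item.split(" to ", 1)
            ranges.append((version_tuple(low), version_tuple(high)))
        else:
            single = version_tuple(item)
            ranges.append((single, single))
    return ranges, earlier


def is_affected(moodle_version: str, affected_text: str) -> bool:
    """True if the release falls inside a listed range, or (assumption) below the
    oldest listed range when the advisory also covers 'earlier unsupported versions'."""
    v = version_tuple(moodle_version)
    ranges, earlier = parse_affected(affected_text)
    if any(low <= v <= high for low, high in ranges):
        return True
    return bool(earlier and ranges and v < min(low for low, _ in ranges))


def applicable_advisories(moodle_version: str) -> List[str]:
    """Advisory IDs from this page that apply to the given Moodle release."""
    return [aid for aid, text in ADVISORIES.items() if is_affected(moodle_version, text)]


if __name__ == "__main__":
    import sys

    for release in sys.argv[1:] or ["2.6.4", "2.3.1", "2.7.2"]:
        hits = applicable_advisories(release) or ["none"]
        print(f"Moodle {release}: {', '.join(hits)}")
```

Two caveats when reading the output. A release that is above every listed range and not covered by the "earlier" clause is reported as unaffected, which is only right where a fix exists for that branch: MSA-14-0033 above says no 2.5 fix was possible, so any 2.5.x stays exposed and should be cross-checked against "Versions fixed", not just "Versions affected". And the check is by version string only; a tree that has had the linked commits backported will still be flagged.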