Security announcements | Moodle.org

Forums
Documentation
Plugins
Downloads
Demo
Development
Translation
Tracker
Search

Search
Other Moodle sites

Moodle.org

Security announcements

Description:	By changing own name user can inject arbitrary email addresses in the emails that moodle sends to him/her. This can be used to send spam when moodle emails user content such as messages and forum posts. It can only be exploited by registered users and very easy to trace and find the attacker.
Issue summary:	User firstname/lastname not sanitized when sending emails
Severity/Risk:	Minor
Versions affected:	3.1, 3.0 to 3.0.4, 2.9 to 2.9.6, 2.8 to 2.8.12, 2.7 to 2.7.14 and earlier unsupported versions
Versions fixed:	3.1.1, 3.0.5, 2.9.7 and 2.7.15
Reported by:	Pierre Guinoiseau
Issue no.:	MDL-55069
Workaround:	Temporary prohibit users from editing their first and last names until the fix is applied
CVE identifier:	CVE-2016-5013
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-55069

Discuss this topic (0 replies so far)

Description:	When searching in a glossary entries from other glossaries could be displayed, including the modules and courses that user can not access
Issue summary:	Possible to see glossary entries in courses you are not enrolled in
Severity/Risk:	Minor
Versions affected:	3.1
Versions fixed:	3.1.1
Reported by:	Mary Cooch
Issue no.:	MDL-54844
CVE identifier:	CVE-2016-5012
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-54844

Discuss this topic (0 replies so far)

Description:	CSRF possible in the URL that marks forum posts as read
Issue summary:	Forum markposts.php missing sesskey check
Severity/Risk:	Minor
Versions affected:	3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed:	3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by:	Andrew Nicols
Issue no.:	MDL-53755
CVE identifier:	CVE-2016-3734
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53755

Discuss this topic (0 replies so far)

Description:	During the course restore teacher could overwrite idnumber even without having the capability to change it
Issue summary:	Course idnumber not protected from teacher restore
Severity/Risk:	Minor
Versions affected:	3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed:	3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by:	Donna Hrynkiw
Issue no.:	MDL-51369
CVE identifier:	CVE-2016-3733
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51369

Discuss this topic (0 replies so far)

Description:	Capability check to view other badges was performed for the current user instead for the user whose badges are being viewed
Issue summary:	Badges code checks viewotherbadges capability in the wrong context
Severity/Risk:	Minor
Versions affected:	3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed:	3.0.4, 2.9.6 and 2.8.12
Reported by:	Tim Hunt
Issue no.:	MDL-53589
CVE identifier:	CVE-2016-3732
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53589

Discuss this topic (0 replies so far)

Description:	Name of the inaccessible forum or forum discussion could be disclosed as part of the error message on the subscription page
Issue summary:	Information disclosure of hidden forum names and sub-names.
Severity/Risk:	Minor
Versions affected:	3.0 to 3.0.3, 2.9 to 2.9.5 and 2.8 to 2.8.11
Versions fixed:	3.0.4, 2.9.6 and 2.8.12
Reported by:	Callum Carney
Issue no.:	MDL-53696
CVE identifier:	CVE-2016-3731
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53696

Discuss this topic (0 replies so far)

This issue has been withdrawn from the security release already after both Moodle and CVE identifiers have been assigned.

Discuss this topic (0 replies so far)

Description:	User editing form only disabled the profile fields in UI and did not actually prevent users from editing them
Issue summary:	Tricky users can change locked profile fields
Severity/Risk:	Minor
Versions affected:	3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed:	3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by:	Vadim Dvorovenko
Issue no.:	MDL-53954
CVE identifier:	CVE-2016-3729
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53954

Discuss this topic (0 replies so far)

Description:	Students were able to add assignment submissions after the due date through web service
Issue summary:	External function mod_assign_save_submission does not check due dates
Severity/Risk:	Minor
Versions affected:	3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed:	3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:	Juan Leyva
Issue no.:	MDL-52901
CVE identifier:	CVE-2016-2159
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52901

Discuss this topic (0 replies so far)

Description:	Improve security when following external links that were added with _blank target
Issue summary:	Add no referrer to links with _blank target attribute
Severity/Risk:	Minor
Versions affected:	3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed:	3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:	Hugh Davenport
Issue no.:	MDL-52651
CVE identifier:	CVE-2016-2190
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52651

Discuss this topic (0 replies so far)