Security announcements

MSA-16-0010: Enumeration of category details possible without authentication

by Marina Glancy -
Description: Despite the force login setting, guests could still access course category details
Issue summary: Enumeration of category details possible without authentication
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Krista Koivisto
Issue no.: MDL-52774
CVE identifier: CVE-2016-2158
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52774

MSA-16-0009: CSRF in Assignment plugin management page

by Marina Glancy -
Description: CSRF was possible on an admin page; however, an exploit is unlikely to benefit anybody and can easily be reversed
Issue summary: CSRF in Assignment plugin management page
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Paul Holden
Issue no.: MDL-53031
CVE identifier: CVE-2016-2157
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53031

MSA-16-0008: External function get_calendar_events returns events that pertain to hidden activities

by Marina Glancy -
Description: Users without the capability to view hidden activities could still see the associated calendar events via web services
Issue summary: External function get_calendar_events returns events that pertain to hidden activities
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Juan Leyva
Issue no.: MDL-52808
CVE identifier: CVE-2016-2156
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52808

MSA-16-0007: Non-Editing Instructor role can edit exclude checkbox in Single View

by Marina Glancy -
Description: An incorrect capability check in the Single View grade report could result in giving a teacher extra permissions
Issue summary: Non-Editing Instructor role can edit exclude checkbox in Single View
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10
Versions fixed: 3.0.3, 2.9.5 and 2.8.11
Reported by: Mark McKay
Issue no.: MDL-52378
CVE identifier: CVE-2016-2155
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52378

MSA-16-0006: Hidden courses are shown to students in Event Monitor

by Marina Glancy -
Description: Users without the capability to view hidden courses, but with the capability to subscribe to Event Monitor rules, could see the names of hidden courses
Issue summary: Hidden courses are shown to students in Event Monitor
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10
Versions fixed: 3.0.3, 2.9.5 and 2.8.11
Reported by: Roger
Issue no.: MDL-51167
Workaround: Revoke the capability to subscribe to Event Monitor rules from regular users
CVE identifier: CVE-2016-2154
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51167

MSA-16-0005: Reflected XSS in mod_data advanced search

by Marina Glancy -
Description: A user with higher permissions could be tricked into clicking a link, which would result in an XSS attack
Issue summary: Reflected XSS in mod_data advanced search
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Ian Song
Issue no.: MDL-52727
Workaround: Educate staff to always use only modern browsers that block such attacks by default
CVE identifier: CVE-2016-2153
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52727

MSA-16-0004: XSS from profile fields from external db

by Marina Glancy -
Description: Moodle traditionally trusted content from the external DB; however, it was decided that external data sources may not be aware of web security practices, and their data could cause problems after being imported into Moodle
Issue summary: XSS from profile fields from external db
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Jay Knight
Issue no.: MDL-50705
CVE identifier: CVE-2016-2152
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50705

MSA-16-0003: Incorrect capability check when displaying users' emails in Participants list

by Marina Glancy -
Description: Teachers who otherwise were not supposed to see students' emails could see them in the participants list
Issue summary: Incorrect capability check when displaying users' emails in Participants list
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Matt Jenner
Issue no.: MDL-52433
CVE identifier: CVE-2016-2151
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52433

MSA-16-0002: XSS Vulnerability in course management search

by Marina Glancy -
Description: The search string in the course management interface was not escaped when being output, creating the potential for an XSS attack
Issue summary: XSS Vulnerability in course management search
Severity/Risk: Serious
Versions affected: 3.0 to 3.0.1, 2.9 to 2.9.3 and 2.8 to 2.8.9
Versions fixed: 3.0.2, 2.9.4 and 2.8.10
Reported by: Oliveira Lima
Issue no.: MDL-52552
CVE identifier: CVE-2016-0725
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52552

MSA-16-0001: Two enrolment-related web services don't check course visibility

by Marina Glancy -
Description: Web services core_enrol_get_course_enrolment_methods and enrol_self_get_instance_info did not check the user's permission to access hidden courses
Issue summary: External functions core_enrol_get_course_enrolment_methods and enrol_self_get_instance_info don't check course visibility
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.1, 2.9 to 2.9.3, 2.8 to 2.8.9, 2.7 to 2.7.11 and earlier unsupported versions
Versions fixed: 3.0.2, 2.9.4, 2.8.10 and 2.7.12
Reported by: Juan Leyva
Issue no.: MDL-52072
CVE identifier: CVE-2016-0724
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52072