Security announcements

MSA-15-0006: Capability to grade Lesson module is missing XSS bitmask

by Marina Glancy
Description: Users with the capability to grade in the Lesson module were not reported as users carrying XSS risk, but the feedback they entered was displayed without cleaning
Issue summary: mod/lesson:grade capability missing RISK_XSS but essay feedback is displayed with noclean=true
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1
Versions fixed: 2.8.2
Reported by: Damyon Wiese
Issue no.: MDL-48034
CVE identifier: CVE-2015-0216
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48034

MSA-15-0005: Insufficient access check in calendar functions in web-services

by Marina Glancy
Description: Through web services it was possible to retrieve information about calendar events that the calling user did not have permission to see
Issue summary: calendar/externallib.php lacks self::validate_context($context);
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Petr Skoda
Issue no.: MDL-48017
CVE identifier: CVE-2015-0215
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48017

MSA-15-0004: Information leak through messaging functions in web-services

by Marina Glancy
Description: Through web services it was possible to call messaging-related functions, such as people search, even when messaging was disabled on the site
Issue summary: Messages external functions doesn't check if messaging is enabled
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Juan Leyva
Issue no.: MDL-48329
Workaround: Disable web services or disable individual message-related functions
CVE identifier: CVE-2015-0214
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48329
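The two web-service advisories above (MSA-15-0005 and MSA-15-0004) describe the same shape of defect: an external function that reads data without first binding the call to a context, validating it, and honouring the site-wide feature switch. The following is an added example of an external function written with those checks in the order Moodle's external API expects; it is not Moodle's calendar or message code. The plugin name local_example, the function name and the table fields it returns are hypothetical; validate_parameters(), validate_context(), require_capability(), get_enrolled_users() and $CFG->messaging are real Moodle APIs.

```php
<?php
// Added example of a web-service function with the access checks that MSA-15-0005
// and MSA-15-0004 report as missing. Not Moodle's calendar or message externallib;
// "local_example" and "search_course_contacts" are hypothetical names.
defined('MOODLE_INTERNAL') || die();
require_once($CFG->libdir . '/externallib.php');

class local_example_external extends external_api {

    public static function search_course_contacts_parameters() {
        return new external_function_parameters(array(
            'courseid'   => new external_value(PARAM_INT, 'Course to search in'),
            'searchtext' => new external_value(PARAM_TEXT, 'Partial name to match'),
        ));
    }

    public static function search_course_contacts($courseid, $searchtext) {
        global $CFG;

        // 1. Type-check the raw arguments against the declared parameters.
        $params = self::validate_parameters(self::search_course_contacts_parameters(),
            array('courseid' => $courseid, 'searchtext' => $searchtext));

        // 2. Site-wide feature switch. MSA-15-0004 is the absence of this check in
        // the message external functions: if messaging is off in the UI, the
        // people search must not stay reachable through web services.
        if (empty($CFG->messaging)) {
            throw new moodle_exception('disabled', 'message');
        }

        // 3. Bind the call to a context and validate it. validate_context() runs
        // require_login() for the course (enrolment, guest and suspension rules)
        // and throws on an invalid context. Leaving it out, as
        // calendar/externallib.php did (MSA-15-0005), lets any token holder query
        // any course by id.
        $context = context_course::instance($params['courseid']);
        self::validate_context($context);

        // 4. Capability check in that context; "logged in" is not "allowed".
        require_capability('moodle/course:viewparticipants', $context);

        // 5. Only now touch data, and only data scoped to the validated context.
        $fields = 'u.id, ' . get_all_user_name_fields(true, 'u');
        $needle = core_text::strtolower($params['searchtext']);
        $result = array();
        foreach (get_enrolled_users($context, '', 0, $fields) as $user) {
            $name = fullname($user);
            if (core_text::strpos(core_text::strtolower($name), $needle) !== false) {
                $result[] = array('id' => $user->id, 'fullname' => $name);
            }
        }
        return $result;
    }

    public static function search_course_contacts_returns() {
        return new external_multiple_structure(
            new external_single_structure(array(
                'id'       => new external_value(PARAM_INT, 'User id'),
                'fullname' => new external_value(PARAM_TEXT, 'Display name'),
            ))
        );
    }
}
```

The order matters: parameter validation first so that a malformed id never reaches the database layer, then the feature switch, then validate_context(), and only then the capability check and the query. A function that performs the query before validate_context() leaks data even if it later throws.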

MSA-15-0003: CSRF possible in Glossary module

by Marina Glancy
Description: Two files in the Glossary module lacked a session key check potentially allowing cross-site request forgery
Issue summary: Multiple CSRF in mod glossary
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Ankit Agarwal
Issue no.: MDL-48106
CVE identifier: CVE-2015-0213
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48106

MSA-15-0002: XSS vulnerability in course request pending approval page

by Marina Glancy
Description: The course summary on the course request pending approval page was displayed to the manager unescaped and could be used for an XSS attack
Issue summary: XSS in course request pending approval page (Privilege Escalation?)
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Skylar Kelty
Issue no.: MDL-48368
Workaround: Grant permission moodle/course:request only to trusted users
CVE identifier: CVE-2015-0212
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48368
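MSA-15-0006 and MSA-15-0002 are two sides of one rule in Moodle: text may be displayed uncleaned only when it was written by a user holding a capability that is explicitly flagged RISK_XSS, so that the site administrator can see which roles carry that risk. The Lesson bug broke the first half (noclean output, but no RISK_XSS on the capability); the course request bug broke the second half (moodle/course:request carries no RISK_XSS, yet the summary was printed raw to a manager). The following is an added example, not Moodle's lesson or course-request code, of both halves done correctly: a capability definition fragment of the kind that lives in db/access.php and a display helper for the page that renders the text. The plugin name mod_example, the capability mod/example:grade and the helper name are hypothetical; RISK_XSS, has_capability() and format_text() with the noclean option are real Moodle APIs.

```php
<?php
// Added example, not Moodle's lesson or course-request code. Two fragments:
// (a) a db/access.php capability definition carrying RISK_XSS and
// (b) a display helper that skips cleaning only for text written by holders
//     of such a capability.
// "mod_example", "mod/example:grade" and the helper name are hypothetical.
defined('MOODLE_INTERNAL') || die();

// --- (a) db/access.php fragment -------------------------------------------
// Holders of this capability write HTML that other users see uncleaned, so the
// definition must declare RISK_XSS. Without the bitmask (the MSA-15-0006
// defect) the role definition page shows no XSS warning for the role.
$capabilities = array(
    'mod/example:grade' => array(
        'riskbitmask'  => RISK_XSS,          // absent in the vulnerable version
        'captype'      => 'write',
        'contextlevel' => CONTEXT_MODULE,
        'archetypes'   => array(
            'teacher'        => CAP_ALLOW,
            'editingteacher' => CAP_ALLOW,
            'manager'        => CAP_ALLOW,
        ),
    ),
);

// --- (b) display helper -----------------------------------------------------
/**
 * Return HTML for text stored on behalf of $authorid, safe to echo into a page.
 *
 * Vulnerable shapes this replaces:
 *   echo $text;                                          // MSA-15-0002
 *   format_text($text, $format, array('noclean' => true)) // for any author
 *
 * @param string  $text     stored text (grader feedback, course summary, ...)
 * @param int     $format   FORMAT_HTML, FORMAT_MOODLE, FORMAT_PLAIN, ...
 * @param context $context  context the text belongs to
 * @param int     $authorid user who wrote the text
 * @return string HTML
 */
function mod_example_render_user_text($text, $format, context $context, $authorid) {
    // Skip cleaning only if the author held a capability that is flagged
    // RISK_XSS in access.php. A course requester (moodle/course:request, no
    // RISK_XSS) never reaches this branch, so the summary is always cleaned.
    $trusted = has_capability('mod/example:grade', $context, $authorid);

    return format_text($text, $format, array(
        'context' => $context,
        'noclean' => $trusted,
    ));
}
```

When auditing a plugin, the check is mechanical: grep for `'noclean' => true` and for raw `echo` of user-supplied fields, then confirm that every capability gating the input of that text carries RISK_XSS in its access.php entry. Either half missing is a reportable issue.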

MSA-15-0001: Insufficient access check in LTI module

by Marina Glancy
Description: The absence of a capability check in an AJAX backend script could allow any enrolled user to search the list of registered tools
Issue summary: mod/lti/ajax.php security problems
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Petr Skoda
Issue no.: MDL-47920
CVE identifier: CVE-2015-0211
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47920

MSA-14-0049: Possible to print arbitrary message to user by modifying URL

by Marina Glancy
Description: A session key check was missing on the return page of the LTI module, allowing an attacker to include an arbitrary message in the URL query string
Issue summary: mod/lti/return.php allows attacker to print arbitrary message
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Petr Skoda
Issue no.: MDL-47927
CVE identifier: -
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47927

MSA-14-0048: CSRF in forum tracking toggle

by Marina Glancy
Description: Set tracking script in the Forum module lacked a session key check potentially allowing cross-site request forgery.
Issue summary: CSRF in mod/forum/settracking.php
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Petr Skoda
Issue no.: MDL-48019
CVE identifier: CVE-2014-7838
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48019

MSA-14-0047: Possible data loss in Wiki activity

by Marina Glancy
Description: By tweaking URLs, users who were able to delete pages in at least one Wiki activity in a course were able to delete pages in other Wiki activities in the same course.
Issue summary: unvalidated parameters in mod/wiki/admin.php
Severity/Risk: Minor
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Petr Skoda
Issue no.: MDL-47949
CVE identifier: CVE-2014-7837
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47949
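MSA-15-0001 (mod/lti/ajax.php, no capability check) and MSA-14-0047 (mod/wiki/admin.php, a record id taken from the URL and never tied to the activity instance) are both failures of a backend script to bind the request to the thing it is operating on. The following is an added example of a small AJAX backend script with those bindings in place; it is not Moodle's LTI or Wiki code. The plugin name mod_example, its table example_pages with an exampleid column, and the capability mod/example:manage are hypothetical; required_param(), get_coursemodule_from_id(), require_login(), require_sesskey(), require_capability() and the $DB methods are real Moodle APIs.

```php
<?php
// Added example of an AJAX backend script with the checks whose absence is
// reported in MSA-15-0001 (no capability check) and MSA-14-0047 (record id not
// validated against the module instance). Not Moodle's mod/lti/ajax.php or
// mod/wiki/admin.php; "mod_example", "example_pages" and "mod/example:manage"
// are hypothetical.
define('AJAX_SCRIPT', true);
require_once(__DIR__ . '/../../config.php');

$cmid   = required_param('id', PARAM_INT);       // course module id
$pageid = required_param('pageid', PARAM_INT);   // record the caller wants to act on
$action = required_param('action', PARAM_ALPHA);

// 1. Resolve the course module and require login for that course and module.
//    require_login() with $cm also enforces activity visibility and enrolment.
$cm      = get_coursemodule_from_id('example', $cmid, 0, false, MUST_EXIST);
$course  = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);
require_login($course, false, $cm);
$context = context_module::instance($cm->id);

// 2. The request changes state, so require a session key (CSRF) and a
//    capability in the module context. "Any enrolled user" (MSA-15-0001) is
//    exactly what is left when this line is missing.
require_sesskey();
require_capability('mod/example:manage', $context);

// 3. Bind the target record to this instance. Selecting by id alone lets a
//    user who may manage one instance act on rows of any instance in the
//    course (the MSA-14-0047 pattern); adding the instance id to the lookup
//    makes a foreign id a MUST_EXIST failure instead of a cross-instance edit.
$page = $DB->get_record('example_pages',
    array('id' => $pageid, 'exampleid' => $cm->instance), '*', MUST_EXIST);

switch ($action) {
    case 'delete':
        $DB->delete_records('example_pages', array('id' => $page->id));
        $result = array('status' => 'ok', 'deleted' => (int)$page->id);
        break;
    default:
        throw new invalid_parameter_exception('unknown action: ' . $action);
}

header('Content-Type: application/json; charset=utf-8');
echo json_encode($result);
```

The test for step 3 is to take a valid request for one instance and replace only pageid with an id belonging to another instance in the same course: the hardened script must answer with an error, not a successful deletion.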

MSA-14-0046: CSRF in LTI module

by Marina Glancy
Description: Two files in the LTI module lacked a session key check potentially allowing cross-site request forgery.
Issue summary: CSRF in mod/lti/request_tool.php and mod/lti/instructor_edit_tool_type.php
Severity/Risk: Serious
Versions affected: 2.7 to 2.7.2, 2.6 to 2.6.5, 2.5 to 2.5.8 and earlier unsupported versions
Versions fixed: 2.8, 2.7.3, 2.6.6 and 2.5.9
Reported by: Petr Skoda
Issue no.: MDL-47924
CVE identifier: CVE-2014-7836
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47924
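MSA-15-0003, MSA-14-0048 and MSA-14-0046 are all the same omission, a state-changing script that accepts a request without a session key, and MSA-14-0049 is the related case of a script printing whatever message the URL carries. The following is an added example of a toggle script written with the check in place; it is not Moodle's glossary, forum or LTI code. The plugin name mod_example, the table example_tracking and the language strings are hypothetical; require_sesskey(), sesskey(), redirect(), moodle_url and get_string() are real Moodle APIs.

```php
<?php
// Added example of the session-key check that MSA-15-0003, MSA-14-0048 and
// MSA-14-0046 report as missing, and of the reflected-message problem in
// MSA-14-0049. Not Moodle's glossary, forum or LTI code; "mod_example",
// "example_tracking" and the string ids are hypothetical.
require_once(__DIR__ . '/../../config.php');

$cmid = required_param('id', PARAM_INT);
$on   = required_param('on', PARAM_BOOL);

$cm     = get_coursemodule_from_id('example', $cmid, 0, false, MUST_EXIST);
$course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);
require_login($course, false, $cm);

// Vulnerable shape: the lines above were the only checks, so a GET such as
//   .../mod/example/settracking.php?id=12&on=0
// placed in an <img src> on any site flips the setting for whoever loads it
// while logged in to Moodle (cross-site request forgery).

// Fixed shape: every request that changes state must carry a valid sesskey.
// require_sesskey() reads the 'sesskey' request parameter, compares it with
// the logged-in user's session key and throws if it is absent or wrong.
require_sesskey();

$DB->set_field('example_tracking', 'enabled', $on ? 1 : 0,
    array('exampleid' => $cm->instance, 'userid' => $USER->id));

// MSA-14-0049 pattern: never echo a caller-supplied 'message' parameter.
// Choose the text server-side from a fixed set of language strings.
$message = $on ? get_string('trackingon', 'mod_example')
               : get_string('trackingoff', 'mod_example');

// The link that legitimately reaches this script is built with the session
// key included, e.g.
//   new moodle_url('/mod/example/settracking.php',
//       array('id' => $cm->id, 'on' => 1, 'sesskey' => sesskey()));
redirect(new moodle_url('/mod/example/view.php', array('id' => $cm->id)), $message);
```

A quick audit for this class of bug is to list every script under a module that calls $DB->insert_record, update_record, set_field or delete_records, and confirm each one calls require_sesskey() (or confirm_sesskey() on a form submission) before the first write. Scripts that only read need no session key, which is why the check is easy to forget when a read-only script later grows a write path.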