| Topic: | Persistent XSS when using Login-as feature |
| Severity/Risk: | Major |
| Versions affected: | <1.8.12 and <1.9.8 |
| Reported by: | Sascha Herzog |
| Issue no.: | MDL-21769 |
| Solution: | upgrade to 1.8.12 or 1.9.8 |
| Workaround: | see Version control tab in tracker issue |
Description:
Users may trick admins into using the "Login as" feature to edit some existing posts which contain XSS exploit code.
| Topic: | Reflective Cross Site Scripting (XSS) in the Moodle Global Search Engine |
| Severity/Risk: | Major (if global search enabled) |
| Versions affected: | <1.8.12 and <1.9.8 |
| Reported by: | Sascha Herzog |
| Issue no.: | MDL-21649 |
| Solution: | upgrade to 1.8.12 or 1.9.8 |
| Workaround: | apply patch http://cvs.moodle.org/moodle/search/query.php?r1=1.16.2.10&r2=1.16.2.11 |
Description:
Sascha Herzog found a problem in the handling of user submitted data in global search forms. This problem is exploitable only when global search is enabled. Please note that the global search feature is still listed as experimental and is disabled by default.
| Topic: | SQL injection in Wiki module |
| Severity/Risk: | Critical |
| Versions affected: | <1.8.12 and <1.9.8 |
| Reported by: | Matthew Slowe |
| Issue no.: | MDL-21818 |
| Solution: | upgrade to 1.8.12 or 1.9.8 |
| Workaround: | apply patch http://cvs.moodle.org/moodle/mod/wiki/view.php?r1=1.76.2.6&r2=1.76.2.7 or remove mod/wiki/* if wiki module not used |
Description:
Matthew Slowe discovered that the data passed to add_to_log() function in wiki module is not sanitised properly, this could allow SQL injection type attacks if there are any instances of wiki in your courses.
| Topic: | Incorrect validation of forms data |
| Severity/Risk: | Critical |
| Versions affected: | <1.8.12 and <1.9.8 |
| Reported by: | Sascha Herzog |
| Issue no.: | MDL-21767 |
| Solution: | upgrade to 1.8.12 or 1.9.8 |
| Workaround: | apply patch http://cvs.moodle.org/moodle/lib/form/selectgroups.php?r1=1.2.4.2&r2=1.2.4.3 or http://cvs.moodle.org/moodle/lib/form/select.php?r1=1.10.4.2&r2=1.10.4.3 |
Description:
Sascha Herzog discovered a SQL injection exploit in several forms, this was caused by incorrect data validation in some forms elements.
| Topic: | Improved access control in course restore |
| Severity/Risk: | Minor |
| Versions affected: | 1.8.x and <1.9.8 |
| Reported by: | multiple reports |
| Issue no.: | MDL-16658, MDL-19233 |
| Solution: | upgrade to 1.9.8 |
| Workaround: | none |
Description:
The restoring of courses sometimes resulted in creation of new roles - that code should be now more reliable. Please note that all the users that are allowed to restore backup files must be trustworthy.
| Topic: | Disclosure of full user names |
| Severity/Risk: | Minor - privacy |
| Versions affected: | <1.8.12 and <1.9.8 |
| Reported by: | Klaus Kirchner |
| Issue no.: | MDL-21830 |
| Solution: | upgrade to 1.8.12 or 1.9.8 |
| Workaround: | apply patch http://cvs.moodle.org/moodle/user/view.php?r1=1.168.2.28&r2=1.168.2.29 |
Description:
Klaus Kirchner identified a problem in the course profile page which allowed ordinary users to find out names of other users - see http://moodle.org/mod/forum/discuss.php?d=145967 for more details.
| Topic: | XSS vulnerabilty in the phpcas module |
| Severity/Risk: | Major (if using CAS) |
| Versions affected: | <1.8.12 and <1.9.8 |
| Reported by: | Joachim Fritschi |
| Issue no.: | MDL-21802 |
| Solution: | upgrade to 1.8.12 or 1.9.8 |
| Workaround: | use CAS/Client.php from latest release |
Description:
We have backported a fix for a security problem fixed in recent version of PHP CAS client library - http://www.ja-sig.org/issues/browse/PHPCAS-52. The problem can be exploited only if CAS authentication is enabled and used on your site.
| Topic: | Vulnerability in KSES text cleaning |
| Severity/Risk: | Major |
| Versions affected: | <1.8.12 and <1.9.8 |
| Reported by: | Sam Marshall |
| Issue no.: | MDL-21026 |
| Solution: | upgrade to 1.8.12 or 1.9.8 |
| Workaround: | apply patch http://cvs.moodle.org/moodle/lib/weblib.php?r1=1.1349&r2=1.1350 |
Description:
Sam Marshall discovered a serious vulnerability in the KSES html text cleaning library that Moodle includes, please upgrade all sites in order to prevent XSS attacks from any registered user.
| Topic: | SQL injection in SCORM module |
| Severity/Risk: | Minor |
| Versions affected: | <1.8.11 and <1.9.7 |
| Reported by: | Andrea Tuccia |
| Issue no.: | MDL-20955 |
| Solution: | upgrade to 1.8.11 or 1.9.7 |
| Workaround: | none |
Description:
Andrea Tuccia discovered escaping issue when processing AICC CRS file (Course_Title). The problem is marked as minor because only trusted users are allow to upload SCORM packages.
| Topic: | New detection of insecure flash player plugins |
| Severity/Risk: | Major |
| Versions affected: | <1.9.7 |
| Reported by: | internal code review |
| Issue no.: | MDL-20841 |
| Solution: | upgrade to 1.9.7 |
| Workaround: | none |
Description:
Older Flash versions that do not respect the download http header may be used to gain unauthorised access. Moodle is now able to detect obsolete and vulnerable Flash plugin versions. Moodle will actually refuse to send uploaded files to older Flash plugins and will instead send an alternative Flash file that asks users to upgrade. All administrators and teachers should upgrade their computers as soon as possible.
