MSA-18-0004: XSS in calendar event name

by Marina Glancy.  

It is possible to inject JavaScript into the event name in the calendar block. Normally the capability to create events is given only to trusted users (such as teachers); however, it is not marked as having XSS risk, so this is considered a security issue.


...
Severity/Risk: Minor
Versions affected: 3.3 to 3.3.3, 3.2 to 3.2.6, 3.1 to
Read more...

MSA-18-0003: Privilege escalation in quiz web services

by Marina Glancy.  

Quiz web services allow students to see quiz results when it is prohibited in the settings. This web service is used by the mobile app


...
Severity/Risk: Minor
Versions affected: 3.4, 3.3 to 3.3.3, 3.2 to 3.2.6 and 3.1 to 3.1.9
Versions fixed: 3.4.1, 3.3.4, 3.2.7 and 3.1.10
Reported by: Chirine Nassar
CVE identifier: CVE-2018-1044
Changes
Read more...

MSA-18-0002: Setting for blocked hosts list can be bypassed with multiple A record hostnames

by Marina Glancy.  

The Moodle setting "cURL blocked hosts list" was introduced in Moodle 3.2 to prevent access to specific addresses (usually internal) when the server retrieves URLs requested by the user. A PoC was presented showing how to bypass this restriction by using a DNS record that returns multiple A records for a hostname.


...
Severity/Risk: Minor
Versions
Read more...

MSA-18-0001: Server Side Request Forgery in the filepicker

by Marina Glancy.  

By substituting the source URL in the filepicker AJAX request, authenticated users are able to retrieve and view any URL. We classify this issue as serious because some cloud hosting providers contain internal resources that can expose data and compromise a server


...
Severity/Risk: Serious
Versions affected: 3.4, 3.3 to 3.3.3, 3.2
Read more...