MSA-19-0003: User full name is not escaped in the un-linked userpix page

by Michael Hawkins.  

The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted.


...
Severity/Risk: Minor
Versions affected: 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions
Versions

MSA-19-0002: Blind SSRF Risk in /badges/mybackpack.php

by Michael Hawkins.  

The mybackpack functionality allowed setting the URL of badges, when it should be restricted to the Mozilla Open Badges backpack URL. This resulted in the possibility of blind SSRF via requests made by the page.


...
Severity/Risk: Minor
Versions affected: 3.1 to 3.1.15 and earlier unsupported versions
Versions fixed: 3.1.16
Reported

MSA-19-0001: Manage groups capability is missing XSS risk flag

by Michael Hawkins.  

The 'manage groups' capability did not have the 'XSS risk' flag assigned to it, but does have that access in certain places. Note that the capability is intended for use by trusted users, and is only assigned to teachers and managers by default.


...
Severity/Risk: Minor
Versions affected: 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6,

MSA-18-0020: Login CSRF vulnerability in login form

by Michael Hawkins.  

The login form is not protected by a token to prevent login cross-site request forgery.


...
Severity/Risk: Serious
Versions affected: 3.5 to 3.5.2, 3.4 to 3.4.5, 3.3 to 3.3.8, 3.1 to 3.1.14 and earlier unsupported versions
Versions fixed: 3.6, 3.5.3, 3.4.6, 3.3.9 and 3.1.15
Reported by: Daniel Thatcher
CVE identifier: CVE-2018-16854
Chan