MSA-19-0018: JavaScript injection possible in some Mustache templates via recursive rendering from contexts

by Michael Hawkins.  

Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates.


...
Severity/Risk: Serious
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions

MSA-19-0017: Upgrade TCPDF library for PHP 7.3 and bug fixes (upstream)

by Michael Hawkins.  

The third-party TCPDF library used by Moodle required updating to incorporate bug fixes, including a security fix (see CVE for more details).


...
Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: Dan Marsden
CVE identifier: CVE-2018-1705

MSA-19-0016: Assignment group overrides did not observe separate groups mode

by Michael Hawkins.  

Teachers in an assignment group could modify group overrides for other groups in the same assignment.


...
Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: David Monllaó
CVE identifier: CVE-2019-10189
Changes (master): http://git.moo

MSA-19-0015: Quiz group overrides did not observe groups membership or accessallgroups

by Michael Hawkins.  

Teachers in a quiz group could modify group overrides for other groups in the same quiz.


...
Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: Charl Nel
CVE identifier: CVE-2019-10188
Changes (master): http://git.moodle.org/gw?p=mood