MSA-17-0008: XSS in evidence of prior learning

by Marina Glancy.  

...
Description: A registered user could submit evidence of prior learning that includes XSS, which would be executed for another user who tried to edit the same evidence
Issue summary: XSS in evidence of prior learning
Severity/Risk: Minor
Versions affected: 3.2 to 3.2.1 and 3.1 to 3.1.4
Versions fixed: 3.2.2 and 3.1.5
Reported by: Jaymark

MSA-17-0007: Global search displays user names for unauthenticated users

by Marina Glancy.  

...
Description: Global search does not respect the "Force login for profiles" setting and displays user names to guests when it should not (user profiles were still not displayed)
Issue summary: Global search display user names, for unauthenticated user search
Severity/Risk: Minor
Versions affected: 3.2 to 3.2.1
Versions fixed: 3.2.2
Reporte

MSA-17-0005: SQL injection via user preferences

by Marina Glancy.  

...
Description: A PoC was presented of SQL injection by an ordinary registered user on Moodle 3.2 via the web interface. A similar scenario could be used in previous versions of Moodle, but only by managers/admins and only via web services.
Issue summary: Remote Code Execution @ 3.2.1
Severity/Risk: Serious
Versions affected: 3.2 to 3.2.1,

MSA-17-0004: XSS in assignment submission page

by Marina Glancy.  

...
Description: HTML injection with a potential XSS attack was possible by modifying the URL for assignment submission and tricking another user into following it
Issue summary: XSS in assignment submission page
Severity/Risk: Minor
Versions affected: 3.2 and 3.1 to 3.1.3
Versions fixed: 3.2.1 and 3.1.4 (also backported to 2.7.18 and 3.0.8