MSA-18-0007: Calculated question type allows remote code execution by Question authors

by Marina Glancy.  

A teacher creating a Calculated question can intentionally cause remote code execution on the server.


...
Severity/Risk: Serious
Versions affected: 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions
Versions fixed: 3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12
Reported by: Robin Peraglie
CVE identifier: CVE-2018-1133
Cha

MSA-18-0006: Suspended users with OAuth 2 authentication method can still log in to the site

by Marina Glancy.  

If a user account using the OAuth 2 authentication method was once confirmed but later suspended, the user could still log in to the site.


...
Severity/Risk: Minor
Versions affected: 3.4 to 3.4.1, 3.3 to 3.3.4
Versions fixed: 3.4.2 and 3.3.5
Reported by: Helen Foster
CVE identifier: CVE-2018-1082
Changes (master): http://git.moodle.org/gw?p=moodle.git

MSA-18-0005: Unauthenticated users can trigger custom messages to admin via paypal enrol script

by Marina Glancy.  

The PayPal IPN callback script should only send error emails to the admin after the request origin has been verified; otherwise the admin email address can be spammed.


...
Severity/Risk: Serious
Versions affected: 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions
Versions fixed: 3.4.2, 3.3.5, 3.2.8 and 3.1.11
Reported by: Brend

MSA-18-0004: XSS in calendar event name

by Marina Glancy.  

It is possible to inject JavaScript into the event name in the calendar block. Normally the capability to create events is only given to trusted users (such as teachers); however, that capability is not marked as carrying XSS risk, so this is considered a security issue.


...
Severity/Risk: Minor
Versions affected: 3.3 to 3.3.3, 3.2 to 3.2.6, 3.1 to