MathJax versions 2.7.2 and earlier contain a stored XSS risk. The MathJax URL has been updated to reference a newer version, which has the vulnerability patched.
| Severity/Risk: | Serious |
| Versions affected: | 3.8 to 3.8.2, 3.7 to 3.7.5, 3.6 to 3.6.9, 3.5 to 3.5.11 and earlier unsupported versions |
| Versions fixed: | 3.8.3, 3.7.6, 3.6.10 |
It was possible to create a SCORM package in such a way that when added to a course, it could be interacted with via web services in order to achieve remote code execution.
| Severity/Risk: | Serious |
| Versions affected: | 3.8 to 3.8.2, 3.7 to 3.7.5, 3.6 to 3.6.9, 3.5 to 3.5.11 and earlier unsupported versions |
| Versions fixed: | 3.8.3, |
Users viewing the grade history report without the 'access all groups' capability were not restricted to viewing grades of users within their own groups.
| Severity/Risk: | Minor |
| Versions affected: | 3.8 to 3.8.1, 3.7 to 3.7.4, 3.6 to 3.6.8, 3.5 to 3.5.10 and earlier unsupported versions |
| Versions fixed: | 3.8.2, 3.7.5, 3.6.9 and 3.5.11 |
| R |
X-Forwarded-For headers could be used to spoof a user's IP, in order to bypass remote address checks.
PATCH NOTE: For user IPs to be checked (and logged) accurately after this patch is applied, sites using multiple levels of reverse proxies/balancers that append to the X-Forwarded-For header will need to configure the new "...
Insufficient input escaping was applied to the PHP unit webrunner admin tool.
NOTE: It is important to note that this update is only flagged as a precautionary measure, as it may provide limited CLI access to Moodle site admins. This may be considered a security risk in circumstances where admins do not ordinarily have...
Messages required extra sanitizing before updating the conversation overview, to prevent the risk of stored XSS.
| Severity/Risk: | Serious |
| Versions affected: | 3.8 |
| Versions fixed: | 3.8.1 |
| Reported by: | Cid da Costa |
| Workaround: | Disable the messaging system until the patch has been applied. |
| CVE identifier: | CVE-2020-1691 |
| Changes (master): | http://g |
When a cohort role assignment was removed, the associated capabilites were not being revoked (where applicable).
| Severity/Risk: | Minor |
| Versions affected: | 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions |
| Versions fixed: | 3.7.3, 3.6.7 and 3.5.9 |
| Reported by: | Yusuf Yilmaz, Mick Cassell |
| CVE identifier: | CVE-2019-148 |
OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise.
| Severity/Risk: | Serious |
| Versions affected: | 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions |
| Versions fixed: | 3.7.3, 3.6.7 and 3.5.9 |
| Reported by: | CeDiS Team |
User emails required additional sanitizing to prevent blind XSS risk on some pages.
| Severity/Risk: | Minor |
| Versions affected: | 3.7 to 3.7.2 |
| Versions fixed: | 3.7.3 |
| Reported by: | Yuri Zwaig |
| CVE identifier: | CVE-2019-14881 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66762 |
| Tracker |
An open redirect existed in the Lesson edit page.
| Severity/Risk: | Minor |
| Versions affected: | 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions |
| Versions fixed: | 3.7.3, 3.6.7 and 3.5.9 |
| Reported by: | Paul Holden |
| CVE identifier: | CVE-2019-14882 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HE |
Tokens used to fetch inline attachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path, and their token.
| Severity/Risk: | Minor |
| Versions affected: | 3.7 to 3.7.2 and 3.6 to 3.6.6 |
| Versions fixed: | 3.7.3 and 3.6.7 |
| Reported by: | Juan Leyva |
| C |
Fatal error messages required extra sanitizing to prevent reflected XSS risks on some pages.
| Severity/Risk: | Serious |
| Versions affected: | 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions |
| Versions fixed: | 3.7.3, 3.6.7 and 3.5.9 |
| Reported by: | Yuriy Dyachenko |
| CVE identifier: | CVE-2019-14884 |
| Changes (master): | http://git |
Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates.
| Severity/Risk: | Serious |
| Versions affected: | 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions |
| Versions |
Users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role.
| Severity/Risk: | Minor |
| Versions affected: | 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions |
| Versions fixed: | 3.7.2, 3.6.6 and 3.5.8 |
| Rep |
The analytics Python Machine Learning backend has received some security fixes, resulting in the required PIP package version being increased. (Note: Sites using the PHP ML backend, or not using analytics are not affected)
| Severity/Risk: | Minor |
| Versions affected: | 3.7 to 3.7.1, 3.6 to 3.6.5 and 3.5 to 3.5.7 and earlier |
Activity creation capabilities were not correctly respected when selecting the activity to use for a course in single activity mode.
| Severity/Risk: | Minor |
| Versions affected: | 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions |
| Versions fixed: | 3.7.2, 3.6.6 and 3.5.8 |
| Reported by: | Andrew Nicols |
| CVE identifier: | CVE-2 |
The mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app").
| Severity/Risk: | Serious |
| Versions |
If a forum's subscription mode was set to "forced subscription", the forum's subscribe link contained an open redirect.
| Severity/Risk: | Minor |
| Versions affected: | 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions |
| Versions fixed: | 3.7.2, 3.6.6 and 3.5.8 |
| Reported by: | John Couzins |
| Workaround: | Set a different |
A sesskey (CSRF) token was not being utilised by the XML loading/unloading admin tool.
| Severity/Risk: | Minor |
| Versions affected: | 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions |
| Versions fixed: | 3.7.1, 3.6.5 and 3.5.7 |
| Reported by: | Callum Carney |
| CVE identifier: | CVE-2019-10186 |
| Changes (master): | http://git.moodle.org/gw?p=mo |