Messages required extra sanitizing before updating the conversation overview, to prevent the risk of stored XSS.
| Severity/Risk: | Serious |
| Versions affected: | 3.8 |
| Versions fixed: | 3.8.1 |
| Reported by: | Cid da Costa |
| Workaround: | Disable the messaging system until the patch has been applied. |
| CVE identifier: | CVE-2020-1691 |
| Changes (master): | http://g |
When a cohort role assignment was removed, the associated capabilites were not being revoked (where applicable).
| Severity/Risk: | Minor |
| Versions affected: | 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions |
| Versions fixed: | 3.7.3, 3.6.7 and 3.5.9 |
| Reported by: | Yusuf Yilmaz, Mick Cassell |
| CVE identifier: | CVE-2019-148 |
OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise.
| Severity/Risk: | Serious |
| Versions affected: | 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions |
| Versions fixed: | 3.7.3, 3.6.7 and 3.5.9 |
| Reported by: | CeDiS Team |
User emails required additional sanitizing to prevent blind XSS risk on some pages.
| Severity/Risk: | Minor |
| Versions affected: | 3.7 to 3.7.2 |
| Versions fixed: | 3.7.3 |
| Reported by: | Yuri Zwaig |
| CVE identifier: | CVE-2019-14881 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66762 |
| Tracker |
An open redirect existed in the Lesson edit page.
| Severity/Risk: | Minor |
| Versions affected: | 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions |
| Versions fixed: | 3.7.3, 3.6.7 and 3.5.9 |
| Reported by: | Paul Holden |
| CVE identifier: | CVE-2019-14882 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HE |
Tokens used to fetch inline attachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path, and their token.
| Severity/Risk: | Minor |
| Versions affected: | 3.7 to 3.7.2 and 3.6 to 3.6.6 |
| Versions fixed: | 3.7.3 and 3.6.7 |
| Reported by: | Juan Leyva |
| C |
Fatal error messages required extra sanitizing to prevent reflected XSS risks on some pages.
| Severity/Risk: | Serious |
| Versions affected: | 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions |
| Versions fixed: | 3.7.3, 3.6.7 and 3.5.9 |
| Reported by: | Yuriy Dyachenko |
| CVE identifier: | CVE-2019-14884 |
| Changes (master): | http://git |
Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates.
| Severity/Risk: | Serious |
| Versions affected: | 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions |
| Versions |
Users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role.
| Severity/Risk: | Minor |
| Versions affected: | 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions |
| Versions fixed: | 3.7.2, 3.6.6 and 3.5.8 |
| Rep |
The analytics Python Machine Learning backend has received some security fixes, resulting in the required PIP package version being increased. (Note: Sites using the PHP ML backend, or not using analytics are not affected)
| Severity/Risk: | Minor |
| Versions affected: | 3.7 to 3.7.1, 3.6 to 3.6.5 and 3.5 to 3.5.7 and earlier |
Activity creation capabilities were not correctly respected when selecting the activity to use for a course in single activity mode.
| Severity/Risk: | Minor |
| Versions affected: | 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions |
| Versions fixed: | 3.7.2, 3.6.6 and 3.5.8 |
| Reported by: | Andrew Nicols |
| CVE identifier: | CVE-2 |
The mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app").
| Severity/Risk: | Serious |
| Versions |
If a forum's subscription mode was set to "forced subscription", the forum's subscribe link contained an open redirect.
| Severity/Risk: | Minor |
| Versions affected: | 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions |
| Versions fixed: | 3.7.2, 3.6.6 and 3.5.8 |
| Reported by: | John Couzins |
| Workaround: | Set a different |
A sesskey (CSRF) token was not being utilised by the XML loading/unloading admin tool.
| Severity/Risk: | Minor |
| Versions affected: | 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions |
| Versions fixed: | 3.7.1, 3.6.5 and 3.5.7 |
| Reported by: | Callum Carney |
| CVE identifier: | CVE-2019-10186 |
| Changes (master): | http://git.moodle.org/gw?p=mo |
Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access to.
| Severity/Risk: | Minor |
| Versions affected: | 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions |
| Versions fixed: | 3.7.1, 3.6.5 and 3.5.7 |
| Reported by: | Peter Dias |
| CVE identifier: | CVE-2019 |
Teachers in a quiz group could modify group overrides for other groups in the same quiz.
| Severity/Risk: | Minor |
| Versions affected: | 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions |
| Versions fixed: | 3.7.1, 3.6.5 and 3.5.7 |
| Reported by: | Charl Nel |
| CVE identifier: | CVE-2019-10188 |
| Changes (master): | http://git.moodle.org/gw?p=mood |
Teachers in an assignment group could modify group overrides for other groups in the same assignment.
| Severity/Risk: | Minor |
| Versions affected: | 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions |
| Versions fixed: | 3.7.1, 3.6.5 and 3.5.7 |
| Reported by: | David Monllaó |
| CVE identifier: | CVE-2019-10189 |
| Changes (master): | http://git.moo |
The third party TCPDF library used by Moodle required updating to patch bug fixes, including a security fix (see CVE for more details).
| Severity/Risk: | Minor |
| Versions affected: | 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions |
| Versions fixed: | 3.7.1, 3.6.5 and 3.5.7 |
| Reported by: | Dan Marsden |
| CVE identifier: | CVE-2018-1705 |
A web service fetching messages was not restricted to the current user's conversations.
| Severity/Risk: | Serious |
| Versions affected: | 3.6 to 3.6.3 |
| Versions fixed: | 3.7, 3.6.4 |
| Reported by: | Mazen Gamal |
| Workaround: | Disable the messaging system until the fix is applied. |
| CVE identifier: | CVE-2019-10132 |
| Changes (master): | http://git.moodle.org/gw?p= |