Users' enrolment capabilities were not being sufficiently checked when they restored into an existing course, which could lead to them unenrolling users without having permission to do so.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions |
| Versions |
Insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions |
| Versions fixed: | 3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15 |
| Rep |
Some database module web services allowed students to add entries within groups they did not belong to.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions |
| Versions fixed: | 3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15 |
| Reported by: | Dani Palou |
| CVE identifier: | CVE-2020 |
If the upload course tool was used to delete an enrolment method which did not exist or was not already enabled, the tool would erroneously enable that enrolment method. This could lead to unintended users gaining access to the course.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8 and 3.5 to |
It was possible to include JavaScript when re-naming content bank items.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.2 |
| Versions fixed: | 3.10, 3.9.3 |
| Reported by: | DegrangeM |
| CVE identifier: | CVE-2020-25702 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69046 |
| Tracker issue: | MDL-6 |
The participants table download always included user emails, but should have only done so when users' emails are not hidden.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8 |
| Versions fixed: | 3.10, 3.9.3, 3.8.6 and 3.7.9 |
| Reported by: | A. Schenkel |
| CVE identifier: | CVE-2020-25703 |
| Changes (master): | http://g |
The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk.
| Severity/Risk: | Serious |
| Versions affected: | 3.9 to 3.9.1 |
| Versions fixed: | 3.9.2 |
| Reported by: | Kien Hoang |
| CVE identifier: | CVE-2020-25627 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-692 |
The filter in the admin task log required extra sanitizing to prevent a reflected XSS risk.
| Severity/Risk: | Serious |
| Versions affected: | 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions |
| Versions fixed: | 3.9.2, 3.8.5, 3.7.8 and 3.5.14 |
| Reported by: | Luuk Verhoeven |
| CVE identifier: | CVE-2020-25628 |
| Chang |
Users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions |
| Versions fixed: | 3.9.2, |
The decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk.
| Severity/Risk: | Serious |
| Versions affected: | 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions |
| Versions fixed: | 3.9.2, 3.8.5, 3.7.8 and 3.5.14 |
| Rep |
It was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page.
Note: By default this functionality is only available to trusted users (such as teachers), but has been included as a security issue as a precaution, since it was not sanitized on sites with forceclean...
The JQuery version used by the H5P library contained a prototype pollution risk, which has now been updated to a patched version.
| Severity/Risk: | Minor |
| Versions affected: | 3.8 to 3.8.3 |
| Versions fixed: | 3.8.4 and 3.9 |
| Reported by: | weblendweb |
| CVE identifier: | CVE-2019-11358 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search |
The filter in the admin task log required extra sanitizing to prevent a reflected XSS risk.
| Severity/Risk: | Serious |
| Versions affected: | 3.9, 3.8 to 3.8.3 and 3.7 to 3.7.6 |
| Versions fixed: | 3.9.1, 3.8.4 and 3.7.7 |
| Reported by: | Spyridon Chatzimichail |
| CVE identifier: | CVE-2020-14320 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a |
Teachers of a course were able to assign themselves the manager role within that course.
| Severity/Risk: | Serious |
| Versions affected: | 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12 and earlier unsupported versions |
| Versions fixed: | 3.9.1, 3.8.4, 3.7.7 and 3.5.13 |
| Reported by: | Kien Hoang |
| CVE identifier: | CVE-2020-14321 |
| Changes (master): | http: |
yui_combo needed to limit the amount of files it can load to help mitigate the risk of denial of service.
| Severity/Risk: | Serious |
| Versions affected: | 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12 and earlier unsupported versions |
| Versions fixed: | 3.9.1, 3.8.4, 3.7.7 and 3.5.13 |
| Reported by: | Yuri Zwaig |
| CVE identifier: | CVE-2020-14322 |
| Chang |
MathJax versions 2.7.2 and earlier contain a stored XSS risk. The MathJax URL has been updated to reference a newer version, which has the vulnerability patched.
| Severity/Risk: | Serious |
| Versions affected: | 3.8 to 3.8.2, 3.7 to 3.7.5, 3.6 to 3.6.9, 3.5 to 3.5.11 and earlier unsupported versions |
| Versions fixed: | 3.8.3, 3.7.6, 3.6.10 |
It was possible to create a SCORM package in such a way that when added to a course, it could be interacted with via web services in order to achieve remote code execution.
| Severity/Risk: | Serious |
| Versions affected: | 3.8 to 3.8.2, 3.7 to 3.7.5, 3.6 to 3.6.9, 3.5 to 3.5.11 and earlier unsupported versions |
| Versions fixed: | 3.8.3, |
Users viewing the grade history report without the 'access all groups' capability were not restricted to viewing grades of users within their own groups.
| Severity/Risk: | Minor |
| Versions affected: | 3.8 to 3.8.1, 3.7 to 3.7.4, 3.6 to 3.6.8, 3.5 to 3.5.10 and earlier unsupported versions |
| Versions fixed: | 3.8.2, 3.7.5, 3.6.9 and 3.5.11 |
| R |
X-Forwarded-For headers could be used to spoof a user's IP, in order to bypass remote address checks.
PATCH NOTE: For user IPs to be checked (and logged) accurately after this patch is applied, sites using multiple levels of reverse proxies/balancers that append to the X-Forwarded-For header will need to configure the new "...
Insufficient input escaping was applied to the PHP unit webrunner admin tool.
NOTE: It is important to note that this update is only flagged as a precautionary measure, as it may provide limited CLI access to Moodle site admins. This may be considered a security risk in circumstances where admins do not ordinarily have...