by Marina Glancy.
Some pages show full names of users as part of the permission error message even for users who do not have capability to view full names
| Severity/Risk: | Minor |
| Versions affected: | 3.3, 3.2 to 3.2.3, 3.1 to 3.1.6 and earlier unsupported versions |
| Versions fixed: | 3.3.1, 3.2.4 and 3.1.7 |
| Reported by: | Andreas Grabs |
| CVE identifier: | CVE-2017-264 |
by Marina Glancy.
Timeline view of the new course overview block can show events for activities that user can not yet access because the course is hidden.
| Severity/Risk: | Minor |
| Versions affected: | 3.3 |
| Versions fixed: | 3.3.1 |
| Reported by: | Charles Fulton |
| CVE identifier: | CVE-2017-7531 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HE |
by Marina Glancy.
Insufficient permission check in "Site administration" tree allows users who have permission to access one page in the tree to change other settings.
| Severity/Risk: | Minor |
| Versions affected: | 3.3, 3.2 to 3.2.3, 3.1 to 3.1.6 and earlier unsupported versions |
| Versions fixed: | 3.3.1, 3.2.4 and 3.1.7 |
| Reported by: | Thomas Jaisson |
| CVE |
by Marina Glancy.
Old CAS servers (3.3.5.1 or 3.4.2.1, both released Jul 21, 2010) do not escape the failure message which could be exploited with the phpCAS client library that is shipped as part of Moodle. Only fix for this issue was picked to phpCAS library in Moodle, the library will be upgraded to the latest version in the next major...
由“Marina Glancy”.
User could edit somebody else's external blog link. The ownership of the blog would be changed to the current user, therefore compromising other people was not possible
| Severity/Risk: | Minor |
| Versions affected: | 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to 2.7.19 and other unsupported versions |
| Versions fixed: | 3.2.3, 3.1.6, |
由“Marina Glancy”.
Capability to search blogs was not checked properly resulting in users being able to search blogs without permission
| Severity/Risk: | Minor |
| Versions affected: | 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to 2.7.19 and other unsupported versions |
| Versions fixed: | 3.2.3, 3.1.6, 3.0.10 and 2.7.20 |
| Reported by: | Daniel Kosinski |
| CVE |
由“Marina Glancy”.
The link changing user preference of how many courses to see in their course overview block was not protected against CSRF. This represents a minor security issue since it can't be exploited for anybody's benefit, only to create confusions
| Severity/Risk: | Minor |
| Versions affected: | 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to |
由“Marina Glancy”.
Users without capability to add attachment to forum posts were able to do it via Web Services. This Web Service is used in mobile app.
| Severity/Risk: | Minor |
| Versions affected: | 3.2 to 3.2.2 and 3.1 to 3.1.5 |
| Versions fixed: | 3.2.3 and 3.1.6 |
| Reported by: | Juan Leyva |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h= |
by Marina Glancy.
| Description: | PoC was presented of SQL injection by an ordinary registered user on Moodle 3.2 via web interface. Similar scenario could be used in previous versions of Moodle but only by managers/admins and only via web services. |
| Issue summary: | Remote Code Execution @ 3.2.1 |
| Severity/Risk: | Serious |
| Versions affected: | 3.2 to 3.2.1, |
by Marina Glancy.
| Description: | Global search does not respect "Force login for profiles" setting and displays user names to guests when it should not (User profiles were still not displayed) |
| Issue summary: | Global search display user names, for unauthenticated user search |
| Severity/Risk: | Minor |
| Versions affected: | 3.2 to 3.2.1 |
| Versions fixed: | 3.2.2 |
| Reporte |
by Marina Glancy.
| Description: | Registered user could submit evidence of prior learning that includes XSS that will be executed for another user who tried to edit the same evidence |
| Issue summary: | XSS in evidence of prior learning |
| Severity/Risk: | Minor |
| Versions affected: | 3.2 to 3.2.1 and 3.1 to 3.1.4 |
| Versions fixed: | 3.2.2 and 3.1.5 |
| Reported by: | Jaymark |
by Marina Glancy.
| Description: | Serving files attached to evidence of prior learning did not force download. When viewed by other users they would be opened in current moodle sessions |
| Issue summary: | XSS in attachments to evidence of prior learning |
| Severity/Risk: | Serious |
| Versions affected: | 3.2 to 3.2.1 and 3.1 to 3.1.4 |
| Versions fixed: | 3.2.2 and 3.1.5 |
| Rep |
by Marina Glancy.
| Description: | It is possible to read a system file by trying to include it in boost theme preset. This can only be exploited by moodle admins and only potentially dangerous in developer debugging mode. |
| Issue summary: | System file inclusion when adding own preset file (Boost theme) |
| Severity/Risk: | Minor |
| Versions affected: | 3.2 |
| Versions |
by Marina Glancy.
| Description: | Forum post author can change too many fields when editing the post |
| Issue summary: | Incorrect sanitation of attributes |
| Severity/Risk: | Minor |
| Versions affected: | 3.2, 3.1 to 3.1.3, 3.0 to 3.0.7, 2.9 to 2.9.9, 2.8 to 2.8.12, 2.7 to 2.7.17 and earlier unsupported versions |
| Versions fixed: | 3.2.1, 3.1.4, 3.0.8 and 2.7.18 |
| Reported |
by Marina Glancy.
| Description: | Forum post author can change too many fields when editing the post |
| Issue summary: | Incorrect sanitation of attributes |
| Severity/Risk: | Minor |
| Versions affected: | 3.2, 3.1 to 3.1.3, 3.0 to 3.0.7, 2.9 to 2.9.9, 2.8 to 2.8.12, 2.7 to 2.7.17 and earlier unsupported versions |
| Versions fixed: | 3.2.1, 3.1.4, 3.0.8 and 2.7.18 |
| Reported |
by Marina Glancy.
| Description: | Security vulnerability was reported against PHPMailer, third party library used by Moodle. As a result Moodle improved validation of no-reply address (that can only be configured by admin), all other fields were already properly sanitized. This issue only affect sites that leave $CFG->smtphosts empty. |
| Issue |
by Marina Glancy.
| Description: | HTML injection with potential XSS attack was possible by modifying URL for assignment submission and tricking another user into following it |
| Issue summary: | XSS in assignment submission page |
| Severity/Risk: | Minor |
| Versions affected: | 3.2 and 3.1 to 3.1.3 |
| Versions fixed: | 3.2.1 and 3.1.4 (also backported to 2.7.18 and 3.0.8 |
by Marina Glancy.
| Description: | User can guess URL of the file embedded in a question that they are not able to access and download it using identificator of a question they can access |
| Issue summary: | Question engine allows access to files that I should not be able to view |
| Severity/Risk: | Minor |
| Versions affected: | 3.1 to 3.1.2, 3.0 to 3.0.6, 2.9 to |
by Marina Glancy.
| Description: | Normally in Moodle web interface non-admin users with capability to edit other users can not edit information about admins, this was not respected in one of the web services. This can only be a security vulnerability if this WS was exposed to some external service; it is not exposed to the mobile app |
| Issue |
by Marina Glancy.
| Description: | Incorrect capability check may have allowed users to view course notes when they had site-wide permission which was revoked inside a course |
| Issue summary: | Notes has_capability check not called for correct context |
| Severity/Risk: | Minor |
| Versions affected: | 3.1 to 3.1.2, 3.0 to 3.0.6, 2.9 to 2.9.8, 2.8 to 2.8.12, 2.7 to |