by Marina Glancy.
Paypal IPN callback script should only send error emails to admin after request origin was verified, otherwise admin email can be spammed
| Severity/Risk: | Serious |
| Versions affected: | 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions |
| Versions fixed: | 3.4.2, 3.3.5, 3.2.8 and 3.1.11 |
| Reported by: | Brend |
by Marina Glancy.
If a user account using OAuth2 authentication method was once confirmed but later suspended, user could still login to the site
| Severity/Risk: | Minor |
| Versions affected: | 3.4 to 3.4.1, 3.3 to 3.3.4 |
| Versions fixed: | 3.4.2 and 3.3.5 |
| Reported by: | Helen Foster |
| CVE identifier: | CVE-2018-1082 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git |
by Marina Glancy.
By substituting the source URL in the filepicker AJAX request authenticated users are able to retrieve and view any URL. We classify this issue as serious because some cloud hosting providers contain internal resources that can expose data and compromise a server
| Severity/Risk: | Serious |
| Versions affected: | 3.4, 3.3 to 3.3.3, 3.2 |
by Marina Glancy.
Moodle setting "cURL blocked hosts list" was introduced in Moodle 3.2 to prevent access to specific addresses (usually internal) when server retrieves URLs requested by the user. PoC was presented how to bypass this restriction by using a DNS record that returns multiple A records for a hostname.
| Severity/Risk: | Minor |
| Versions |
by Marina Glancy.
Quiz web services allow students to see quiz results when it is prohibited in the settings. This web service is used by the mobile app
| Severity/Risk: | Minor |
| Versions affected: | 3.4, 3.3 to 3.3.3, 3.2 to 3.2.6 and 3.1 to 3.1.9 |
| Versions fixed: | 3.4.1, 3.3.4, 3.2.7 and 3.1.10 |
| Reported by: | Chirine Nassar |
| CVE identifier: | CVE-2018-1044 |
| Changes |
by Marina Glancy.
It is possible to inject javascript in the event name in the calendar block. Normally capability to create events is only given to trusted users (such as teachers), however it is not marked as having XSS risk, therefore it is considered a security issue.
| Severity/Risk: | Minor |
| Versions affected: | 3.3 to 3.3.3, 3.2 to 3.2.6, 3.1 to |
by Marina Glancy.
Using search on Participants page students could search email addresses of all participants regardless of email visibility. This allows to enumerate and guess emails of other students
| Severity/Risk: | Minor |
| Versions affected: | 3.3 to 3.3.2, 3.2 to 3.2.5, 3.1 to 3.1.8 and earlier unsupported versions |
| Versions fixed: | 3.4, 3.3.3, 3.2.6 |
by Marina Glancy.
Form on the feedback "non-respondents" page does not escape the value of subject thus creating self-XSS. This can be used to attack another user by tricking them into opening malicious URL whilst in an open Moodle session
| Severity/Risk: | Minor |
| Versions affected: | 3.3 to 3.3.1, 3.2 to 3.2.4, 3.1 to 3.1.7 and earlier unsupported |
by Marina Glancy.
Number of course reports allowed teachers to view details about users in the groups they can't access
| Severity/Risk: | Minor |
| Versions affected: | 3.3 to 3.3.1, 3.2 to 3.2.4, 3.1 to 3.1.7 and earlier unsupported versions |
| Versions fixed: | 3.3.2, 3.2.5 and 3.1.8 |
| Reported by: | Juan Leyva |
| CVE identifier: | CVE-2017-12157 |
| Changes (master): | http://git |
by Marina Glancy.
This fix may affect plugins using this API function, there is no exploit in standard Moodle
| Severity/Risk: | Minor |
| Versions affected: | 3.3 to 3.3.1, 3.2 to 3.2.4, 3.1 to 3.1.7 and earlier unsupported versions |
| Versions fixed: | 3.3.2, 3.2.5 and 3.1.8 |
| Reported by: | Ankit Agarwal |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=se |
by Marina Glancy.
Directories vendor/ and node_modules/ that are created by composer and used during Moodle development may expose dangerous scripts to the web and should never be present on production sites. This issue adds a respective security check.
Manual action may be required from the site admin to remove composer-generated...
by Marina Glancy.
Some pages show full names of users as part of the permission error message even for users who do not have capability to view full names
| Severity/Risk: | Minor |
| Versions affected: | 3.3, 3.2 to 3.2.3, 3.1 to 3.1.6 and earlier unsupported versions |
| Versions fixed: | 3.3.1, 3.2.4 and 3.1.7 |
| Reported by: | Andreas Grabs |
| CVE identifier: | CVE-2017-264 |
by Marina Glancy.
Timeline view of the new course overview block can show events for activities that user can not yet access because the course is hidden.
| Severity/Risk: | Minor |
| Versions affected: | 3.3 |
| Versions fixed: | 3.3.1 |
| Reported by: | Charles Fulton |
| CVE identifier: | CVE-2017-7531 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HE |
by Marina Glancy.
Insufficient permission check in "Site administration" tree allows users who have permission to access one page in the tree to change other settings.
| Severity/Risk: | Minor |
| Versions affected: | 3.3, 3.2 to 3.2.3, 3.1 to 3.1.6 and earlier unsupported versions |
| Versions fixed: | 3.3.1, 3.2.4 and 3.1.7 |
| Reported by: | Thomas Jaisson |
| CVE |
by Marina Glancy.
Old CAS servers (3.3.5.1 or 3.4.2.1, both released Jul 21, 2010) do not escape the failure message which could be exploited with the phpCAS client library that is shipped as part of Moodle. Only fix for this issue was picked to phpCAS library in Moodle, the library will be upgraded to the latest version in the next major...
由“Marina Glancy”.
User could edit somebody else's external blog link. The ownership of the blog would be changed to the current user, therefore compromising other people was not possible
| Severity/Risk: | Minor |
| Versions affected: | 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to 2.7.19 and other unsupported versions |
| Versions fixed: | 3.2.3, 3.1.6, |
由“Marina Glancy”.
Capability to search blogs was not checked properly resulting in users being able to search blogs without permission
| Severity/Risk: | Minor |
| Versions affected: | 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to 2.7.19 and other unsupported versions |
| Versions fixed: | 3.2.3, 3.1.6, 3.0.10 and 2.7.20 |
| Reported by: | Daniel Kosinski |
| CVE |
由“Marina Glancy”.
The link changing user preference of how many courses to see in their course overview block was not protected against CSRF. This represents a minor security issue since it can't be exploited for anybody's benefit, only to create confusions
| Severity/Risk: | Minor |
| Versions affected: | 3.2 to 3.2.2, 3.1 to 3.1.5, 3.0 to 3.0.9, 2.7 to |
由“Marina Glancy”.
Users without capability to add attachment to forum posts were able to do it via Web Services. This Web Service is used in mobile app.
| Severity/Risk: | Minor |
| Versions affected: | 3.2 to 3.2.2 and 3.1 to 3.1.5 |
| Versions fixed: | 3.2.3 and 3.1.6 |
| Reported by: | Juan Leyva |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h= |
by Marina Glancy.
| Description: | PoC was presented of SQL injection by an ordinary registered user on Moodle 3.2 via web interface. Similar scenario could be used in previous versions of Moodle but only by managers/admins and only via web services. |
| Issue summary: | Remote Code Execution @ 3.2.1 |
| Severity/Risk: | Serious |
| Versions affected: | 3.2 to 3.2.1, |