MSA-19-0018: JavaScript injection possible in some Mustache templates via recursive rendering from contexts

by Michael Hawkins.  

Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates.

Severity/Risk: Serious
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions

MSA-19-0019: Course creation did not check the creator's role assignment capability before automatically assigning them as a teacher in the course

by Michael Hawkins.  

Users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role.

Severity/Risk: Minor
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Rep

MSA-19-0020: Python Machine Learning dependency versions bumped

by Michael Hawkins.  

The analytics Python Machine Learning backend has received some security fixes, resulting in the required PIP package version being increased. (Note: Sites using the PHP ML backend, or not using analytics, are not affected.)

Severity/Risk: Minor
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5 and 3.5 to 3.5.7 and earlier

MSA-19-0021: Activity :addinstance capabilities were not respected when creating a course in single activity format

by Michael Hawkins.  

Activity creation capabilities were not correctly respected when selecting the activity to use for a course in single activity mode.

Severity/Risk: Minor
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Reported by: Andrew Nicols
CVE identifier: CVE-2

MSA-19-0022: Open redirect in the mobile launch endpoint could be used to expose mobile access tokens

by Michael Hawkins.  

The mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app").

Severity/Risk: Serious
Versions

MSA-19-0023: Forum subscribe link contained an open redirect if forced subscription mode was enabled

by Michael Hawkins.  

If a forum's subscription mode was set to "forced subscription", the forum's subscribe link contained an open redirect.

Severity/Risk: Minor
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Reported by: John Couzins
Workaround: Set a different

MSA-19-0013: Missing sesskey (CSRF) token in loading/unloading XML files

by Michael Hawkins.  

A sesskey (CSRF) token was not being utilised by the XML loading/unloading admin tool.

Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: Callum Carney
CVE identifier: CVE-2019-10186
Changes (master): http://git.moodle.org/gw?p=mo

MSA-19-0014: Ability to delete glossary entries that belong to another glossary

by Michael Hawkins.  

Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access to.

Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: Peter Dias
CVE identifier: CVE-2019

MSA-19-0015: Quiz group overrides did not observe groups membership or accessallgroups

by Michael Hawkins.  

Teachers in a quiz group could modify group overrides for other groups in the same quiz.

Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: Charl Nel
CVE identifier: CVE-2019-10188
Changes (master): http://git.moodle.org/gw?p=mood

MSA-19-0016: Assignment group overrides did not observe separate groups mode

by Michael Hawkins.  

Teachers in an assignment group could modify group overrides for other groups in the same assignment.

Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: David Monllaó
CVE identifier: CVE-2019-10189
Changes (master): http://git.moo

MSA-19-0017: Upgrade TCPDF library for PHP 7.3 and bug fixes (upstream)

by Michael Hawkins.  

The third-party TCPDF library used by Moodle required updating to incorporate upstream bug fixes, including a security fix (see the CVE for more details).

Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: Dan Marsden
CVE identifier: CVE-2018-1705

MSA-19-0010: All messaging conversations could be viewed

by Michael Hawkins.  

A web service fetching messages was not restricted to the current user's conversations.

Severity/Risk: Serious
Versions affected: 3.6 to 3.6.3
Versions fixed: 3.7, 3.6.4
Reported by: Mazen Gamal
Workaround: Disable the messaging system until the fix is applied.
CVE identifier: CVE-2019-10132
Changes (master): http://git.moodle.org/gw?p=

MSA-19-0011: Open redirect in upload cohorts page

by Michael Hawkins.  

The form to upload cohorts contained a redirect field, which was not restricted to internal URLs.

Severity/Risk: Minor
Versions affected: 3.6 to 3.6.3, 3.5 to 3.5.5, 3.4 to 3.4.8, 3.1 to 3.1.17 and earlier unsupported versions
Versions fixed: 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18
Reported by: Lindon Wass
CVE identifier: CVE-2019-10133

MSA-19-0012: Private files uploaded via incoming mail processing could bypass quota restrictions

by Michael Hawkins.  

The size of users' private file uploads via email was not correctly checked, so their quota allowance could be exceeded.

Severity/Risk: Minor
Versions affected: 3.6 to 3.6.3, 3.5 to 3.5.5, 3.4 to 3.4.8, 3.1 to 3.1.17 and earlier unsupported versions
Versions fixed: 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18
Reported by: Guillermo Leon

MSA-19-0004: Log in as functionality exposed to JavaScript risk on other users' Dashboards

by Michael Hawkins.  

Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf.

Please note that for versions 3.1 and 3.4 only, this...

MSA-19-0005: Logged in users could view all calendar events

by Michael Hawkins.  

Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged in non-guest users could view unauthorised calendar events. (Note: It was read-only access, users could not edit the events.)

Severity/Risk: Serious
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4 and

MSA-19-0006: Users could elevate their role when accessing the LTI tool on a provider site

by Michael Hawkins.  

Users could assign themselves an escalated role within courses or content accessed via LTI, by modifying the request to the LTI publisher site.

Severity/Risk: Serious
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4, 3.4 to 3.4.7 and earlier unsupported versions
Versions fixed: 3.6.3, 3.5.5 and 3.4.8
Reported by: Brendan Cox
CVE

MSA-19-0007: Stored HTML in assignment submission comments allowed links to be opened directly

by Michael Hawkins.  

Links within assignment submission comments would open directly (in the same window). Although links themselves may be valid, opening within the same window and without the no-referrer header policy made them more susceptible to exploits.

Severity/Risk: Minor
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4, 3.4 to 3.4.7, 3.1 to

MSA-19-0008: Secure layout contained an insecure link in Boost theme

by Michael Hawkins.  

There was a link to the site home within the Boost theme's secure layout, meaning students could navigate out of the page.

Severity/Risk: Minor
Versions affected: 3.6 to 3.6.2 and 3.5 to 3.5.4
Versions fixed: 3.6.3 and 3.5.5
Reported by: Martin von Löwis and Luca Bösch
CVE identifier: CVE-2019-3851
Changes (master): http://git.moodle.

MSA-19-0009: get_with_capability_join/get_users_by_capability not aware of context freezing

by Michael Hawkins.  

get_with_capability_join and get_users_by_capability were not taking context freezing into account when checking user capabilities.

Severity/Risk: Minor
Versions affected: 3.6 to 3.6.2
Versions fixed: 3.6.3
Reported by: Andrew Nicols
CVE identifier: CVE-2019-3852
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&