MSA-19-0024: Assigned Role in Cohort did not un-assign on removal

by Michael Hawkins.  

When a cohort role assignment was removed, the associated capabilities were not being revoked (where applicable).


...
Severity/Risk: Minor
Versions affected: 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions
Versions fixed: 3.7.3, 3.6.7 and 3.5.9
Reported by: Yusuf Yilmaz, Mick Cassell
CVE identifier: CVE-2019-148

MSA-19-0025: Add additional verification for some OAuth 2 logins to prevent account compromise

by Michael Hawkins.  

OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise.


...
Severity/Risk: Serious
Versions affected: 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions
Versions fixed: 3.7.3, 3.6.7 and 3.5.9
Reported by: CeDiS Team

MSA-19-0026: Blind XSS reflected in some locations where user email is displayed

by Michael Hawkins.  

User emails required additional sanitizing to prevent blind XSS risk on some pages.


...
Severity/Risk: Minor
Versions affected: 3.7 to 3.7.2
Versions fixed: 3.7.3
Reported by: Yuri Zwaig
CVE identifier: CVE-2019-14881
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66762
Tracker


MSA-19-0028: Email media URL tokens were not checking for user status

by Michael Hawkins.  

Tokens used to fetch inline attachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path and their token.


...
Severity/Risk: Minor
Versions affected: 3.7 to 3.7.2 and 3.6 to 3.6.6
Versions fixed: 3.7.3 and 3.6.7
Reported by: Juan Leyva
C

MSA-19-0029: Reflected XSS possible from some fatal error messages

by Michael Hawkins.  

Fatal error messages required extra sanitizing to prevent reflected XSS risks on some pages.


...
Severity/Risk: Serious
Versions affected: 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions
Versions fixed: 3.7.3, 3.6.7 and 3.5.9
Reported by: Yuriy Dyachenko
CVE identifier: CVE-2019-14884
Changes (master): http://git

Re: MSA-19-0019: Course creation did not check the creator's role assignment capability before automatically assigning them as a teacher in the course

by Michael Hawkins.  

Please note, this issue has been revisited in MDL-66683, as part of the latest minor releases. It appears this was not a bug, and that the original behaviour was the intended functionality. As this change was negatively impacting some course-creation workflows, the functionality has been reverted as of versions 3.7.3,...

MSA-19-0018: JavaScript injection possible in some Mustache templates via recursive rendering from contexts

by Michael Hawkins.  

Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates.


...
Severity/Risk: Serious
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions

MSA-19-0019: Course creation did not check the creator's role assignment capability before automatically assigning them as a teacher in the course

by Michael Hawkins.  

Users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role.


...
Severity/Risk: Minor
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Rep

MSA-19-0020: Python Machine Learning dependency versions bumped

by Michael Hawkins.  

The analytics Python Machine Learning backend has received some security fixes, resulting in the required PIP package version being increased. (Note: sites using the PHP ML backend, or not using analytics, are not affected.)


...
Severity/Risk: Minor
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5 and 3.5 to 3.5.7 and earlier

MSA-19-0021: Activity :addinstance capabilities were not respected when creating a course in single activity format

by Michael Hawkins.  

Activity creation capabilities were not correctly respected when selecting the activity to use for a course in single activity mode.


...
Severity/Risk: Minor
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Reported by: Andrew Nicols
CVE identifier: CVE-2

MSA-19-0022: Open redirect in the mobile launch endpoint could be used to expose mobile access tokens

by Michael Hawkins.  

The mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app").


...
Severity/Risk: Serious
Versions

MSA-19-0023: Forum subscribe link contained an open redirect if forced subscription mode was enabled

by Michael Hawkins.  

If a forum's subscription mode was set to "forced subscription", the forum's subscribe link contained an open redirect.


...
Severity/Risk: Minor
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Reported by: John Couzins
Workaround: Set a different

MSA-19-0013: Missing sesskey (CSRF) token in loading/unloading XML files

by Michael Hawkins.  

A sesskey (CSRF) token was not being utilised by the XML loading/unloading admin tool.


...
Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: Callum Carney
CVE identifier: CVE-2019-10186
Changes (master): http://git.moodle.org/gw?p=mo

MSA-19-0014: Ability to delete glossary entries that belong to another glossary

by Michael Hawkins.  

Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access to.


...
Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: Peter Dias
CVE identifier: CVE-2019

MSA-19-0015: Quiz group overrides did not observe groups membership or accessallgroups

by Michael Hawkins.  

Teachers in a quiz group could modify group overrides for other groups in the same quiz.


...
Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: Charl Nel
CVE identifier: CVE-2019-10188
Changes (master): http://git.moodle.org/gw?p=mood

MSA-19-0016: Assignment group overrides did not observe separate groups mode

by Michael Hawkins.  

Teachers in an assignment group could modify group overrides for other groups in the same assignment.


...
Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: David Monllaó
CVE identifier: CVE-2019-10189
Changes (master): http://git.moo

MSA-19-0017: Upgrade TCPDF library for PHP 7.3 and bug fixes (upstream)

by Michael Hawkins.  

The third party TCPDF library used by Moodle required updating to patch bug fixes, including a security fix (see CVE for more details).


...
Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: Dan Marsden
CVE identifier: CVE-2018-1705