Security Announcements
MSA-15-0046: Choice module closing date can be bypassed
Marina Glancy
Monday, 16 November 2015, 12:31 PM
| Description: | Users can mock URL to delete or submit new responses after the choice module was closed |
| Issue summary: | Users can delete and submit new responses even when the choice is closed |
| Severity/Risk: | Minor |
| Versions affected: | 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions |
| Versions fixed: | 2.9.3, 2.8.9 and 2.7.11 |
| Reported by: | Juan Leyva |
| Issue no.: | MDL-51569 |
| CVE identifier: | CVE-2015-5342 |
| Changes (master): | git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51569 |
Permalink
MSA-15-0045: SCORM module allows to bypass access restrictions based on date
Marina Glancy
Monday, 16 November 2015, 12:28 PM
| Description: | Incorrect and missing handling of availability dates in mod_scorm let users to view the SCORM contents bypassing the date restriction |
| Issue summary: | Incorrect and missing handling of availability dates in mod_scorm let users to view the SCORM contents bypassing the date restriction |
| Severity/Risk: | Minor |
| Versions affected: | 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions |
| Versions fixed: | 2.9.3, 2.8.9 and 2.7.11 |
| Reported by: | Juan Leyva |
| Issue no.: | MDL-50837 |
| CVE identifier: | CVE-2015-5341 |
| Changes (master): | git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50837 |
Permalink
MSA-15-0044: Capability to view available badges is not respected
Marina Glancy
Monday, 16 November 2015, 12:27 PM
| Description: | Logged in users who do not have capability 'View available badges without earning them' can still access the full list of badges |
| Issue summary: | Capability moodle/badges:viewbadges is not respected |
| Severity/Risk: | Minor |
| Versions affected: | 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions |
| Versions fixed: | 2.9.3, 2.8.9 and 2.7.11 |
| Reported by: | Marina Glancy |
| Issue no.: | MDL-51684 |
| CVE identifier: | CVE-2015-5340 |
| Changes (master): | git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51684 |
Permalink
MSA-15-0043: Web service core_enrol_get_enrolled_users does not respect course group mode
Marina Glancy
Monday, 16 November 2015, 12:25 PM
| Description: | Through WS core_enrol_get_enrolled_users it is possible to retrieve list of course participants who would not be visible when using web site |
| Issue summary: | core_enrol_get_enrolled_users returns all participants even with separate groups |
| Severity/Risk: | Minor |
| Versions affected: | 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions |
| Versions fixed: | 2.9.3, 2.8.9 and 2.7.11 |
| Reported by: | Daniel Palou |
| Issue no.: | MDL-51861 |
| CVE identifier: | CVE-2015-5339 |
| Changes (master): | git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51861 |
Permalink
MSA-15-0042: CSRF in lesson login form
Marina Glancy
Monday, 16 November 2015, 12:22 PM
| Description: | Password-protected lesson modules are subject to CSRF vulnerability |
| Issue summary: | CSRF in lesson login form |
| Severity/Risk: | Minor |
| Versions affected: | 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions |
| Versions fixed: | 2.9.3, 2.8.9 and 2.7.11 |
| Reported by: | Ankit Agarwal |
| Issue no.: | MDL-48109 |
| CVE identifier: | CVE-2015-5338 |
| Changes (master): | git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48109 |
Permalink
MSA-15-0041: XSS in flash video player
Marina Glancy
Monday, 16 November 2015, 12:21 PM
| Description: | XSS vulnerability caused by Flowplayer flash video player has been addressed |
| Issue summary: | Flowplayer Reflected XSS |
| Severity/Risk: | Serious |
| Versions affected: | 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions |
| Versions fixed: | 2.9.3, 2.8.9 and 2.7.11 |
| Reported by: | Andrew Nicols |
| Issue no.: | MDL-48085 |
| Workaround: | Use HTML5 version of the player in media filter settings |
| CVE identifier: | CVE-2015-5337 |
| Changes (master): | git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48085 |
Permalink
MSA-15-0040: Student XSS in survey
Marina Glancy
Monday, 16 November 2015, 12:20 PM
| Description: | Standard survey module is vulnerable to XSS attack by students who fill the survey |
| Issue summary: | Student XSS in survey |
| Severity/Risk: | Minor |
| Versions affected: | 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions |
| Versions fixed: | 2.9.3, 2.8.9 and 2.7.11 |
| Reported by: | Hugh Davenport |
| Issue no.: | MDL-49940 |
| CVE identifier: | CVE-2015-5336 |
| Changes (master): | git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49940 |
Permalink
MSA-15-0039: CSRF in site registration form
Marina Glancy
Monday, 16 November 2015, 12:18 PM
| Description: | Attacker can send admin a link to site registration form that will display correct URL but, if submitted, will register with another hub |
| Issue summary: | It is possible to trick a site/admin into sending aggregate stats to an arbitrary domain |
| Severity/Risk: | Minor |
| Versions affected: | 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions |
| Versions fixed: | 2.9.3, 2.8.9 and 2.7.11 |
| Reported by: | Andrew Davis |
| Issue no.: | MDL-51091 |
| CVE identifier: | CVE-2015-5335 |
| Changes (master): | git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51091 |
Permalink
MSA-15-0038: DDoS possibility in Atto
Marina Glancy
Monday, 16 November 2015, 12:15 PM
| Description: | If guest access is open on the site, unauthenticated user can create a DDos attack through editor autosave area |
| Issue summary: | Guests can exploit atto draft to store content |
| Severity/Risk: | Serious |
| Versions affected: | 2.9 to 2.9.2 and 2.8 to 2.8.8 |
| Versions fixed: | 2.9.3 and 2.8.9 |
| Reported by: | Frédéric Massart |
| Issue no.: | MDL-51000 |
| Workaround: | Disable guest access until the fix is applied |
| CVE identifier: | CVE-2015-5332 |
| Changes (master): | git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51000 |
Permalink
MSA-15-0037: Possible to send a message to a user who blocked messages from non contacts
Marina Glancy
Monday, 16 November 2015, 12:14 PM
| Description: | Insufficient settings check when messaging another user opens spam possibility |
| Issue summary: | Users who are not in contact list still can send messages though it is blocked in preferences |
| Severity/Risk: | Minor |
| Versions affected: | 2.9 to 2.9.2 |
| Versions fixed: | 2.9.3 |
| Reported by: | Pavel Sokolov |
| Issue no.: | MDL-50426 |
| CVE identifier: | CVE-2015-5331 |
| Changes (master): | git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50426 |
Permalink
Older topics ...