Security Announcements
MSA-15-0046: Choice module closing date can be bypassed
Marina Glancy
Monday, 16 November 2015, 12:31 PM
Description: | Users can craft a URL to delete or submit new responses after the choice activity's closing date has passed |
Issue summary: | Users can delete and submit new responses even when the choice is closed |
Severity/Risk: | Minor |
Versions affected: | 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions |
Versions fixed: | 2.9.3, 2.8.9 and 2.7.11 |
Reported by: | Juan Leyva |
Issue no.: | MDL-51569 |
CVE identifier: | CVE-2015-5342 |
Changes (master): | git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51569 |
MSA-15-0045: SCORM module allows date-based access restrictions to be bypassed
Marina Glancy
Monday, 16 November 2015, 12:28 PM
Description: | Incorrect and missing handling of availability dates in mod_scorm lets users view the SCORM contents, bypassing the date restriction |
Issue summary: | Incorrect and missing handling of availability dates in mod_scorm lets users view the SCORM contents, bypassing the date restriction |
Severity/Risk: | Minor |
Versions affected: | 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions |
Versions fixed: | 2.9.3, 2.8.9 and 2.7.11 |
Reported by: | Juan Leyva |
Issue no.: | MDL-50837 |
CVE identifier: | CVE-2015-5341 |
Changes (master): | git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50837 |
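MSA-15-0046 and MSA-15-0045 are the same bug class: the open/close check ran only in the code that decides whether to draw a form or landing page, while the handlers a client can call directly (submit, delete, content launch) trusted that the page could not have been reached after the deadline. The following is an added illustration written for this page, not Moodle's code; the Activity model, the function names and the timestamps are assumptions, chosen so the vulnerable and hardened shapes can be run side by side.

```python
"""Date-window enforcement for an activity (added illustration, not Moodle code).

Models the bug class in MSA-15-0046 (choice closing date) and MSA-15-0045
(SCORM availability dates): the open/close check lived only in the code that
decides whether to draw the form, so a request sent straight to the submit,
delete or content-launch handler was never checked. Every name is hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class Activity:
    name: str
    # Unix timestamps; 0 means "no restriction", the convention Moodle's own
    # activity settings use.
    timeopen: int = 0
    timeclose: int = 0
    responses: dict = field(default_factory=dict)  # userid -> answer


def is_available(activity: Activity, now: int) -> bool:
    """The single decision point for the time window.

    Open from timeopen inclusive, closed from timeclose inclusive.
    """
    if activity.timeopen and now < activity.timeopen:
        return False
    if activity.timeclose and now >= activity.timeclose:
        return False
    return True


# Vulnerable shape: only the view consults the window ----------------------

def vulnerable_view(activity: Activity, now: int) -> bool:
    """Whether the response form is drawn. This is the only date check."""
    return is_available(activity, now)


def vulnerable_submit(activity: Activity, userid: int, answer: str, now: int) -> bool:
    """Trusts that the form could only have been drawn while open.

    A client that crafts the POST itself, or keeps a page open past the
    deadline, reaches this handler anyway and the write goes through.
    """
    activity.responses[userid] = answer
    return True


# Hardened shape: every handler consults the same window -------------------

def hardened_submit(activity: Activity, userid: int, answer: str, now: int) -> bool:
    if not is_available(activity, now):
        return False  # a real handler would render an error page here
    activity.responses[userid] = answer
    return True


def hardened_delete(activity: Activity, userid: int, now: int) -> bool:
    """Deleting a response is also a write and gets the same gate."""
    if not is_available(activity, now):
        return False
    return activity.responses.pop(userid, None) is not None


def hardened_launch_content(activity: Activity, now: int) -> bool:
    """Content delivery (the SCORM case) is a separate entry point from the
    activity's landing page and must run the same check."""
    return is_available(activity, now)


if __name__ == "__main__":
    choice = Activity("choice", timeopen=100, timeclose=200)
    print("vulnerable submit after close accepted:", vulnerable_submit(choice, 1, "A", 300))
    print("hardened submit after close accepted:", hardened_submit(choice, 2, "B", 300))
```

The practical check when reviewing a fix of this kind is to enumerate every URL that mutates or serves the activity's data (not just the one that draws the form) and confirm each one calls the same availability function, with the boundary cases (exactly timeclose, timeopen or timeclose set to 0) behaving identically everywhere.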
MSA-15-0044: Capability to view available badges is not respected
Marina Glancy
Monday, 16 November 2015, 12:27 PM
Description: | Logged-in users who do not have the capability 'View available badges without earning them' can still access the full list of badges |
Issue summary: | Capability moodle/badges:viewbadges is not respected |
Severity/Risk: | Minor |
Versions affected: | 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions |
Versions fixed: | 2.9.3, 2.8.9 and 2.7.11 |
Reported by: | Marina Glancy |
Issue no.: | MDL-51684 |
CVE identifier: | CVE-2015-5340 |
Changes (master): | git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51684 |
MSA-15-0043: Web service core_enrol_get_enrolled_users does not respect course group mode
Marina Glancy
Monday, 16 November 2015, 12:25 PM
Description: | Through the web service core_enrol_get_enrolled_users it is possible to retrieve a list of course participants who would not be visible through the web interface |
Issue summary: | core_enrol_get_enrolled_users returns all participants even when the course uses separate groups |
Severity/Risk: | Minor |
Versions affected: | 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions |
Versions fixed: | 2.9.3, 2.8.9 and 2.7.11 |
Reported by: | Daniel Palou |
Issue no.: | MDL-51861 |
CVE identifier: | CVE-2015-5339 |
Changes (master): | git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51861 |
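The defect in MSA-15-0043 is that the participants page filtered the enrolment list by group mode but the web service path did not, so the API exposed what the UI hid. The block below is an added illustration, not Moodle's code: the constant values mirror Moodle's NOGROUPS, SEPARATEGROUPS and VISIBLEGROUPS and the capability name moodle/site:accessallgroups is the real one, but the Course model, the functions and the rule that a caller in no group sees only themselves are assumptions of this example.

```python
"""Group-mode filtering applied in the web-service layer (added illustration,
not Moodle code).

MSA-15-0043: the participants page filtered by group, but
core_enrol_get_enrolled_users did not, so the API leaked users the web UI hid.
The constants mirror Moodle's NOGROUPS / SEPARATEGROUPS / VISIBLEGROUPS and
the capability name is Moodle's; the course model and functions are
hypothetical.
"""
from dataclasses import dataclass, field

NOGROUPS, SEPARATEGROUPS, VISIBLEGROUPS = 0, 1, 2
ACCESS_ALL_GROUPS = "moodle/site:accessallgroups"  # real Moodle capability name


@dataclass
class Course:
    groupmode: int
    enrolled: set                                 # userids enrolled in the course
    groups: dict = field(default_factory=dict)    # group name -> set of userids


def groups_of(course: Course, userid: int) -> set:
    return {name for name, members in course.groups.items() if userid in members}


def visible_enrolled_users(course: Course, caller: int, caps: set) -> list:
    """The one filter both the participants page and the web service should use.

    Separate groups hide everyone outside the caller's own groups unless the
    caller may access all groups. A caller in no group sees only themselves
    (fail closed; a choice of this example, not a Moodle rule).
    """
    if course.groupmode != SEPARATEGROUPS or ACCESS_ALL_GROUPS in caps:
        return sorted(course.enrolled)
    visible = {caller}
    for name in groups_of(course, caller):
        visible |= course.groups[name]
    # Intersect with enrolments: group membership alone does not make a
    # user a participant of this course.
    return sorted(visible & course.enrolled)


def vulnerable_ws_get_enrolled_users(course: Course, caller: int, caps: set) -> list:
    """Shape of the bug: the API path returns the raw enrolment list."""
    return sorted(course.enrolled)


def hardened_ws_get_enrolled_users(course: Course, caller: int, caps: set) -> list:
    """Fix: the API delegates to the same filter the UI uses."""
    return visible_enrolled_users(course, caller, caps)


if __name__ == "__main__":
    course = Course(SEPARATEGROUPS, {1, 2, 3, 4, 5}, {"A": {1, 2}, "B": {3, 4}})
    print("vulnerable:", vulnerable_ws_get_enrolled_users(course, 1, set()))
    print("hardened:  ", hardened_ws_get_enrolled_users(course, 1, set()))
```

When auditing a web-service function, compare its output for a low-privilege token against what the same user sees in the browser; any row present in one and absent in the other is a filter that lives in only one of the two paths.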
MSA-15-0042: CSRF in lesson login form
Marina Glancy
Monday, 16 November 2015, 12:22 PM
Description: | Password-protected lesson modules are subject to a CSRF vulnerability |
Issue summary: | CSRF in lesson login form |
Severity/Risk: | Minor |
Versions affected: | 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions |
Versions fixed: | 2.9.3, 2.8.9 and 2.7.11 |
Reported by: | Ankit Agarwal |
Issue no.: | MDL-48109 |
CVE identifier: | CVE-2015-5338 |
Changes (master): | git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48109 |
MSA-15-0041: XSS in flash video player
Marina Glancy
Monday, 16 November 2015, 12:21 PM
Description: | An XSS vulnerability caused by the Flowplayer flash video player has been addressed |
Issue summary: | Flowplayer Reflected XSS |
Severity/Risk: | Serious |
Versions affected: | 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions |
Versions fixed: | 2.9.3, 2.8.9 and 2.7.11 |
Reported by: | Andrew Nicols |
Issue no.: | MDL-48085 |
Workaround: | Use HTML5 version of the player in media filter settings |
CVE identifier: | CVE-2015-5337 |
Changes (master): | git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48085 |
MSA-15-0040: Student XSS in survey
Marina Glancy
Monday, 16 November 2015, 12:20 PM
Description: | The standard survey module is vulnerable to an XSS attack by students who fill in the survey |
Issue summary: | Student XSS in survey |
Severity/Risk: | Minor |
Versions affected: | 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions |
Versions fixed: | 2.9.3, 2.8.9 and 2.7.11 |
Reported by: | Hugh Davenport |
Issue no.: | MDL-49940 |
CVE identifier: | CVE-2015-5336 |
Changes (master): | git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49940 |
MSA-15-0039: CSRF in site registration form
Marina Glancy
Monday, 16 November 2015, 12:18 PM
Description: | An attacker can send an admin a link to the site registration form that displays the correct hub URL but, if submitted, registers the site with a different hub |
Issue summary: | It is possible to trick a site/admin into sending aggregate stats to an arbitrary domain |
Severity/Risk: | Minor |
Versions affected: | 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions |
Versions fixed: | 2.9.3, 2.8.9 and 2.7.11 |
Reported by: | Andrew Davis |
Issue no.: | MDL-51091 |
CVE identifier: | CVE-2015-5335 |
Changes (master): | git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51091 |
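MSA-15-0042 (lesson password form) and MSA-15-0039 (site registration form) are both handlers that acted on a submitted form without proof that the submission came from a page this site served to this session. Moodle's own protection is a per-session token called sesskey carried as a hidden field. The block below is an added illustration for this page, not Moodle's code: it keeps the sesskey name, but the Session class, the request dictionaries and the extra check that the submitted hub URL equals the one that was displayed are assumptions of this example.

```python
"""Anti-CSRF session token check (added illustration, not Moodle code).

MSA-15-0042 (lesson password form) and MSA-15-0039 (site registration form)
are both forms whose handler acted on a request without proof that it came
from a page this site served to this session. Moodle's own mechanism is a
per-session 'sesskey' sent as a hidden field; this model keeps the name,
everything else is hypothetical.
"""
import hmac
import secrets


class Session:
    def __init__(self) -> None:
        self.sesskey = secrets.token_hex(16)   # unguessable, per session
        self.lesson_unlocked = set()           # lesson ids whose password was entered
        self.pending_huburl = None             # hub URL last shown on the registration form


def render_form(session: Session, fields: dict) -> dict:
    """Stand-in for the HTML form: the server adds the sesskey hidden field."""
    return {**fields, "sesskey": session.sesskey}


def confirm_sesskey(session: Session, request: dict) -> bool:
    supplied = request.get("sesskey")
    if not isinstance(supplied, str):
        return False
    # Constant-time comparison: the token is a secret like any other.
    return hmac.compare_digest(supplied, session.sesskey)


# Lesson password form -------------------------------------------------------

def vulnerable_lesson_login(session: Session, request: dict, lesson_pw: dict) -> bool:
    """A cross-site POST that carries the right password unlocks the lesson
    inside the victim's session, with no proof the victim submitted it."""
    lid = request["lessonid"]
    if request.get("password") != lesson_pw.get(lid):
        return False
    session.lesson_unlocked.add(lid)
    return True


def hardened_lesson_login(session: Session, request: dict, lesson_pw: dict) -> bool:
    if not confirm_sesskey(session, request):
        return False
    return vulnerable_lesson_login(session, request, lesson_pw)


# Site registration form -----------------------------------------------------

def render_register_form(session: Session, huburl: str) -> dict:
    """Remember which hub URL was displayed so the handler can insist on it."""
    session.pending_huburl = huburl
    return render_form(session, {"huburl": huburl})


def vulnerable_register(session: Session, request: dict, config: dict) -> bool:
    """Registers with whatever hub the request names: no token, and no check
    against what the admin was shown."""
    config["huburl"] = request["huburl"]
    return True


def hardened_register(session: Session, request: dict, config: dict) -> bool:
    """Token check, plus a check that the submitted hub is the displayed one.
    The second check is this example's way of closing the 'displays one URL,
    submits another' gap described in the advisory."""
    if not confirm_sesskey(session, request):
        return False
    if session.pending_huburl is None or request.get("huburl") != session.pending_huburl:
        return False
    config["huburl"] = session.pending_huburl
    return True
```

Two properties matter for the token: it is bound to the session rather than shared site-wide, and it is verified on every state-changing handler, since a form that is protected on one entry point and not on another is not protected at all.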
MSA-15-0038: DDoS possibility in Atto
Marina Glancy
Monday, 16 November 2015, 12:15 PM
Description: | If guest access is open on the site, an unauthenticated user can mount a denial-of-service attack by storing content through the editor autosave area |
Issue summary: | Guests can exploit the Atto draft autosave to store content |
Severity/Risk: | Serious |
Versions affected: | 2.9 to 2.9.2 and 2.8 to 2.8.8 |
Versions fixed: | 2.9.3 and 2.8.9 |
Reported by: | Frédéric Massart |
Issue no.: | MDL-51000 |
Workaround: | Disable guest access until the fix is applied |
CVE identifier: | CVE-2015-5332 |
Changes (master): | git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51000 |
MSA-15-0037: Possible to send a message to a user who blocked messages from non-contacts
Marina Glancy
Monday, 16 November 2015, 12:14 PM
Description: | An insufficient check of the recipient's settings when messaging another user opens a spam possibility |
Issue summary: | Users who are not in the recipient's contact list can still send messages even though this is blocked in the recipient's preferences |
Severity/Risk: | Minor |
Versions affected: | 2.9 to 2.9.2 |
Versions fixed: | 2.9.3 |
Reported by: | Pavel Sokolov |
Issue no.: | MDL-50426 |
CVE identifier: | CVE-2015-5331 |
Changes (master): | git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50426 |
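MSA-15-0037 is a preference that the interface honoured (the send option is not offered to non-contacts) but the sending code did not re-check, so a direct request bypassed it. The block below is an added illustration, not Moodle's code; the User model, the field names and the send functions are assumptions, written so the vulnerable and hardened send paths can be exercised against the same recipient.

```python
"""Recipient messaging-preference check at send time (added illustration,
not Moodle code).

MSA-15-0037: the 'block messages from non-contacts' preference was applied by
the interface but not sufficiently by the code that actually sends, so a
direct request got through. All names are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    contacts: set = field(default_factory=set)   # userids this user has added
    blocked: set = field(default_factory=set)    # userids this user has blocked
    block_noncontacts: bool = False              # the preference in question


def can_message(sender: User, recipient: User) -> bool:
    """Every rule the recipient controls, evaluated on the server per send."""
    if sender.id == recipient.id:
        return True
    if sender.id in recipient.blocked:
        return False
    if recipient.block_noncontacts and sender.id not in recipient.contacts:
        return False
    return True


def vulnerable_send(sender: User, recipient: User, text: str, outbox: list) -> bool:
    """Only the explicit block list is checked; the non-contacts preference
    lives in the UI (the 'Send message' button is hidden) and nowhere else."""
    if sender.id in recipient.blocked:
        return False
    outbox.append((sender.id, recipient.id, text))
    return True


def hardened_send(sender: User, recipient: User, text: str, outbox: list) -> bool:
    """Same delivery, but gated on the full preference check."""
    if not can_message(sender, recipient):
        return False
    outbox.append((sender.id, recipient.id, text))
    return True


if __name__ == "__main__":
    alice = User(1, contacts={2}, block_noncontacts=True)
    stranger = User(3)
    print("vulnerable delivered:", vulnerable_send(stranger, alice, "spam", []))
    print("hardened delivered:  ", hardened_send(stranger, alice, "spam", []))
```

The check belongs in the function every sending path calls (web form, web service, and any internal API), not in the code that decides whether to show the send control.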