Security announcements

Skip to main content

Security Announcements

Description:	Access to mobile app using the old web service token should be revoked if the user changes the password
Issue summary:	Users tokens should be invalidated when the user password is changed (or forced to)
Severity/Risk:	Minor
Versions affected:	3.1 to 3.1.1, 3.0 to 3.0.5, 2.9 to 2.9.7, 2.8 to 2.8.12, 2.7 to 2.7.15 and earlier unsupported versions
Versions fixed:	3.1.2, 3.0.6, 2.9.8 and 2.7.16
Reported by:	Juan Leyva
Issue no.:	MDL-49026
CVE identifier:	CVE-2016-7038
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49026

Description:	Event monitor tool checked access to the course or activity only when subscription was created but did not re-evaluate it when sending notifications. This can result in unenrolled user receiving notifications with information they no longer can access.
Issue summary:	Event monitor notifications do not check user access to the course/activity (for example after teacher has been unenrolled)
Severity/Risk:	Minor
Versions affected:	3.1, 3.0 to 3.0.4, 2.9 to 2.9.6, 2.8 to 2.8.12
Versions fixed:	3.1.1, 3.0.5 and 2.9.7
Reported by:	Stuart R Mealor
Issue no.:	MDL-53431
CVE identifier:	CVE-2016-5014
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53431

Description:	By changing own name user can inject arbitrary email addresses in the emails that moodle sends to him/her. This can be used to send spam when moodle emails user content such as messages and forum posts. It can only be exploited by registered users and very easy to trace and find the attacker.
Issue summary:	User firstname/lastname not sanitized when sending emails
Severity/Risk:	Minor
Versions affected:	3.1, 3.0 to 3.0.4, 2.9 to 2.9.6, 2.8 to 2.8.12, 2.7 to 2.7.14 and earlier unsupported versions
Versions fixed:	3.1.1, 3.0.5, 2.9.7 and 2.7.15
Reported by:	Pierre Guinoiseau
Issue no.:	MDL-55069
Workaround:	Temporary prohibit users from editing their first and last names until the fix is applied
CVE identifier:	CVE-2016-5013
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-55069

Description:	When searching in a glossary entries from other glossaries could be displayed, including the modules and courses that user can not access
Issue summary:	Possible to see glossary entries in courses you are not enrolled in
Severity/Risk:	Minor
Versions affected:	3.1
Versions fixed:	3.1.1
Reported by:	Mary Cooch
Issue no.:	MDL-54844
CVE identifier:	CVE-2016-5012
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-54844

Description:	CSRF possible in the URL that marks forum posts as read
Issue summary:	Forum markposts.php missing sesskey check
Severity/Risk:	Minor
Versions affected:	3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed:	3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by:	Andrew Nicols
Issue no.:	MDL-53755
CVE identifier:	CVE-2016-3734
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53755

Description:	During the course restore teacher could overwrite idnumber even without having the capability to change it
Issue summary:	Course idnumber not protected from teacher restore
Severity/Risk:	Minor
Versions affected:	3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed:	3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by:	Donna Hrynkiw
Issue no.:	MDL-51369
CVE identifier:	CVE-2016-3733
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51369

Description:	Capability check to view other badges was performed for the current user instead for the user whose badges are being viewed
Issue summary:	Badges code checks viewotherbadges capability in the wrong context
Severity/Risk:	Minor
Versions affected:	3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed:	3.0.4, 2.9.6 and 2.8.12
Reported by:	Tim Hunt
Issue no.:	MDL-53589
CVE identifier:	CVE-2016-3732
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53589

Description:	Name of the inaccessible forum or forum discussion could be disclosed as part of the error message on the subscription page
Issue summary:	Information disclosure of hidden forum names and sub-names.
Severity/Risk:	Minor
Versions affected:	3.0 to 3.0.3, 2.9 to 2.9.5 and 2.8 to 2.8.11
Versions fixed:	3.0.4, 2.9.6 and 2.8.12
Reported by:	Callum Carney
Issue no.:	MDL-53696
CVE identifier:	CVE-2016-3731
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53696

This issue has been withdrawn from the security release already after both Moodle and CVE identifiers have been assigned.

Description:	User editing form only disabled the profile fields in UI and did not actually prevent users from editing them
Issue summary:	Tricky users can change locked profile fields
Severity/Risk:	Minor
Versions affected:	3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions
Versions fixed:	3.0.4, 2.9.6, 2.8.12 and 2.7.14
Reported by:	Vadim Dvorovenko
Issue no.:	MDL-53954
CVE identifier:	CVE-2016-3729
Changes (master):	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53954

Older topics ...