The /userpix/ page did not escape users' full names, which are included as text when hovering over profile images. Note this page is not linked to by default and its access is restricted.
| Severity/Risk: | Minor |
| Versions affected: | 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6, 3.1 to 3.1.15 and earlier unsupported versions |
| Versions |
The login form is not protected by a token to prevent login cross-site request forgery.
| Severity/Risk: | Serious |
| Versions affected: | 3.5 to 3.5.2, 3.4 to 3.4.5, 3.3 to 3.3.8, 3.1 to 3.1.14 and earlier unsupported versions |
| Versions fixed: | 3.6, 3.5.3, 3.4.6, 3.3.9 and 3.1.15 |
| Reported by: | Daniel Thatcher |
| CVE identifier: | CVE-2018-16854 |
| Chan |
When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source.
| Severity/Risk: | Serious |
| Versions affected: | 3.5 to 3.5.1, 3.4 to 3.4.4, 3.1 to 3.1.13 and |
A security vulnerability was reported against QuickForm, a third party library used by Moodle. Although no attack vector was identified within our software, Moodle has updated to patched versions of QuickForm as a precaution.
| Severity/Risk: | Minor |
| Versions affected: | 3.5 to 3.5.1, 3.4 to 3.4.4, 3.3 to 3.3.7, 3.1 to 3.1.13 and |
The breadcrumb navigation provided by Boost theme when displaying search results of a blog were insufficiently filtered, which could result in reflected XSS if a user followed a malicious link containing JavaScript in the search parameter.
| Severity/Risk: | Minor |
| Versions affected: | 3.5 to 3.5.1, 3.4 to 3.4.4, 3.3 to 3.3.7 and |
No option existed to omit logs from data privacy exports, which may contain details of other users who interacted with the requester. Note this may be a serious privacy consideration for sites processing data exports.
| Severity/Risk: | Minor |
| Versions affected: | 3.5, 3.4.3, 3.3 to 3.3.6 |
| Versions fixed: | 3.5.1, 3.4.4, 3.3.7 |
| Reported by: |
It was possible for the core_course_get_categories web service to return hidden categories, which should be omitted when fetching course categories. Note this only affects cases where a user has access to manage categories, but does not also have permission to view hidden categories.
| Severity/Risk: | Minor |
| Versions affected: | 3.5 |
When a quiz question bank is imported, it was possible for the question preview that is displayed to execute JavaScript that is written into the question bank.
| Severity/Risk: | Minor |
| Versions affected: | 3.5, 3.4 to 3.4.3, 3.3 to 3.3.6, 3.2 to 3.2.9, 3.1 to 3.1.12 and earlier unsupported versions |
| Versions fixed: | 3.5.1, 3.4.4, |
Teacher creating Calculated question can intentionally cause remote code execution on server
| Severity/Risk: | Serious |
| Versions affected: | 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions |
| Versions fixed: | 3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12 |
| Reported by: | Robin Peraglie |
| CVE identifier: | CVE-2018-1133 |
| Cha |
Students who submitted assignments and exported it to portfolios can download any stored Moodle file by changing download URL
| Severity/Risk: | Minor |
| Versions affected: | 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions |
| Versions fixed: | 3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12 |
| Reported by: | Brendan Cox |
| Wor |
Students who posted on forum and exported the post to portfolios can download any stored Moodle file by changing download URL
| Severity/Risk: | Minor |
| Versions affected: | 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions |
| Versions fixed: | 3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12 |
| Reported by: | Brendan Cox |
| Wor |
Authenticated user are allowed to add HTML blocks containing scripts to their Dashboard and this is normally not a security issue because personal dashboard is visible to this user only. Through this security vulnerability users can move such block to other pages where they can be viewed by other users.
| Severity/Risk: | Serious |
| V |
Site policies agreement is not checked for logged in users who browse front page and activities on it
| Severity/Risk: | Minor |
| Versions affected: | 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions |
| Versions fixed: | 3.5, 3.4.3, 3.3.6, 3.2.9 and 3.1.12 |
| Reported by: | Marina Glancy |
| Changes (master): | http://g |
Substituting URL in portfolios users can instantiate any class, this can also be exploited by users who are logged in as guests to create a DDoS attack
| Severity/Risk: | Serious |
| Versions affected: | 3.4 to 3.4.2, 3.3 to 3.3.5, 3.2 to 3.2.8, 3.1 to 3.1.11 and earlier unsupported versions |
| Versions fixed: | 3.5, 3.4.3, 3.3.6, 3.2.9 and |
by Marina Glancy.
Paypal IPN callback script should only send error emails to admin after request origin was verified, otherwise admin email can be spammed
| Severity/Risk: | Serious |
| Versions affected: | 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1 to 3.1.10 and earlier unsupported versions |
| Versions fixed: | 3.4.2, 3.3.5, 3.2.8 and 3.1.11 |
| Reported by: | Brend |
by Marina Glancy.
If a user account using OAuth2 authentication method was once confirmed but later suspended, user could still login to the site
| Severity/Risk: | Minor |
| Versions affected: | 3.4 to 3.4.1, 3.3 to 3.3.4 |
| Versions fixed: | 3.4.2 and 3.3.5 |
| Reported by: | Helen Foster |
| CVE identifier: | CVE-2018-1082 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git |
by Marina Glancy.
By substituting the source URL in the filepicker AJAX request authenticated users are able to retrieve and view any URL. We classify this issue as serious because some cloud hosting providers contain internal resources that can expose data and compromise a server
| Severity/Risk: | Serious |
| Versions affected: | 3.4, 3.3 to 3.3.3, 3.2 |
by Marina Glancy.
Moodle setting "cURL blocked hosts list" was introduced in Moodle 3.2 to prevent access to specific addresses (usually internal) when server retrieves URLs requested by the user. PoC was presented how to bypass this restriction by using a DNS record that returns multiple A records for a hostname.
| Severity/Risk: | Minor |
| Versions |
by Marina Glancy.
Quiz web services allow students to see quiz results when it is prohibited in the settings. This web service is used by the mobile app
| Severity/Risk: | Minor |
| Versions affected: | 3.4, 3.3 to 3.3.3, 3.2 to 3.2.6 and 3.1 to 3.1.9 |
| Versions fixed: | 3.4.1, 3.3.4, 3.2.7 and 3.1.10 |
| Reported by: | Chirine Nassar |
| CVE identifier: | CVE-2018-1044 |
| Changes |
by Marina Glancy.
It is possible to inject javascript in the event name in the calendar block. Normally capability to create events is only given to trusted users (such as teachers), however it is not marked as having XSS risk, therefore it is considered a security issue.
| Severity/Risk: | Minor |
| Versions affected: | 3.3 to 3.3.3, 3.2 to 3.2.6, 3.1 to |