by Marina Glancy.
| Description: | Security vulnerability was reported against PHPMailer, third party library used by Moodle. As a result Moodle improved validation of no-reply address (that can only be configured by admin), all other fields were already properly sanitized. This issue only affect sites that leave $CFG->smtphosts empty. |
| Issue |
by Marina Glancy.
| Description: | HTML injection with potential XSS attack was possible by modifying URL for assignment submission and tricking another user into following it |
| Issue summary: | XSS in assignment submission page |
| Severity/Risk: | Minor |
| Versions affected: | 3.2 and 3.1 to 3.1.3 |
| Versions fixed: | 3.2.1 and 3.1.4 (also backported to 2.7.18 and 3.0.8 |
by Marina Glancy.
| Description: | User can guess URL of the file embedded in a question that they are not able to access and download it using identificator of a question they can access |
| Issue summary: | Question engine allows access to files that I should not be able to view |
| Severity/Risk: | Minor |
| Versions affected: | 3.1 to 3.1.2, 3.0 to 3.0.6, 2.9 to |
by Marina Glancy.
| Description: | Normally in Moodle web interface non-admin users with capability to edit other users can not edit information about admins, this was not respected in one of the web services. This can only be a security vulnerability if this WS was exposed to some external service; it is not exposed to the mobile app |
| Issue |
by Marina Glancy.
| Description: | Incorrect capability check may have allowed users to view course notes when they had site-wide permission which was revoked inside a course |
| Issue summary: | Notes has_capability check not called for correct context |
| Severity/Risk: | Minor |
| Versions affected: | 3.1 to 3.1.2, 3.0 to 3.0.6, 2.9 to 2.9.8, 2.8 to 2.8.12, 2.7 to |
by Marina Glancy.
| Description: | Hopefully production sites never have debugging mode enabled and this is more of an improvement limiting the information returned in web services error messages. |
| Issue summary: | When debugging is enabled, error exceptions returned from webservices could contain private data. |
| Severity/Risk: | Serious |
| Versions affected: | 3.1 |
by Marina Glancy.
| Description: | User editing form only disabled the profile fields in UI and did not actually prevent users from editing them |
| Issue summary: | Tricky users can change locked profile fields |
| Severity/Risk: | Minor |
| Versions affected: | 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions |
| Versions fixed: | 3.0.4 |
by Marina Glancy.
This issue has been withdrawn from the security release already after both Moodle and CVE identifiers have been assigned.
...
by Marina Glancy.
| Description: | Name of the inaccessible forum or forum discussion could be disclosed as part of the error message on the subscription page |
| Issue summary: | Information disclosure of hidden forum names and sub-names. |
| Severity/Risk: | Minor |
| Versions affected: | 3.0 to 3.0.3, 2.9 to 2.9.5 and 2.8 to 2.8.11 |
| Versions fixed: | 3.0.4, 2.9.6 and |
by Marina Glancy.
| Description: | Capability check to view other badges was performed for the current user instead for the user whose badges are being viewed |
| Issue summary: | Badges code checks viewotherbadges capability in the wrong context |
| Severity/Risk: | Minor |
| Versions affected: | 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier |
by Marina Glancy.
| Description: | During the course restore teacher could overwrite idnumber even without having the capability to change it |
| Issue summary: | Course idnumber not protected from teacher restore |
| Severity/Risk: | Minor |
| Versions affected: | 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions |
| Versions fixed: | 3.0 |
by Marina Glancy.
| Description: | CSRF possible in the URL that marks forum posts as read |
| Issue summary: | Forum markposts.php missing sesskey check |
| Severity/Risk: | Minor |
| Versions affected: | 3.0 to 3.0.3, 2.9 to 2.9.5, 2.8 to 2.8.11, 2.7 to 2.7.13 and earlier unsupported versions |
| Versions fixed: | 3.0.4, 2.9.6, 2.8.12 and 2.7.14 |
| Reported by: | Andrew Nicols |
| Issue |
by Marina Glancy.
| Description: | When searching in a glossary entries from other glossaries could be displayed, including the modules and courses that user can not access |
| Issue summary: | Possible to see glossary entries in courses you are not enrolled in |
| Severity/Risk: | Minor |
| Versions affected: | 3.1 |
| Versions fixed: | 3.1.1 |
| Reported by: | Mary Cooch |
| Issue no.: | MDL- |
by Marina Glancy.
| Description: | By changing own name user can inject arbitrary email addresses in the emails that moodle sends to him/her. This can be used to send spam when moodle emails user content such as messages and forum posts. It can only be exploited by registered users and very easy to trace and find the attacker. |
| Issue summary: | User |
by Marina Glancy.
| Description: | Event monitor tool checked access to the course or activity only when subscription was created but did not re-evaluate it when sending notifications. This can result in unenrolled user receiving notifications with information they no longer can access. |
| Issue summary: | Event monitor notifications do not check user |
by Marina Glancy.
| Description: | Access to mobile app using the old web service token should be revoked if the user changes the password |
| Issue summary: | Users tokens should be invalidated when the user password is changed (or forced to) |
| Severity/Risk: | Minor |
| Versions affected: | 3.1 to 3.1.1, 3.0 to 3.0.5, 2.9 to 2.9.7, 2.8 to 2.8.12, 2.7 to 2.7.15 and |
| Description: | Privacy settings for the IMS-LTI (External tool) module were not able to be changed so personal information was always transferred. |
| Issue summary: | Privacy settings do not change |
| Severity/Risk: | Minor |
| Versions affected: | 2.5, 2.4 to 2.4.4, 2.3 to 2.3.7, 2.2 to 2.2.10, earlier unsupported versions |
| Versions fixed: | 2.5.1, |
| Description: | Flash files distributed with the YUI library may have allowed for cross-site scripting attacks. |
| Issue summary: | YUI swf files suffer a XSS vulnerability |
| Severity/Risk: | Serious |
| Versions affected: | 2.5, 2.4 to 2.4.4, 2.3 to 2.3.7, 2.2 to 2.2.10, earlier unsupported versions |
| Versions fixed: | 2.5.1, 2.4.5, 2.3.8 and 2.2.11 |
| Re |
| Description: | Users were able to access a daemon-mode Chat activity without the required capability. |
| Issue summary: | Missing privilege check in mod/chat/gui_sockets/index.php |
| Severity/Risk: | Minor |
| Versions affected: | 2.5, 2.4 to 2.4.4, 2.3 to 2.3.7, 2.2 to 2.2.10, earlier unsupported versions |
| Versions fixed: | 2.5.1, 2.4.5, 2.3.8 and |
| Description: | It was possible to determine answers from ID values in Lesson activity matching questions. |
| Issue summary: | Matching question in lesson could easily manipulated through view sources |
| Severity/Risk: | Minor |
| Versions affected: | 2.5, 2.4 to 2.4.4, 2.3 to 2.3.7, earlier unsupported versions |
| Versions fixed: | 2.5.1, 2.4.5 and |