When creating a user account, it was possible to verify the account without having access to the verification email link/secret.
| Severity/Risk: | Minor |
| Versions affected: | 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions |
| Versions fixed: | 3.10.2, 3.9.5, 3.8.8 and 3.5.17 |
| Reported by: | Bandjes |
| CVE |
The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course.
| Severity/Risk: | Minor |
| Versions affected: | 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions |
| Versions fixed: | 3.10.2, |
The JQuery version used by Moodle required upgrading to 3.5.1 to patch some published potential vulnerabilities.
| Severity/Risk: | Minor |
| Versions affected: | 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions |
| Versions fixed: | 3.10.2, 3.9.5, 3.8.8 and 3.5.17 |
| Reported by: | Mike Henry |
| CVE identifiers: | C |
The ID number user profile field required additional sanitizing to prevent a stored XSS risk.
| Severity/Risk: | Serious |
| Versions affected: | 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions |
| Versions fixed: | 3.10.2, 3.9.5, 3.8.8 and 3.5.17 |
| Reported by: | Magyar-Hunor Tamas |
| Workaround: | Disable the ID |
Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks.
| Severity/Risk: | Serious |
| Versions affected: | 3.10 to 3.10.1, 3.9 to 3.9.4, 3.8 to 3.8.7, 3.5 to 3.5.16 and earlier unsupported versions |
| Versions fixed: | 3.10.2, 3.9.5, 3.8.8 and 3.5.17 |
| Reported by: | Holme and Rekter0 |
| CVE identifier: | CVE |
Some search inputs were vulnerable to reflected XSS due to insufficient escaping of search queries.
| Severity/Risk: | Serious |
| Versions affected: | 3.10 |
| Versions fixed: | 3.10.1 |
| Reported by: | kstpt |
| CVE identifier: | CVE-2021-20183 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-70571 |
| Tracker |
Insufficient capability checks in some grade related web services meant students were able to view other students' grades.
| Severity/Risk: | Minor |
| Versions affected: | 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6 |
| Versions fixed: | 3.10.1, 3.9.4 and 3.8.7 |
| Reported by: | Juan Segarra Montesinos |
| CVE identifier: | CVE-2021-20184 |
| Changes (master): | http://git.moo |
Messaging did not impose a character limit when sending messages, which could result in client-side (browser) denial of service for users receiving very large messages.
| Severity/Risk: | Minor |
| Versions affected: | 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15 and earlier unsupported versions |
| Versions fixed: | 3.10.1, 3.9.4, 3.8.7 |
If the TeX notation filter was enabled, additional sanitizing of TeX content was required to prevent the risk of stored XSS.
| Severity/Risk: | Serious |
| Versions affected: | 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15 and earlier unsupported versions |
| Versions fixed: | 3.10.1, 3.9.4, 3.8.7 and 3.5.16 |
| Reported by: | Ata Hakcil |
| Workaround: | Di |
It was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication.
| Severity/Risk: | Serious |
| Versions affected: | 3.10, 3.9 to 3.9.3, 3.8 to 3.8.6, 3.5 to 3.5.15 and earlier unsupported versions |
| Versions fixed: | 3.10.1, 3.9.4, 3.8.7 and 3.5.16 |
| Reported by: | Frédéric Massart |
| Wo |
Users' enrolment capabilities were not being sufficiently checked when they restored into an existing course, which could lead to them unenrolling users without having permission to do so.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions |
| Versions |
Insufficient capability checks could lead to users with the ability to course restore adding additional capabilities to roles within that course.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions |
| Versions fixed: | 3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15 |
| Rep |
Some database module web services allowed students to add entries within groups they did not belong to.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions |
| Versions fixed: | 3.10, 3.9.3, 3.8.6, 3.7.9 and 3.5.15 |
| Reported by: | Dani Palou |
| CVE identifier: | CVE-2020 |
If the upload course tool was used to delete an enrolment method which did not exist or was not already enabled, the tool would erroneously enable that enrolment method. This could lead to unintended users gaining access to the course.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8 and 3.5 to |
It was possible to include JavaScript when re-naming content bank items.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.2 |
| Versions fixed: | 3.10, 3.9.3 |
| Reported by: | DegrangeM |
| CVE identifier: | CVE-2020-25702 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69046 |
| Tracker issue: | MDL-6 |
The participants table download always included user emails, but should have only done so when users' emails are not hidden.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8 |
| Versions fixed: | 3.10, 3.9.3, 3.8.6 and 3.7.9 |
| Reported by: | A. Schenkel |
| CVE identifier: | CVE-2020-25703 |
| Changes (master): | http://g |
The moodlenetprofile user profile field required extra sanitizing to prevent a stored XSS risk.
| Severity/Risk: | Serious |
| Versions affected: | 3.9 to 3.9.1 |
| Versions fixed: | 3.9.2 |
| Reported by: | Kien Hoang |
| CVE identifier: | CVE-2020-25627 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-692 |
The filter in the admin task log required extra sanitizing to prevent a reflected XSS risk.
| Severity/Risk: | Serious |
| Versions affected: | 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions |
| Versions fixed: | 3.9.2, 3.8.5, 3.7.8 and 3.5.14 |
| Reported by: | Luuk Verhoeven |
| CVE identifier: | CVE-2020-25628 |
| Chang |
Users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager.
| Severity/Risk: | Minor |
| Versions affected: | 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions |
| Versions fixed: | 3.9.2, |
The decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk.
| Severity/Risk: | Serious |
| Versions affected: | 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions |
| Versions fixed: | 3.9.2, 3.8.5, 3.7.8 and 3.5.14 |
| Rep |