It was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page.
Note: By default this functionality is only available to trusted users (such as teachers), but has been included as a security issue as a precaution, since it was not sanitized on sites with forceclean...
The JQuery version used by the H5P library contained a prototype pollution risk, which has now been updated to a patched version.
| Severity/Risk: | Minor |
| Versions affected: | 3.8 to 3.8.3 |
| Versions fixed: | 3.8.4 and 3.9 |
| Reported by: | weblendweb |
| CVE identifier: | CVE-2019-11358 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search |
The filter in the admin task log required extra sanitizing to prevent a reflected XSS risk.
| Severity/Risk: | Serious |
| Versions affected: | 3.9, 3.8 to 3.8.3 and 3.7 to 3.7.6 |
| Versions fixed: | 3.9.1, 3.8.4 and 3.7.7 |
| Reported by: | Spyridon Chatzimichail |
| CVE identifier: | CVE-2020-14320 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a |
Teachers of a course were able to assign themselves the manager role within that course.
| Severity/Risk: | Serious |
| Versions affected: | 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12 and earlier unsupported versions |
| Versions fixed: | 3.9.1, 3.8.4, 3.7.7 and 3.5.13 |
| Reported by: | Kien Hoang |
| CVE identifier: | CVE-2020-14321 |
| Changes (master): | http: |
yui_combo needed to limit the amount of files it can load to help mitigate the risk of denial of service.
| Severity/Risk: | Serious |
| Versions affected: | 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12 and earlier unsupported versions |
| Versions fixed: | 3.9.1, 3.8.4, 3.7.7 and 3.5.13 |
| Reported by: | Yuri Zwaig |
| CVE identifier: | CVE-2020-14322 |
| Chang |
MathJax versions 2.7.2 and earlier contain a stored XSS risk. The MathJax URL has been updated to reference a newer version, which has the vulnerability patched.
| Severity/Risk: | Serious |
| Versions affected: | 3.8 to 3.8.2, 3.7 to 3.7.5, 3.6 to 3.6.9, 3.5 to 3.5.11 and earlier unsupported versions |
| Versions fixed: | 3.8.3, 3.7.6, 3.6.10 |
It was possible to create a SCORM package in such a way that when added to a course, it could be interacted with via web services in order to achieve remote code execution.
| Severity/Risk: | Serious |
| Versions affected: | 3.8 to 3.8.2, 3.7 to 3.7.5, 3.6 to 3.6.9, 3.5 to 3.5.11 and earlier unsupported versions |
| Versions fixed: | 3.8.3, |
Users viewing the grade history report without the 'access all groups' capability were not restricted to viewing grades of users within their own groups.
| Severity/Risk: | Minor |
| Versions affected: | 3.8 to 3.8.1, 3.7 to 3.7.4, 3.6 to 3.6.8, 3.5 to 3.5.10 and earlier unsupported versions |
| Versions fixed: | 3.8.2, 3.7.5, 3.6.9 and 3.5.11 |
| R |
X-Forwarded-For headers could be used to spoof a user's IP, in order to bypass remote address checks.
PATCH NOTE: For user IPs to be checked (and logged) accurately after this patch is applied, sites using multiple levels of reverse proxies/balancers that append to the X-Forwarded-For header will need to configure the new "...
Insufficient input escaping was applied to the PHP unit webrunner admin tool.
NOTE: It is important to note that this update is only flagged as a precautionary measure, as it may provide limited CLI access to Moodle site admins. This may be considered a security risk in circumstances where admins do not ordinarily have...
Messages required extra sanitizing before updating the conversation overview, to prevent the risk of stored XSS.
| Severity/Risk: | Serious |
| Versions affected: | 3.8 |
| Versions fixed: | 3.8.1 |
| Reported by: | Cid da Costa |
| Workaround: | Disable the messaging system until the patch has been applied. |
| CVE identifier: | CVE-2020-1691 |
| Changes (master): | http://g |
When a cohort role assignment was removed, the associated capabilites were not being revoked (where applicable).
| Severity/Risk: | Minor |
| Versions affected: | 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions |
| Versions fixed: | 3.7.3, 3.6.7 and 3.5.9 |
| Reported by: | Yusuf Yilmaz, Mick Cassell |
| CVE identifier: | CVE-2019-148 |
OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise.
| Severity/Risk: | Serious |
| Versions affected: | 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions |
| Versions fixed: | 3.7.3, 3.6.7 and 3.5.9 |
| Reported by: | CeDiS Team |
User emails required additional sanitizing to prevent blind XSS risk on some pages.
| Severity/Risk: | Minor |
| Versions affected: | 3.7 to 3.7.2 |
| Versions fixed: | 3.7.3 |
| Reported by: | Yuri Zwaig |
| CVE identifier: | CVE-2019-14881 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66762 |
| Tracker |
An open redirect existed in the Lesson edit page.
| Severity/Risk: | Minor |
| Versions affected: | 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions |
| Versions fixed: | 3.7.3, 3.6.7 and 3.5.9 |
| Reported by: | Paul Holden |
| CVE identifier: | CVE-2019-14882 |
| Changes (master): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HE |
Tokens used to fetch inline attachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path, and their token.
| Severity/Risk: | Minor |
| Versions affected: | 3.7 to 3.7.2 and 3.6 to 3.6.6 |
| Versions fixed: | 3.7.3 and 3.6.7 |
| Reported by: | Juan Leyva |
| C |
Fatal error messages required extra sanitizing to prevent reflected XSS risks on some pages.
| Severity/Risk: | Serious |
| Versions affected: | 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions |
| Versions fixed: | 3.7.3, 3.6.7 and 3.5.9 |
| Reported by: | Yuriy Dyachenko |
| CVE identifier: | CVE-2019-14884 |
| Changes (master): | http://git |
Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates.
| Severity/Risk: | Serious |
| Versions affected: | 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions |
| Versions |
Users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role.
| Severity/Risk: | Minor |
| Versions affected: | 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions |
| Versions fixed: | 3.7.2, 3.6.6 and 3.5.8 |
| Rep |