
MSA-19-0020: Python Machine Learning dependency versions bumped

Published 16 September 2019
Category: Security
by Michael Hawkins.

The analytics Python Machine Learning backend has received some security fixes, resulting in the required PIP package version being increased. (Note: sites using the PHP ML backend, or not using analytics, are not affected.)

...
Severity/Risk: Minor
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5 and 3.5 to 3.5.7 and earlier

MSA-19-0021: Activity :addinstance capabilities were not respected when creating a course in single activity format

Published 16 September 2019
Category: Security
by Michael Hawkins.

Activity creation (:addinstance) capabilities were not correctly respected when selecting the activity to use for a course in single activity format.

...
Severity/Risk: Minor
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Reported by: Andrew Nicols
CVE identifier: CVE-2

MSA-19-0022: Open redirect in the mobile launch endpoint could be used to expose mobile access tokens

Published 16 September 2019
Category: Security
by Michael Hawkins.

The mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: this does not affect sites with a forced URL scheme configured, with the mobile service disabled, or where the mobile app login method is "via the app".)

...
Severity/Risk: Serious
Versions

MSA-19-0023: Forum subscribe link contained an open redirect if forced subscription mode was enabled

Published 16 September 2019
Category: Security
by Michael Hawkins.

If a forum's subscription mode was set to "forced subscription", the forum's subscribe link contained an open redirect.

...
Severity/Risk: Minor
Versions affected: 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions
Versions fixed: 3.7.2, 3.6.6 and 3.5.8
Reported by: John Couzins
Workaround: Set a different

MSA-19-0013: Missing sesskey (CSRF) token in loading/unloading XML files

Published 15 July 2019
Category: Security
by Michael Hawkins.

A sesskey (CSRF) token was not being checked by the XML loading/unloading admin tool, so a state-changing request to it could be forged from another site.

...
Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: Callum Carney
CVE identifier: CVE-2019-10186
Changes (master): http://git.moodle.org/gw?p=mo
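What a missing sesskey check means in practice, as an added example rather than the admin tool's own code: Moodle keeps a per-session random token (exposed as sesskey() and enforced with require_sesskey()); a handler that mutates state without comparing the submitted token to the session's one will honour a form auto-submitted from an attacker's page, because the browser attaches the admin's cookies regardless of which origin sent the request. The handlers, the LoadedXml state and the sessions below are constructed stand-ins.

```python
import hmac
import secrets


def sesskey(session: dict) -> str:
    """Return the CSRF token bound to this session, minting it on first use.

    The token is random, lives only in server-side session state and is
    embedded in same-origin forms; a page on another origin cannot read it.
    """
    if "sesskey" not in session:
        session["sesskey"] = secrets.token_urlsafe(16)
    return session["sesskey"]


def confirm_sesskey(session: dict, submitted) -> bool:
    """True if `submitted` matches the session token (constant-time compare)."""
    expected = session.get("sesskey")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


class LoadedXml:
    """Stand-in for the admin tool's state: the set of loaded XML file names."""

    def __init__(self):
        self.files = set()


def load_xml_vulnerable(state: LoadedXml, session: dict, params: dict) -> None:
    """BEFORE: the session is never consulted, so any request that arrives with
    the admin's cookies (including one forged by another site) is honoured."""
    state.files.add(params["file"])


def load_xml_fixed(state: LoadedXml, session: dict, params: dict) -> None:
    """AFTER: the request must also carry this session's sesskey."""
    if not confirm_sesskey(session, params.get("sesskey")):
        raise PermissionError("invalid sesskey")
    state.files.add(params["file"])


def simulate() -> dict:
    """Drive both handlers with a constructed forged and legitimate request."""
    admin_session = {"userid": 2}      # constructed admin session
    token = sesskey(admin_session)     # what the real admin page embeds in its form

    forged = {"file": "attacker.xml"}                    # attacker knows the params, not the token
    legit = {"file": "questions.xml", "sesskey": token}  # same-origin form carrying the token

    results = {}
    state = LoadedXml()
    load_xml_vulnerable(state, admin_session, forged)
    results["forged_vulnerable"] = "attacker.xml" in state.files

    state = LoadedXml()
    try:
        load_xml_fixed(state, admin_session, forged)
        results["forged_fixed"] = True
    except PermissionError:
        results["forged_fixed"] = False

    load_xml_fixed(state, admin_session, legit)
    results["legit_fixed"] = "questions.xml" in state.files

    # A guessed token of the right length is rejected as well.
    results["guessed_token"] = confirm_sesskey(admin_session, "A" * 22)
    return results
```

The comparison is constant-time and the token is never derived from anything an attacker can observe; the only way to obtain it is to read a same-origin page, which the browser's same-origin policy prevents.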

MSA-19-0014: Ability to delete glossary entries that belong to another glossary

Published 15 July 2019
Category: Security
by Michael Hawkins.

Users with permission to delete entries from a glossary were able to delete entries from other glossaries they did not have direct access to.

...
Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: Peter Dias
CVE identifier: CVE-2019

MSA-19-0015: Quiz group overrides did not observe groups membership or accessallgroups

Published 15 July 2019
Category: Security
by Michael Hawkins.

Teachers in a quiz group could modify group overrides for other groups in the same quiz, without being members of those groups and without the accessallgroups capability.

...
Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: Charl Nel
CVE identifier: CVE-2019-10188
Changes (master): http://git.moodle.org/gw?p=mood

MSA-19-0016: Assignment group overrides did not observe separate groups mode

Published 15 July 2019
Category: Security
by Michael Hawkins.

Teachers in an assignment group could modify group overrides for other groups in the same assignment, even when the assignment was in separate groups mode.

...
Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: David Monllaó
CVE identifier: CVE-2019-10189
Changes (master): http://git.moo

MSA-19-0017: Upgrade TCPDF library for PHP 7.3 and bug fixes (upstream)

Published 15 July 2019
Category: Security
by Michael Hawkins.

The third-party TCPDF library used by Moodle required updating to pick up upstream bug fixes, including a security fix (see the CVE for details).

...
Severity/Risk: Minor
Versions affected: 3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier unsupported versions
Versions fixed: 3.7.1, 3.6.5 and 3.5.7
Reported by: Dan Marsden
CVE identifier: CVE-2018-1705

MSA-19-0010: All messaging conversations could be viewed

Published 20 May 2019
Category: Security
by Michael Hawkins.

A web service that fetches messages was not restricted to the current user's conversations.

...
Severity/Risk: Serious
Versions affected: 3.6 to 3.6.3
Versions fixed: 3.7, 3.6.4
Reported by: Mazen Gamal
Workaround: Disable the messaging system until the fix is applied.
CVE identifier: CVE-2019-10132
Changes (master): http://git.moodle.org/gw?p=
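Four of the advisories above (MSA-19-0014 glossary entries, MSA-19-0015 and MSA-19-0016 group overrides, and this one, MSA-19-0010 messaging) are the same class of bug: a capability or login check was done in one context, but the object then acted on was fetched by id alone, so it could belong to a different glossary, group or conversation. The added example below is not Moodle code; it shows the three checks on a constructed in-memory "database". The capability names are Moodle's real ones, the table layout, ids and the SEPARATEGROUPS constant's value are assumptions for illustration.

```python
from dataclasses import dataclass, field

SEPARATEGROUPS = 1  # assumed value for the "separate groups" group mode
ACCESSALLGROUPS = "moodle/site:accessallgroups"


@dataclass
class Db:
    """Constructed stand-in for the relevant tables."""
    glossary_entries: dict = field(default_factory=dict)     # entry_id -> glossary_id
    activity_groupmode: dict = field(default_factory=dict)   # activity_id -> group mode
    group_members: dict = field(default_factory=dict)        # group_id -> {user_id}
    conversation_members: dict = field(default_factory=dict) # conversation_id -> {user_id}
    messages: dict = field(default_factory=dict)             # conversation_id -> [text]
    caps: dict = field(default_factory=dict)                 # (user_id, context_id) -> {capability}


def has_cap(db: Db, user_id: int, context_id: int, cap: str) -> bool:
    return cap in db.caps.get((user_id, context_id), set())


def delete_glossary_entry(db: Db, user_id: int, glossary_id: int, entry_id: int) -> bool:
    """MSA-19-0014 class: the capability was checked in the glossary the user
    opened, so the entry must be fetched by id AND glossary. Fetching by id alone
    lets the caller delete entries of any other glossary."""
    if not has_cap(db, user_id, glossary_id, "mod/glossary:manageentries"):
        return False
    if db.glossary_entries.get(entry_id) != glossary_id:
        return False  # belongs to another glossary: treat exactly like "not found"
    del db.glossary_entries[entry_id]
    return True


def can_edit_group_override(db: Db, user_id: int, activity_id: int, group_id: int) -> bool:
    """MSA-19-0015/-0016 class: holding the manage-overrides capability is not
    enough in separate groups mode; the user must be in the target group or
    hold accessallgroups in that activity."""
    if not has_cap(db, user_id, activity_id, "mod/quiz:manageoverrides"):
        return False
    if db.activity_groupmode.get(activity_id) != SEPARATEGROUPS:
        return True
    if has_cap(db, user_id, activity_id, ACCESSALLGROUPS):
        return True
    return user_id in db.group_members.get(group_id, set())


def get_conversation_messages(db: Db, user_id: int, conversation_id: int):
    """MSA-19-0010 class: a message-fetching web service must scope the query to
    conversations the caller belongs to. A non-member gets the same answer as
    for a conversation that does not exist."""
    if user_id not in db.conversation_members.get(conversation_id, set()):
        return None
    return list(db.messages.get(conversation_id, []))


def sample_db() -> Db:
    """Constructed fixture: two glossaries, a quiz in separate groups mode (5) and
    one in no-groups mode (6), two groups, teachers 21/22, manager 23, one chat."""
    db = Db()
    db.glossary_entries = {11: 1, 12: 2}           # entry 11 in glossary 1, entry 12 in glossary 2
    db.activity_groupmode = {5: SEPARATEGROUPS, 6: 0}
    db.group_members = {100: {21}, 101: {22}}      # teacher 21 in group 100, teacher 22 in group 101
    db.conversation_members = {7: {31, 32}}
    db.messages = {7: ["hi", "hello"]}
    db.caps = {
        (21, 1): {"mod/glossary:manageentries"},
        (21, 5): {"mod/quiz:manageoverrides"},
        (21, 6): {"mod/quiz:manageoverrides"},
        (22, 5): {"mod/quiz:manageoverrides"},
        (23, 5): {"mod/quiz:manageoverrides", ACCESSALLGROUPS},
    }
    return db
```

The pattern to look for when reviewing similar code is a lookup keyed only by the id taken from the request; the fix is to include the already-authorised parent (glossary, activity and group, conversation membership) in the lookup itself, so an object outside that scope is indistinguishable from a missing one.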

MSA-19-0011: Open redirect in upload cohorts page

Published 20 May 2019
Category: Security
by Michael Hawkins.

The form to upload cohorts contained a redirect field which was not restricted to internal URLs.

...
Severity/Risk: Minor
Versions affected: 3.6 to 3.6.3, 3.5 to 3.5.5, 3.4 to 3.4.8, 3.1 to 3.1.17 and earlier unsupported versions
Versions fixed: 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18
Reported by: Lindon Wass
CVE identifier: CVE-2019-10133
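Three advisories on this page are open redirects (MSA-19-0022 in the mobile launch endpoint, MSA-19-0023 in the forum subscribe link, and MSA-19-0011 here): a user-controlled return URL was redirected to without confirming it pointed back into the site, and in the mobile case the redirect carried an access token with it. The added example below, not Moodle code, is the check a handler should apply before redirecting. The site root https://lms.example.edu is a placeholder; the function names are ours.

```python
from urllib.parse import urljoin, urlsplit

SITE_ROOT = "https://lms.example.edu"  # placeholder for the site's canonical root URL


def _host_port(parts):
    """(hostname, effective port) so that ':443' and no port compare equal for https."""
    default = {"http": 80, "https": 443}.get(parts.scheme)
    return parts.hostname, parts.port if parts.port is not None else default


def resolve_local_redirect(target: str, site_root: str = SITE_ROOT):
    """Return the absolute URL to redirect to if `target` stays inside the site,
    otherwise None.

    Rejects the usual open-redirect shapes: absolute URLs to other hosts,
    protocol-relative //host, backslash confusion /\\host, userinfo tricks
    https://site@evil, suffix hosts https://site.evil, and non-http(s) schemes
    such as javascript:.
    """
    if not target or any(ch in target for ch in "\r\n\t\0"):
        return None
    # Browsers treat a backslash like a slash when parsing URLs; normalise first
    # so "/\\evil.example" is seen as the protocol-relative URL it really is.
    target = target.replace("\\", "/")
    try:
        root = urlsplit(site_root)
        resolved = urlsplit(urljoin(root.geturl().rstrip("/") + "/", target))
        if resolved.scheme != root.scheme or _host_port(resolved) != _host_port(root):
            return None
    except ValueError:  # malformed URL, e.g. an unparsable port like https://host:abc/
        return None
    if resolved.username is not None or resolved.password is not None:
        return None
    # If the site lives under a path prefix, the target must stay under it too.
    prefix = root.path.rstrip("/")
    if prefix and not (resolved.path == prefix or resolved.path.startswith(prefix + "/")):
        return None
    return resolved.geturl()


def safe_redirect_target(target: str, site_root: str = SITE_ROOT) -> str:
    """What a handler should actually redirect to: the vetted target, else home."""
    return resolve_local_redirect(target, site_root) or site_root.rstrip("/") + "/"
```

Two points matter beyond the string checks: compare the parsed host exactly rather than testing that the string starts with the site root (a prefix test passes https://lms.example.edu.evil.example), and always redirect to the normalised result rather than to the raw input, so that whatever the browser would have parsed differently never reaches the Location header.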

MSA-19-0012: Private files uploaded via incoming mail processing could bypass quota restrictions

Published 20 May 2019
Category: Security
by Michael Hawkins.

The size of users' private file uploads via email was not correctly checked, so a user's quota allowance could be exceeded.

...
Severity/Risk: Minor
Versions affected: 3.6 to 3.6.3, 3.5 to 3.5.5, 3.4 to 3.4.8, 3.1 to 3.1.17 and earlier unsupported versions
Versions fixed: 3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18
Reported by: Guillermo Leon

MSA-19-0004: Log in as functionality exposed to JavaScript risk on other users' Dashboards

Published 19 March 2019
Category: Security
by Michael Hawkins.

Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but JavaScript those other users may have added to their Dashboard was not being escaped when viewed by the user logging in on their behalf.

Please note that for versions 3.1 and 3.4 only, this...

MSA-19-0005: Logged in users could view all calendar events

Published 19 March 2019
Category: Security
by Michael Hawkins.

Permissions were not correctly checked before loading event information into the calendar's edit event modal popup, so logged-in non-guest users could view unauthorised calendar events. (Note: this was read-only access; users could not edit the events.)

...
Severity/Risk: Serious
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4 and

MSA-19-0006: Users could elevate their role when accessing the LTI tool on a provider site

Published 19 March 2019
Category: Security
by Michael Hawkins.

Users could assign themselves an escalated role within courses or content accessed via LTI by modifying the request sent to the LTI publisher site.

...
Severity/Risk: Serious
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4, 3.4 to 3.4.7 and earlier unsupported versions
Versions fixed: 3.6.3, 3.5.5 and 3.4.8
Reported by: Brendan Cox
CVE

MSA-19-0007: Stored HTML in assignment submission comments allowed links to be opened directly

Published 19 March 2019
Category: Security
by Michael Hawkins.

Links within assignment submission comments opened directly in the same window. Although the links themselves may be valid, opening them in the same window and without a no-referrer policy made them more susceptible to exploits.

...
Severity/Risk: Minor
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4, 3.4 to 3.4.7, 3.1 to

MSA-19-0008: Secure layout contained an insecure link in Boost theme

Published 19 March 2019
Category: Security
by Michael Hawkins.

There was a link to the site home within the Boost theme's secure layout, meaning students could navigate out of the page.

...
Severity/Risk: Minor
Versions affected: 3.6 to 3.6.2 and 3.5 to 3.5.4
Versions fixed: 3.6.3 and 3.5.5
Reported by: Martin von Löwis and Luca Bösch
CVE identifier: CVE-2019-3851
Changes (master): http://git.moodle.

MSA-19-0009: get_with_capability_join/get_users_by_capability not aware of context freezing

Published 18 March 2019
Category: Security
by Michael Hawkins.

get_with_capability_join and get_users_by_capability were not taking context freezing into account when checking user capabilities.

...
Severity/Risk: Minor
Versions affected: 3.6 to 3.6.2
Versions fixed: 3.6.3
Reported by: Andrew Nicols
CVE identifier: CVE-2019-3852
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&

MSA-19-0001: Manage groups capability is missing XSS risk flag

Published 21 January 2019
Category: Security
by Michael Hawkins.

The 'manage groups' capability did not have the 'XSS risk' flag assigned to it, although it does grant that level of access in certain places. Note that the capability is intended for use by trusted users, and is only assigned to teachers and managers by default.

...
Severity/Risk: Minor
Versions affected: 3.6 to 3.6.1, 3.5 to 3.5.3, 3.4 to 3.4.6,

MSA-19-0002: Blind SSRF Risk in /badges/mybackpack.php

Published 21 January 2019
Category: Security
by Michael Hawkins.

The mybackpack functionality allowed the URL of badges to be set freely, when it should have been restricted to the Mozilla Open Badges backpack URL. This made blind SSRF possible via the requests made by the page.

...
Severity/Risk: Minor
Versions affected: 3.1 to 3.1.15 and earlier unsupported versions
Versions fixed: 3.1.16
Reported
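A server-side fetch of a user-supplied URL is only as safe as the check on the destination, and MSA-19-0002 above is the case where that check was missing. The added example below, which is not Moodle code, shows the shape of such a check: an allow-list of hosts, http(s) only, no userinfo, and every resolved address required to be public, which also closes the multiple-A-record bypass named in MSA-18-0002 in the list further down. The allow-list host backpack.example, the IP addresses and the fake resolver are constructed stand-ins; a real deployment would resolve every A/AAAA record of the host.

```python
import ipaddress
from urllib.parse import urlsplit

# Placeholder allow-list: the one backpack host the page should ever talk to.
ALLOWED_HOSTS = {"backpack.example"}

# Constructed stand-in for DNS (hostname -> all records).
FAKE_DNS = {
    "backpack.example": ["93.184.216.34"],
    "attacker.example": ["93.184.216.35", "10.0.0.5"],  # one public and one private record
    "metadata.example": ["169.254.169.254"],
    "v6mapped.example": ["::ffff:10.0.0.5"],
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])


def is_public_address(text: str) -> bool:
    """True only for globally routable unicast addresses; unwraps IPv4-mapped IPv6."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def vet_outbound_url(url: str, resolve=fake_resolve, allowed_hosts=ALLOWED_HOSTS):
    """Decide whether the server may fetch `url` on a user's behalf.

    Returns (ok, detail). On success `detail` is the single IP to connect to:
    the caller should open the socket to that address and send the Host header
    itself, so that a second DNS lookup cannot swap in a different address.
    """
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "no host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    host = host.lower()
    if host not in allowed_hosts:
        return False, f"host {host!r} not on the allow-list"
    if port not in (None, 80, 443):
        return False, f"port {port} not allowed"
    addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve"
    # Every record must be public, not just the first one: a name with one
    # public and one private record is otherwise a way to reach internal services.
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, addrs[0]
```

The allow-list does most of the work for the backpack case; the address check is what protects a site whose allowed host is attacker-controlled or later repointed, and it has to run on the same resolution the connection uses, otherwise a short TTL turns it into a race.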

More articles...

  1. MSA-19-0003: User full name is not escaped in the un-linked userpix page
  2. MSA-18-0020: Login CSRF vulnerability in login form
  3. MSA-18-0017: Moodle XML import of ddwtos could lead to intentional remote code execution
  4. MSA-18-0018: QuickForm library remote code vulnerability (upstream)
  5. MSA-18-0019: Boost theme - blog search GET parameter insufficiently filtered
  6. MSA-18-0014: Privacy data exports include log data
  7. MSA-18-0015: Web service core_course_get_categories may return invisible categories
  8. MSA-18-0016: Quiz question bank import preview could execute JavaScript
  9. MSA-18-0007: Calculated question type allows remote code execution by Question authors
  10. MSA-18-0008: Users can download any file via portfolio assignment caller class
  11. MSA-18-0009: Portfolio forum caller class allows a user to download any file
  12. MSA-18-0010: User can shift a block from Dashboard to any page
  13. MSA-18-0011: User who did not agree to the site policies can see the site homepage as if they had full site access
  14. MSA-18-0012: Portfolio script allows instantiation of class chosen by user
  15. MSA-18-0005: Unauthenticated users can trigger custom messages to admin via paypal enrol script
  16. MSA-18-0006: Suspended users with OAuth 2 authentication method can still log in to the site
  17. MSA-18-0001: Server Side Request Forgery in the filepicker
  18. MSA-18-0002: Setting for blocked hosts list can be bypassed with multiple A record hostnames
  19. MSA-18-0003: Privilege escalation in quiz web services
  20. MSA-18-0004: XSS in calendar event name


Moodle-Chile.cl is not affiliated with or endorsed by the Moodle Project.
