[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] moodle security release
From: Marina Glancy <marina () moodle ! com>
Date: 2016-03-21 6:32:15
Message-ID: CAB_jSYwVGQrFsH6syD=az8-4Moazj5de0xvRrYnAiRuhaG=Tgw () mail ! gmail ! com
[Download RAW message or body]
The following security notifications have now been made public. Thanks
to OSS members for their cooperation.
Marina Glancy
Development Process Manager
e: marina@moodle.com
p: +61 8 9467 4167 w: moodle.com
==============================================================================
MSA-16-0003: Incorrect capability check when displaying users emails in
Participants list
Description: Teachers who otherwise were not supposed to see students'
emails could see them in the participants list
Issue summary: Incorrect capability check when displaying users emails in
Participants list
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Matt Jenner
Issue no.: MDL-52433
CVE identifier: CVE-2016-2151
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52433
==============================================================================
MSA-16-0004: XSS from profile fields from external db
Description: Moodle traditionally trusted content from external DB
however it was decided that external datasources may not be
aware of web security practices and data could cause
problems after importing to Moodle
Issue summary: XSS from profile fields from external db
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Jay Knight
Issue no.: MDL-50705
CVE identifier: CVE-2016-2152
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50705
==============================================================================
MSA-16-0005: Reflected XSS in mod_data advanced search
Description: User with higher permissions could be tricked into clicking
a link which would result in XSS attack
Issue summary: Reflected XSS in mod_data advanced search
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Ian Song
Issue no.: MDL-52727
Workaround: Educate staff to always use only modern browsers that block
such attacks by default
CVE identifier: CVE-2016-2153
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52727
==============================================================================
MSA-16-0006: Hidden courses are shown to students in Event Monitor
Description: Users without capability to view hidden courses but with
capability to subscribe to Event Monitor rules could see
the names of hidden courses
Issue summary: Hidden courses are shown to students in Event Monitor
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10
Versions fixed: 3.0.3, 2.9.5 and 2.8.11
Reported by: Roger
Issue no.: MDL-51167
Workaround: Revoke capability to subscribe to Event Monitor rules from
regular users
CVE identifier: CVE-2016-2154
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51167
==============================================================================
MSA-16-0007: Non-Editing Instructor role can edit exclude checkbox in Single
View
Description: Incorrect capability check in Single View grade report
could result in giving a teacher extra permission
Issue summary: Non-Editing Instructor role can edit exclude checkbox in
Single View
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10
Versions fixed: 3.0.3, 2.9.5 and 2.8.11
Reported by: Mark McKay
Issue no.: MDL-52378
CVE identifier: CVE-2016-2155
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52378
==============================================================================
MSA-16-0008: External function get_calendar_events return events that pertains
to hidden activities
Description: Users without capability to view hidden acitivites could
still see associated calendar events via web services
Issue summary: External function get_calendar_events return events that
pertains to hidden activities
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Juan Leyva
Issue no.: MDL-52808
CVE identifier: CVE-2016-2156
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52808
==============================================================================
MSA-16-0009: CSRF in Assignment plugin management page
Description: CSRF possible on admin page, however exploit unlikely
benefit anybody and can easily be reversed
Issue summary: CSRF in Assignment plugin management page
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Paul Holden
Issue no.: MDL-53031
CVE identifier: CVE-2016-2157
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53031
==============================================================================
MSA-16-0010: Enumeration of category details possible without authentication
Description: Despite force login setting guests could still access
course category details
Issue summary: Enumeration of category details possible without
authentication
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Krista Koivisto
Issue no.: MDL-52774
CVE identifier: CVE-2016-2158
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52774
==============================================================================
MSA-16-0011: Add no referrer to links with _blank target attribute
Description: Improve security when following external links that were
added with _blank target
Issue summary: Add no referrer to links with _blank target attribute
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Hugh Davenport
Issue no.: MDL-52651
CVE identifier: CVE-2016-2190
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52651
==============================================================================
MSA-16-0012: External function mod_assign_save_submission does not check due
dates
Description: Students were able to add assignment submissions after the
due date through web service
Issue summary: External function mod_assign_save_submission does not check
due dates
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Juan Leyva
Issue no.: MDL-52901
CVE identifier: CVE-2016-2159
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52901
==============================================================================
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic