oss-sec mailing list archives
Moodle security issues are now public
From: Marina Glancy <marina () moodle com>
Date: Mon, 19 Jan 2015 10:09:06 +0800
The following security notifications have now been made public. Thanks
to OSS members for their cooperation.
Sincerely,
Marina Glancy
Development Process Manager
Moodle HQ
==============================================================================
MSA-15-0001: Insufficient access check in LTI module
Description: Absence of capability check in AJAX backend script could
allow any enrolled user to search the list of registered
tools
Issue summary: mod/lti/ajax.php security problems
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Petr Skoda
Issue no.: MDL-47920
CVE identifier: CVE-2015-0211
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47920
==============================================================================
MSA-15-0002: XSS vulnerability in course request pending approval page
Description: Course summary on course request pending approval page was
displayed to the manager unescaped and could be used for
XSS attack
Issue summary: XSS in course request pending approval page (Privilege
Escalation?)
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Skylar Kelty
Issue no.: MDL-48368
Workaround: Grant permission moodle/course:request only to trusted
users
CVE identifier: CVE-2015-0212
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48368
==============================================================================
MSA-15-0003: CSRF possible in Glossary module
Description: Two files in the Glossary module lacked a session key check
potentially allowing cross-site request forgery
Issue summary: Multiple CSRF in mod glossary
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Ankit Agarwal
Issue no.: MDL-48106
CVE identifier: CVE-2015-0213
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48106
==============================================================================
MSA-15-0004: Information leak through messaging functions in web-services
Description: Through web-services it was possible to access
messaging-related functions such as people search even if
messaging is disabled on the site
Issue summary: Messages external functions doesn't check if messaging is
enabled
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Juan Leyva
Issue no.: MDL-48329
Workaround: Disable web services or disable individual message-related
functions
CVE identifier: CVE-2015-0214
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48329
==============================================================================
MSA-15-0005: Insufficient access check in calendar functions in web-services
Description: Through web-services it was possible to get information
about calendar events which user did not have enough
permissions to see
Issue summary: calendar/externallib.php lacks
self::validate_context($context);
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Petr Skoda
Issue no.: MDL-48017
CVE identifier: CVE-2015-0215
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48017
==============================================================================
MSA-15-0006: Capability to grade Lesson module is missing XSS bitmask
Description: Users with capability to grade in Lesson module were not
reported as users with XSS risk but their feedback was
displayed without cleaning
Issue summary: mod/lesson:grade capability missing RISK_XSS but essay
feedback is displayed with noclean=true
Severity/Risk: Minor
Versions affected: 2.8 to 2.8.1
Versions fixed: 2.8.2
Reported by: Damyon Wiese
Issue no.: MDL-48034
CVE identifier: CVE-2015-0216
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48034
==============================================================================
MSA-15-0007: ReDoS possible in the multimedia filter
Description: Not optimal regular expression in the filter could be
exploited to create extra server load or make particular
page unavailable
Issue summary: ReDOS in the multimedia filter
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Nicolas Martignoni
Issue no.: MDL-48546
Workaround: Disable multimedia filter
CVE identifier: CVE-2015-0217
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48546
==============================================================================
MSA-15-0008: Forced logout through Shibboleth authentication plugin
Description: It was possible to forge a request to logout users even
when not authenticated through Shibboleth
Issue summary: Forced logout via auth/shibboleth/logout.php
Severity/Risk: Serious
Versions affected: 2.8 to 2.8.1, 2.7 to 2.7.3, 2.6 to 2.6.6 and earlier
unsupported versions
Versions fixed: 2.8.2, 2.7.4 and 2.6.7
Reported by: Petr Skoda
Issue no.: MDL-47964
Workaround: Deny access to file auth/shibboleth/logout.php in webserver
configuration
CVE identifier: CVE-2015-0218
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-47964
==============================================================================
Current thread:
- Moodle security issues are now public Marina Glancy (Jan 18)