==================================================================== CERT-Renater Note d'Information No. 2015/VULN094 _____________________________________________________________________ DATE : 20/05/2015 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Moodle versions prior to 2.9, 2.8.6, 2.7.8, 2.6.11. ====================================================================== https://moodle.org/mod/forum/discuss.php?d=313681 https://moodle.org/mod/forum/discuss.php?d=313682 https://moodle.org/mod/forum/discuss.php?d=313683 https://moodle.org/mod/forum/discuss.php?d=313684 https://moodle.org/mod/forum/discuss.php?d=313685 https://moodle.org/mod/forum/discuss.php?d=313686 https://moodle.org/mod/forum/discuss.php?d=313687 https://moodle.org/mod/forum/discuss.php?d=313688 ______________________________________________________________________ MSA-15-0018: Quiz manual-grading is an XSS risk, but does not declare that Marina Glancy lundi 18 mai 2015, 08:54 Description: Leaving gradebook feedback is a trusted action and such capabilities in other modules already have XSS mask, 'mod/quiz:grade' was missing this flag. Issue summary: Quiz manual-grading is an XSS risk, but does not declare that Severity/Risk: Minor Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11 Reported by: Hugh Davenport Issue no.: MDL-49941 CVE identifier: CVE-2015-3174 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49941 ______________________________________________________________________ MSA-15-0019: Possible phishing when redirecting to external site using referer header Marina Glancy lundi 18 mai 2015, 08:59 Description: Some error messages in Moodle display button to return to previous page. Redirecting to non-local referer should not be allowed as it can potentially be used for phising. Issue summary: get_referer() used with redirect() can be insecure Severity/Risk: Minor Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11 Reported by: Dingjie Yang Issue no.: MDL-49179 CVE identifier: CVE-2015-3175 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49179 ______________________________________________________________________ MSA-15-0020: User fullname disclosure through account confirmation link Marina Glancy lundi 18 mai 2015, 09:00 Description: On the sites with enabled self-registration not registered users can retrieve fullname of registered users knowing their usernames Issue summary: User fullname disclosure through account confirmation link Severity/Risk: Serious Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11 Reported by: Federico Kirschbaum Issue no.: MDL-50099 Workaround: Even partial patch (removing one line in /login/confirm.php) will also resolve security issue CVE identifier: CVE-2015-3176 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50099 ______________________________________________________________________ MSA-15-0021: Any authenticated user can subscribe to site-wide event monitor rules Marina Glancy lundi 18 mai 2015, 09:01 Description: If the site-wide rules exist in the event monitor tool, any user can subscribe themselves to them and potentially access information they are not supposed to see. Issue summary: Any authenticated user can subscribe to site wide event monitor rules Severity/Risk: Minor Versions affected: 2.8 to 2.8.5 Versions fixed: 2.9 and 2.8.6 Reported by: Adrian Greeve Issue no.: MDL-50039 Workaround: Do not use site-wide rules until your site is upgraded CVE identifier: CVE-2015-3177 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50039 ______________________________________________________________________ MSA-15-0022: Potential XSS risk when returning text entered by student from Web Services Marina Glancy lundi 18 mai 2015, 09:02 Description: If user who is not XSS-trusted attempts to insert the XSS as part of the input text, it will be cleaned when displayed on Moodle website but may be displayed uncleaned in the external application Issue summary: external_format_text() cleans and formats text incorrectly Severity/Risk: Serious Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11 Reported by: Eloy Lafuente Issue no.: MDL-49718 CVE identifier: CVE-2015-3178 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49718 ______________________________________________________________________ MSA-15-0023: Suspended user is able to login when confirming email Marina Glancy lundi 18 mai 2015, 09:03 Description: When self-registration is enabled and user's account was suspended after creating account but before actually confirming it, user is still able to login when confirming email but only once. Issue summary: Suspended user is able to login when confirming email Severity/Risk: Minor Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11 Reported by: Marina Glancy Issue no.: MDL-50090 CVE identifier: CVE-2015-3179 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50090 ______________________________________________________________________ MSA-15-0024: User with suspended enrolment can see sections in the navigation tree Marina Glancy lundi 18 mai 2015, 09:04 Description: If a user is enrolled in the course but his enrollment is suspended, they can not access the course but still were able to see course structure in the navigation block Issue summary: User with suspended enrolment can see sections in the navigation tree Severity/Risk: Minor Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11 Reported by: Alex Mitin Issue no.: MDL-49788 CVE identifier: CVE-2015-3180 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49788 ______________________________________________________________________ MSA-15-0025: Capability to manage own files is not respected in Web Services Marina Glancy lundi 18 mai 2015, 09:05 Description: Users with the revoked capability 'moodle/user:manageownfiles' are still able to upload private files using deprecated function in Web Services Issue summary: Users with the manageownfiles disabled are able to upload private files via Web Services Severity/Risk: Minor Versions affected: 2.8 to 2.8.5, 2.7 to 2.7.7, 2.6 to 2.6.10 and earlier unsupported versions Versions fixed: 2.9, 2.8.6, 2.7.8 and 2.6.11 Reported by: Juan Leyva Issue no.: MDL-49994 CVE identifier: CVE-2015-3181 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49994 ========================================================= Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================