====================================================================
                            CERT-Renater

                Information Note No. 2015/VULN203
_____________________________________________________________________

DATE                 : 24/09/2015

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Moodle versions prior to
                       2.9.2, 2.8.8, 2.7.10.

======================================================================
https://moodle.org/security/
_____________________________________________________________________

MSA-15-0036: XSS in grouping description
Monday 21 September 2015, 09:46

Description:       The capability to manage groups does not have XSS
                   risk; however, it was possible to add XSS to the
                   grouping description
Issue summary:     XSS in grouping description
Severity/Risk:     Minor
Versions affected: 2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and
                   earlier unsupported versions
Versions fixed:    2.9.2, 2.8.8 and 2.7.10
Reported by:
Issue no.:         MDL-50709
CVE identifier:    CVE-2015-5269
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50709
_____________________________________________________________________

MSA-15-0035: Rating component does not check separate groups
Monday 21 September 2015, 09:45

Description:       When viewing ratings, group access was not
                   properly checked, allowing users from other groups
                   to view ratings
Issue summary:     Rating component does not check separate groups
Severity/Risk:     Minor
Versions affected: 2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and
                   earlier unsupported versions
Versions fixed:    2.9.2, 2.8.8 and 2.7.10
Reported by:       Juan Leyva
Issue no.:         MDL-50173
CVE identifier:    CVE-2015-5268
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50173
_____________________________________________________________________

MSA-15-0034: Vulnerability in password recovery mechanism
Monday 21 September 2015, 09:44

Description:       The password recovery token can be guessed because
                   of PHP randomisation limitations
Issue summary:     Vulnerability in password recovery mechanism
Severity/Risk:     Serious
Versions affected: 2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and
                   earlier unsupported versions
Versions fixed:    2.9.2, 2.8.8 and 2.7.10
Reported by:       Vincent Herbulot (@us3r777)
Issue no.:         MDL-50860
CVE identifier:    CVE-2015-5267
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50860
_____________________________________________________________________

MSA-15-0033: Meta course synchronisation enrols suspended students as
managers for a short period of time
Monday 21 September 2015, 09:43

Description:       On large installations, when the sync script takes
                   a long time, suspended students may be assigned a
                   manager role in the meta course for several minutes
Issue summary:     Meta course sync enrolling suspended students as
                   managers and causing large database growth
Severity/Risk:     Minor
Versions affected: 2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and
                   earlier unsupported versions
Versions fixed:    2.9.2, 2.8.8 and 2.7.10
Reported by:       Brian Winstead
Issue no.:         MDL-50744
CVE identifier:    CVE-2015-5266
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50744
_____________________________________________________________________

MSA-15-0032: Users can delete files uploaded by other users in wiki
Monday 21 September 2015, 09:42

Description:       Users can delete files uploaded by other users in
                   the wiki without the capability to manage files
Issue summary:     Disable free access to the file manager in the
                   wiki via the text editor.
Severity/Risk:     Minor
Versions affected: 2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and
                   earlier unsupported versions
Versions fixed:    2.9.2, 2.8.8 and 2.7.10
Reported by:       John Provasnik
Issue no.:         MDL-48371
CVE identifier:    CVE-2015-5265
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48371
_____________________________________________________________________

MSA-15-0031: Teacher in forum can still post to "all participants"
and groups they are not members of
Monday 21 September 2015, 09:38

Description:       Group access is not properly checked when posting
                   to "all participants" in forum
Issue summary:     Teacher without accessallgroups can still post to
                   "all participants" and groups they're not members
                   of
Severity/Risk:     Minor
Versions affected: 2.7 to 2.7.9 and earlier unsupported versions
Versions fixed:    2.7.10
Reported by:       David Scotson
Issue no.:         MDL-50576
CVE identifier:    CVE-2015-5272
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50576
_____________________________________________________________________

MSA-15-0030: Students can re-attempt answering questions in the lesson
Monday 21 September 2015, 09:36

Description:       A completed and graded lesson activity was not
                   protected against new attempts to answer some
                   questions
Issue summary:     Students can re-attempt answering questions in the
                   lesson
Severity/Risk:     Minor
Versions affected: 2.9 to 2.9.1, 2.8 to 2.8.7, 2.7 to 2.7.9 and
                   earlier unsupported versions
Versions fixed:    2.9.2, 2.8.8 and 2.7.10
Reported by:       Eric Eakin
Issue no.:         MDL-50516
CVE identifier:    CVE-2015-5264
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50516

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23 - 25 Rue Daviel  | fax : 01-53-94-20-41            +
+ 75013 Paris         | email: cert@support.renater.fr  +
==========================================================