====================================================================
CERT-Renater Information Note No. 2016/VULN132
_____________________________________________________________________
DATE : 22/03/2016
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Moodle versions prior to 3.0.3, 2.9.5, 2.8.11 and 2.7.13.
======================================================================
http://moodle.org/security/
https://moodle.org/mod/forum/discuss.php?d=330173
https://moodle.org/mod/forum/discuss.php?d=330174
https://moodle.org/mod/forum/discuss.php?d=330175
https://moodle.org/mod/forum/discuss.php?d=330176
https://moodle.org/mod/forum/discuss.php?d=330177
https://moodle.org/mod/forum/discuss.php?d=330178
https://moodle.org/mod/forum/discuss.php?d=330179
https://moodle.org/mod/forum/discuss.php?d=330180
https://moodle.org/mod/forum/discuss.php?d=330181
https://moodle.org/mod/forum/discuss.php?d=330182
_____________________________________________________________________
MSA-16-0003: Incorrect capability check when displaying users' emails in Participants list
Marina Glancy
Monday 21 March 2016, 14:08

Description: Teachers who otherwise were not supposed to see students' emails could see them in the participants list
Issue summary: Incorrect capability check when displaying users' emails in Participants list
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Matt Jenner
Issue no.: MDL-52433
CVE identifier: CVE-2016-2151
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52433
_____________________________________________________________________
MSA-16-0004: XSS from profile fields from external DB
Marina Glancy
Monday 21 March 2016, 14:09

Description: Moodle traditionally trusted content from an external DB; however, it was decided that external data sources may not be aware of web security practices and that their data could cause problems after being imported into Moodle
Issue summary: XSS from profile fields from external DB
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Jay Knight
Issue no.: MDL-50705
CVE identifier: CVE-2016-2152
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50705
_____________________________________________________________________
MSA-16-0005: Reflected XSS in mod_data advanced search
Marina Glancy
Monday 21 March 2016, 14:09

Description: A user with higher permissions could be tricked into clicking a link which would result in an XSS attack
Issue summary: Reflected XSS in mod_data advanced search
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Ian Song
Issue no.: MDL-52727
Workaround: Educate staff to always use only modern browsers that block such attacks by default
CVE identifier: CVE-2016-2153
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52727
_____________________________________________________________________
MSA-16-0006: Hidden courses are shown to students in Event Monitor
Marina Glancy
Monday 21 March 2016, 14:10

Description: Users without the capability to view hidden courses but with the capability to subscribe to Event Monitor rules could see the names of hidden courses
Issue summary: Hidden courses are shown to students in Event Monitor
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10
Versions fixed: 3.0.3, 2.9.5 and 2.8.11
Reported by: Roger
Issue no.: MDL-51167
Workaround: Revoke the capability to subscribe to Event Monitor rules from regular users
CVE identifier: CVE-2016-2154
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51167
_____________________________________________________________________
MSA-16-0007: Non-Editing Instructor role can edit exclude checkbox in Single View
Marina Glancy
Monday 21 March 2016, 14:11

Description: An incorrect capability check in the Single View grade report could result in giving a teacher extra permission
Issue summary: Non-Editing Instructor role can edit exclude checkbox in Single View
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10
Versions fixed: 3.0.3, 2.9.5 and 2.8.11
Reported by: Mark McKay
Issue no.: MDL-52378
CVE identifier: CVE-2016-2155
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52378
_____________________________________________________________________
MSA-16-0008: External function get_calendar_events returns events that pertain to hidden activities
Marina Glancy
Monday 21 March 2016, 14:11

Description: Users without the capability to view hidden activities could still see the associated calendar events via web services
Issue summary: External function get_calendar_events returns events that pertain to hidden activities
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Juan Leyva
Issue no.: MDL-52808
CVE identifier: CVE-2016-2156
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52808
_____________________________________________________________________
MSA-16-0009: CSRF in Assignment plugin management page
Marina Glancy
Monday 21 March 2016, 14:12

Description: CSRF is possible on an admin page; however, an exploit is unlikely to benefit anybody and can easily be reversed
Issue summary: CSRF in Assignment plugin management page
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Paul Holden
Issue no.: MDL-53031
CVE identifier: CVE-2016-2157
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53031
_____________________________________________________________________
MSA-16-0010: Enumeration of category details possible without authentication
Marina Glancy
Monday 21 March 2016, 14:12

Description: Despite the force login setting, guests could still access course category details
Issue summary: Enumeration of category details possible without authentication
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Krista Koivisto
Issue no.: MDL-52774
CVE identifier: CVE-2016-2158
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52774
_____________________________________________________________________
MSA-16-0011: Add no referrer to links with _blank target attribute
Marina Glancy
Monday 21 March 2016, 14:13

Description: Improve security when following external links that were added with a _blank target
Issue summary: Add no referrer to links with _blank target attribute
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Hugh Davenport
Issue no.: MDL-52651
CVE identifier: CVE-2016-2190
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52651
_____________________________________________________________________
MSA-16-0012: External function mod_assign_save_submission does not check due dates
Marina Glancy
Monday 21 March 2016, 14:14

Description: Students were able to add assignment submissions after the due date through the web service
Issue summary: External function mod_assign_save_submission does not check due dates
Severity/Risk: Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12 and earlier unsupported versions
Versions fixed: 3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by: Juan Leyva
Issue no.: MDL-52901
CVE identifier: CVE-2016-2159
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52901
==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER              | tel : 01-53-94-20-44         +
+ 23 - 25 Rue Daviel        | fax : 01-53-94-20-41         +
+ 75013 Paris               | email: cert@support.renater.fr +
==========================================================
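The affected-version statement at the top of this note covers four supported branches with a different fixed release each, and two of the ten advisories (MSA-16-0006 and MSA-16-0007) do not list 2.7 at all. The script below is an added example, not CERT-Renater or Moodle code, that turns those statements into a check an administrator can run against an install's version.php. It assumes that file carries a line of the form $release = '3.0.2 (Build: 20160111)'; (the usual Moodle layout) and treats a weekly "+" build such as '3.0.2+' as its base release, which is the conservative reading for a fix shipped in a point release. The version.php fragments in the main block are constructed for the demonstration.

```python
"""Assess whether a Moodle install is covered by the fixes in this note.

Added example, not CERT-Renater or Moodle code.  Assumptions: Moodle's
version.php carries a line such as  $release = '3.0.2 (Build: 20160111)';
and a weekly "+" build (e.g. '3.0.2+') is treated as its base release.
"""
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

# Fixed release per supported branch, as stated in the note.
FIXED = {
    (3, 0): (3, 0, 3),
    (2, 9): (2, 9, 5),
    (2, 8): (2, 8, 11),
    (2, 7): (2, 7, 13),
}
OLDEST_SUPPORTED = (2, 7)

# CVE per advisory in this note.  MSA-16-0006 and MSA-16-0007 list 2.8 as
# the oldest affected branch; every other advisory lists 2.7 as well.
ADVISORIES = {
    "MSA-16-0003": "CVE-2016-2151",
    "MSA-16-0004": "CVE-2016-2152",
    "MSA-16-0005": "CVE-2016-2153",
    "MSA-16-0006": "CVE-2016-2154",
    "MSA-16-0007": "CVE-2016-2155",
    "MSA-16-0008": "CVE-2016-2156",
    "MSA-16-0009": "CVE-2016-2157",
    "MSA-16-0010": "CVE-2016-2158",
    "MSA-16-0011": "CVE-2016-2190",
    "MSA-16-0012": "CVE-2016-2159",
}
FROM_28_ONLY = {"MSA-16-0006", "MSA-16-0007"}

# Captures major.minor[.patch] from the $release line; the build stamp and
# any trailing "+" are deliberately ignored (assumed version.php layout).
_RELEASE_RE = re.compile(r"\$release\s*=\s*['\"](\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(version_php: str) -> Version:
    """Extract (major, minor, patch) from the $release line of version.php."""
    m = _RELEASE_RE.search(version_php)
    if m is None:
        raise ValueError("no $release assignment found in version.php")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def assess(version: Version) -> str:
    """Return 'fixed', 'affected' or 'unknown' for the given release."""
    branch = version[:2]
    if branch in FIXED:
        return "fixed" if version >= FIXED[branch] else "affected"
    if branch < OLDEST_SUPPORTED:
        # Unsupported branches are listed as affected and receive no fix.
        return "affected"
    # Branches newer than any the note covers (3.1 and later).
    return "unknown"


def applicable_advisories(version: Version) -> List[str]:
    """MSA ids from this note that apply to an affected install."""
    if assess(version) != "affected":
        return []
    return sorted(msa for msa in ADVISORIES
                  if msa not in FROM_28_ONLY or version[:2] >= (2, 8))


def report(version_php: str) -> str:
    """One-line verdict for a version.php text."""
    version = parse_release(version_php)
    status = assess(version)
    label = ".".join(map(str, version))
    if status == "affected":
        msas = ", ".join(f"{m} ({ADVISORIES[m]})"
                         for m in applicable_advisories(version))
        return f"Moodle {label}: AFFECTED by {msas}"
    return f"Moodle {label}: {status}"


if __name__ == "__main__":
    # Constructed version.php fragments, not taken from any real install.
    samples = [
        "$release  = '3.0.2 (Build: 20160111)';",
        "$release  = '2.7.12+ (Build: 20160204)';",
        "$release  = '2.9.5 (Build: 20160321)';",
        "$release  = '2.6.11 (Build: 20150511)';",
    ]
    for sample in samples:
        print(report(sample))
```

A release string is only a first indication: a distribution package may carry the fix under an unchanged release number, so confirm against the "Changes (master)" links above (the commits carry the MDL issue number) before treating an install as affected, and treat any install on a branch older than 2.7 as needing an upgrade rather than a patch.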