==================================================================== CERT-Renater Note d'Information No. 2017/VULN261 _____________________________________________________________________ DATE : 18/09/2017 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Moodle versions prior to 3.3.2, 3.2.5, 3.1.8. ===================================================================== https://moodle.org/mod/forum/discuss.php?d=358588#p1446236 https://moodle.org/mod/forum/discuss.php?d=358587#p1446235 https://moodle.org/mod/forum/discuss.php?d=358586#p1446234 https://moodle.org/mod/forum/discuss.php?d=358585#p1446233 ____________________________________________________________________ MSA-17-0020: Admins may not know that exposing vendor directory is a security risk Marina Glancy lundi 18 septembre 2017, 11:07 Directories vendor/ and node_modules/ that are created by composer and used during Moodle development may expose dangerous scripts to the web and should never be present on production sites. This issue adds a respective security check. Manual action may be required from the site admin to remove composer- generated directories or prevent access to them from the web. Severity/Risk: Serious Versions affected: 3.3 to 3.3.1, 3.2 to 3.2.4, 3.1 to 3.1.7 and earlier unsupported versions Versions fixed: 3.3.2, 3.2.5 and 3.1.8 Reported by: David Mudrák CVE identifier: CVE-2017-9841 reported against PHPUnit project, it is relevant to the version used in Moodle development Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59969 Tracker issue: MDL-59969 Admins may not know that exposing vendor directory is a security risk ____________________________________________________________________ MSA-17-0019: user_can_view_profile() incorrectly assumes $course as shared course Marina Glancy lundi 18 septembre 2017, 11:03 This fix may affect plugins using this API function, there is no exploit in standard Moodle Severity/Risk: Minor Versions affected: 3.3 to 3.3.1, 3.2 to 3.2.4, 3.1 to 3.1.7 and earlier unsupported versions Versions fixed: 3.3.2, 3.2.5 and 3.1.8 Reported by: Ankit Agarwal Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58953 Tracker issue: MDL-58953 user_can_view_profile() incorrectly assumes $course as $sharedcourse ____________________________________________________________________ MSA-17-0018: Course reports are not respecting group settings in courses Marina Glancy lundi 18 septembre 2017, 11:02 Number of course reports allowed teachers to view details about users in the groups they can't access Severity/Risk: Minor Versions affected: 3.3 to 3.3.1, 3.2 to 3.2.4, 3.1 to 3.1.7 and earlier unsupported versions Versions fixed: 3.3.2, 3.2.5 and 3.1.8 Reported by: Juan Leyva CVE identifier: CVE-2017-12157 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58762 Tracker issue: MDL-58762 Course reports are not respecting group settings in courses ____________________________________________________________________ MSA-17-0017: XSS in contact form on "non-respondents" page in non-anonymous feedback Marina Glancy lundi 18 septembre 2017, 11:01 Form on the feedback "non-respondents" page does not escape the value of subject thus creating self-XSS. This can be used to attack another user by tricking them into opening malicious URL whilst in an open Moodle session Severity/Risk: Minor Versions affected: 3.3 to 3.3.1, 3.2 to 3.2.4, 3.1 to 3.1.7 and earlier unsupported versions Versions fixed: 3.3.2, 3.2.5 and 3.1.8 Reported by: JPCERT/CC CVE identifier: CVE-2017-12156 Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-59972 Tracker issue: MDL-59972 XSS in contact form on "non-respondents" page (mod_feedback) ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================