
====================================================================

                             CERT-Renater

                 Note d'Information No. 2018/VULN118
_____________________________________________________________________

DATE                : 28/03/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Moodle 3.x versions prior to 3.4.2,
                                 3.3.5, 3.2.8 and 3.1.11.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=367939
https://moodle.org/mod/forum/discuss.php?d=367938
_____________________________________________________________________

MSA-18-0006: Suspended users with OAuth 2 authentication method can
still log in to the site

Marina Glancy
Monday 26 March 2018, 14:53


If a user account using the OAuth 2 authentication method was once
confirmed but later suspended, the user could still log in to the site.


Severity/Risk:      Minor
Versions affected:  3.4 to 3.4.1, 3.3 to 3.3.4
Versions fixed:     3.4.2 and 3.3.5
Reported by:        Helen Foster
CVE identifier:     CVE-2018-1082
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-60101
Tracker issue:      MDL-60101 Suspended users with OAuth 2
                    authentication method can still log in to the site

_____________________________________________________________________

MSA-18-0005: Unauthenticated users can trigger custom messages to admin
via paypal enrol script
Marina Glancy
Monday 26 March 2018, 14:52


The PayPal IPN callback script should only send error emails to the admin
after the request origin has been verified; otherwise the admin email can
be spammed.


Severity/Risk:      Serious
Versions affected:  3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 3.2.7, 3.1
                    to 3.1.10 and earlier unsupported versions
Versions fixed:     3.4.2, 3.3.5, 3.2.8 and 3.1.11
Reported by:        Brendan Cox
CVE identifier:     CVE-2018-1081
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61392
Tracker issue:      MDL-61392 Unauthenticated users can trigger
                    custom messages to admin via paypal enrol
                    script
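To illustrate the ordering problem behind MSA-18-0005, the following is an added Python model of an IPN receiver; it is not Moodle's enrol/paypal code. FakePayPal, IpnHandler and the admin_inbox list are constructed stand-ins for PayPal's IPN verification endpoint, the callback script and the admin mailbox.

```python
from dataclasses import dataclass, field


class FakePayPal:
    """Constructed stand-in for PayPal's IPN verification endpoint.

    A real receiver posts the notification back to PayPal and gets
    "VERIFIED" or "INVALID"; here we accept only transaction ids we minted.
    """

    def __init__(self, issued_txn_ids):
        self.issued = set(issued_txn_ids)

    def verify(self, params):
        return "VERIFIED" if params.get("txn_id") in self.issued else "INVALID"


@dataclass
class IpnHandler:
    paypal: FakePayPal
    admin_inbox: list = field(default_factory=list)  # stand-in for admin email

    def _notify_admin(self, params):
        # The message body echoes fields from the notification, which is why
        # sending it for unverified requests lets anyone fill the admin mailbox.
        self.admin_inbox.append(f"Payment problem: {params.get('custom', '')}")

    def handle_vulnerable(self, params):
        # Before: error emails go out on any malformed notification, before
        # anyone has checked that PayPal actually sent it.
        if params.get("payment_status") != "Completed":
            self._notify_admin(params)
            return "rejected"
        if self.paypal.verify(params) != "VERIFIED":
            return "rejected"
        return "enrolled"

    def handle_fixed(self, params):
        # After: verify the origin first; an unverifiable notification is
        # dropped without mailing anyone, and only genuine PayPal errors
        # reach the admin.
        if self.paypal.verify(params) != "VERIFIED":
            return "rejected"
        if params.get("payment_status") != "Completed":
            self._notify_admin(params)
            return "rejected"
        return "enrolled"
```

Unverifiable notifications should still be logged server-side for monitoring; the point is that they must not produce outbound mail.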

==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
