
====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN068

_____________________________________________________________________

DATE                : 19/03/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Moodle versions prior to 3.6.3,
                                3.5.5, 3.4.8 and 3.1.17.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=384010&parent=1547742
https://moodle.org/mod/forum/discuss.php?d=384011&parent=1547743
https://moodle.org/mod/forum/discuss.php?d=384012&parent=1547744
https://moodle.org/mod/forum/discuss.php?d=384013&parent=1547745
https://moodle.org/mod/forum/discuss.php?d=384014&parent=1547746
https://moodle.org/mod/forum/discuss.php?d=384015&parent=1547748
_____________________________________________________________________

MSA-19-0004: "Log in as" functionality exposed to JavaScript risk on
other users' Dashboards
Tuesday, 19 March 2019, 11:06 AM

Users with the "login as other users" capability (such as
administrators/managers) can access other users' Dashboards, but
JavaScript that those other users had added to their own Dashboard was
not being escaped when it was rendered for the user logging in on their
behalf. In effect, a script planted by a low-privileged user runs in the
browser session of the administrator who logs in as them: a stored
cross-site scripting issue that crosses a privilege boundary.

Please note that for versions 3.1 and 3.4 only, this fix removes access
to other users' Dashboards while using the login-as functionality.
Versions 3.5 and 3.6 have additional sanitizing implemented, which
allowed the risk to be removed while retaining Dashboard access. If you
require access to Dashboards through the login-as feature, we recommend
upgrading to Moodle 3.5 or above (noting that 3.1 and 3.4 will also no
longer receive security updates after their next releases in May 2019).

Severity/Risk:     Serious
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4, 3.4 to 3.4.7, 3.1 to
                   3.1.16 and earlier unsupported versions
Versions fixed:    3.6.3, 3.5.5, 3.4.8 and 3.1.17
Reported by:       Daniel Thatcher
Workaround:        Use incognito/private browsing mode when using the
                   "Log in as" functionality, then close the private
                   window before logging back in as your own user,
                   to minimise session or cookie related risks.
                   Alternatively, avoid visiting the Dashboard
                   when logged in as other users until the patch is
                   applied.
CVE identifier:    CVE-2019-3847
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-63786
Tracker issue:     MDL-63786 "Log in as" functionality exposed to
                   JavaScript risk on other users' Dashboards
_____________________________________________________________________

MSA-19-0005: Logged in users could view all calendar events
Tuesday, 19 March 2019, 11:10 AM

Permissions were not correctly checked before loading event information
into the calendar's edit event modal popup, so logged in non-guest users
could view unauthorised calendar events. (Note: It was read-only access,
users could not edit the events.)

Severity/Risk:     Serious
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4 and 3.4 to 3.4.7
Versions fixed:    3.6.3, 3.5.5 and 3.4.8
Reported by:       Juan Leyva
CVE identifier:    CVE-2019-3848
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64830
Tracker issue:     MDL-64830 Logged in users could view all calendar
                   events
_____________________________________________________________________

MSA-19-0006: Users could elevate their role when accessing the LTI tool
on a provider site
Tuesday, 19 March 2019, 11:14 AM

Users could assign themselves an escalated role within courses or
content accessed via LTI, by modifying the request to the LTI publisher
site.

Severity/Risk:     Serious
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4, 3.4 to 3.4.7 and earlier
                   unsupported versions
Versions fixed:    3.6.3, 3.5.5 and 3.4.8
Reported by:       Brendan Cox
CVE identifier:    CVE-2019-3849
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62702
Tracker issue:     MDL-62702 Users could elevate their role when
                   accessing the LTI tool on a provider site

_____________________________________________________________________

MSA-19-0007: Stored HTML in assignment submission comments allowed links
to be opened directly
Tuesday, 19 March 2019, 11:15 AM

Links within assignment submission comments opened directly, in the
same window. Even where the link target itself is legitimate, opening it
in the same window and without a no-referrer policy exposes the
originating Moodle URL in the Referer header and makes such links easier
to abuse.

Severity/Risk:     Minor
Versions affected: 3.6 to 3.6.2, 3.5 to 3.5.4, 3.4 to 3.4.7, 3.1 to
                   3.1.16 and earlier unsupported versions
Versions fixed:    3.6.3, 3.5.5, 3.4.8 and 3.1.17
Reported by:       Steeven George
CVE identifier:    CVE-2019-3850
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64651
Tracker issue:     MDL-64651 Stored HTML in assignment submission
                   allowed links to be opened directly
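MSA-19-0004 (user-authored Dashboard HTML rendered for an administrator) and MSA-19-0007 (links in submission comments) come down to the same control: user-supplied markup must be escaped or filtered through an allow-list before it is emitted into another user's page, and outbound links should carry a referrer/opener policy. The sanitiser below is an added illustration written for this note; it is not Moodle's own code (Moodle's fixes are in the tracker issues linked in each advisory). The allowed tag and attribute sets, the choice of rel="noopener noreferrer" plus target="_blank" for anchors, and the sample inputs in the main block are assumptions made for the demonstration.

```python
"""Allow-list HTML sanitiser: everything not explicitly allowed is escaped
or dropped, and every surviving link is rewritten to open in a new window
without leaking a referrer. Illustrative code for this note, not Moodle's."""
from html import escape
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed policy: a small set of formatting tags, href on <a> only.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
# Content of these elements is discarded entirely, not just the tags.
DROPPED_CONTENT_TAGS = {"script", "style"}
# Assumed hardening for MSA-19-0007 style links: new window, no referrer/opener.
LINK_ATTRS = [("target", "_blank"), ("rel", "noopener noreferrer")]


def safe_url(value: Optional[str]) -> bool:
    """Accept relative URLs and http/https/mailto; reject javascript:, data:, etc."""
    if value is None:
        return False
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)  # entities are decoded, then re-escaped below
        self.out: List[str] = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        if tag in DROPPED_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is still kept (escaped)
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # silently drops onclick/onerror/style/...
            if name == "href" and not safe_url(value):
                continue
            kept.append((name, value or ""))
        if tag == "a":
            kept.extend(LINK_ATTRS)
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag: str) -> None:
        if tag in DROPPED_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag == "br":
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data: str) -> None:
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html: str) -> str:
    """Return html with only allowed tags/attributes, text escaped, links hardened."""
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs of the kind a user could store in a Dashboard block or comment.
    samples = [
        '<p onclick="x()">Hi <script>alert(1)</script><a href="javascript:alert(1)">x</a></p>',
        '<img src=x onerror="alert(1)">after',
        '<a href="https://example.com/?q=1&amp;r=2">Site</a>',
    ]
    for s in samples:
        print(sanitize(s))
```

Note that an unterminated `<script>` leaves `skip_depth` raised, so the remainder of the input is dropped rather than rendered; failing closed is the right default for markup shown in a more privileged user's session.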
_____________________________________________________________________

MSA-19-0008: Secure layout contained an insecure link in Boost theme
Tuesday, 19 March 2019, 11:16 AM

There was a link to the site home within the Boost theme's secure
layout (the stripped-down layout used for quiz attempts in secure-window
mode), meaning students could navigate out of the page.

Severity/Risk:     Minor
Versions affected: 3.6 to 3.6.2 and 3.5 to 3.5.4
Versions fixed:    3.6.3 and 3.5.5
Reported by:       Martin von Lowis and Luca Bosch
CVE identifier:    CVE-2019-3851
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64706
Tracker issue:     MDL-64706 Secure layout contained an insecure link in
                   Boost theme
_____________________________________________________________________

MSA-19-0009: get_with_capability_join/get_users_by_capability not aware
of context freezing
Tuesday, 19 March 2019, 11:17 AM

get_with_capability_join and get_users_by_capability were not taking
context freezing (the context locking feature added in Moodle 3.6, which
makes a context read-only) into account when checking user capabilities,
so users could be returned as holding capabilities that the frozen
context no longer grants them.

Severity/Risk:     Minor
Versions affected: 3.6 to 3.6.2
Versions fixed:    3.6.3
Reported by:       Andrew Nicols
CVE identifier:    CVE-2019-3852
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64410
Tracker issue:     MDL-64410
                   get_with_capability_join/get_users_by_capability
                   not aware of context freezing
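To check an installed Moodle release against all six advisories in this note at once, the following script (added here, not part of the Moodle advisories) encodes the "Versions affected" and "Versions fixed" lines above. The handling of "and earlier unsupported versions" is an interpretation: a branch that the advisory does not list, that is not among the branches still receiving fixes in this note (3.6, 3.5, 3.4, 3.1), and that is older than the newest affected branch is reported as affected with no fix; any other unlisted branch is reported as "not listed" so the reader checks the Moodle advisory for it.

```python
"""Check a Moodle release against the version ranges in MSA-19-0004..0009.
Added for this note; the data is transcribed from the advisory bodies above."""
from typing import Dict, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'3.6.2' -> (3, 6, 2); a branch name such as '3.6' -> (3, 6)."""
    return tuple(int(part) for part in text.strip().split("."))


# Branches that received fixed releases in this note (assumed to be the
# supported branches at the time of publication).
SUPPORTED_BRANCHES = {"3.6", "3.5", "3.4", "3.1"}

# branches: {branch: (last affected release, first fixed release)}
# earlier_unsupported: advisory says "and earlier unsupported versions".
ADVISORIES: Dict[str, dict] = {
    "MSA-19-0004 / CVE-2019-3847": {
        "branches": {"3.6": ("3.6.2", "3.6.3"), "3.5": ("3.5.4", "3.5.5"),
                     "3.4": ("3.4.7", "3.4.8"), "3.1": ("3.1.16", "3.1.17")},
        "earlier_unsupported": True,
    },
    "MSA-19-0005 / CVE-2019-3848": {
        "branches": {"3.6": ("3.6.2", "3.6.3"), "3.5": ("3.5.4", "3.5.5"),
                     "3.4": ("3.4.7", "3.4.8")},
        "earlier_unsupported": False,
    },
    "MSA-19-0006 / CVE-2019-3849": {
        "branches": {"3.6": ("3.6.2", "3.6.3"), "3.5": ("3.5.4", "3.5.5"),
                     "3.4": ("3.4.7", "3.4.8")},
        "earlier_unsupported": True,
    },
    "MSA-19-0007 / CVE-2019-3850": {
        "branches": {"3.6": ("3.6.2", "3.6.3"), "3.5": ("3.5.4", "3.5.5"),
                     "3.4": ("3.4.7", "3.4.8"), "3.1": ("3.1.16", "3.1.17")},
        "earlier_unsupported": True,
    },
    "MSA-19-0008 / CVE-2019-3851": {
        "branches": {"3.6": ("3.6.2", "3.6.3"), "3.5": ("3.5.4", "3.5.5")},
        "earlier_unsupported": False,
    },
    "MSA-19-0009 / CVE-2019-3852": {
        "branches": {"3.6": ("3.6.2", "3.6.3")},
        "earlier_unsupported": False,
    },
}


def status(advisory: dict, installed: str) -> str:
    """'affected', 'fixed', 'affected (unsupported branch, no fix)' or 'not listed'."""
    v = parse_version(installed)
    branch = ".".join(str(p) for p in v[:2])
    if branch in advisory["branches"]:
        _last_affected, first_fixed = advisory["branches"][branch]
        return "fixed" if v >= parse_version(first_fixed) else "affected"
    # Interpretation (assumption) of "and earlier unsupported versions":
    # an unlisted, unsupported branch older than the newest affected branch.
    newest = max(parse_version(b) for b in advisory["branches"])
    if advisory["earlier_unsupported"] and branch not in SUPPORTED_BRANCHES and v < newest:
        return "affected (unsupported branch, no fix)"
    return "not listed"


def report(installed: str) -> Dict[str, str]:
    return {name: status(adv, installed) for name, adv in ADVISORIES.items()}


def needs_patch(installed: str) -> bool:
    return any(s.startswith("affected") for s in report(installed).values())


if __name__ == "__main__":
    import sys
    ver = sys.argv[1] if len(sys.argv) > 1 else "3.5.4"  # constructed default
    for name, s in report(ver).items():
        print(f"{name:30} {s}")
    print("patch required" if needs_patch(ver) else "no listed issue")
```

Run it with the value of $release from your Moodle install's version.php (for example `python3 check.py 3.5.4`); a single "affected" line is enough to require the upgrade, since the fixed releases roll up all six fixes.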


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================





