====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN159

_____________________________________________________________________

DATE                : 21/05/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Moodle versions prior to 3.7,
                               3.6.4, 3.5.6, 3.4.9, 3.1.18.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=386524
https://moodle.org/mod/forum/discuss.php?d=386523
https://moodle.org/mod/forum/discuss.php?d=386521
_____________________________________________________________________


MSA-19-0012: Private files uploaded via incoming mail processing could
bypass quota restrictions
par Michael Hawkins, lundi 20 mai 2019, 14:46

The size of users' private file uploads via email were not correctly
checked, so their quota allowance could be exceeded.


Severity/Risk:          Minor
Versions affected: 	3.6 to 3.6.3, 3.5 to 3.5.5, 3.4 to 3.4.8, 3.1 to
                         3.1.17 and earlier unsupported versions
Versions fixed: 	3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18
Reported by:            Guillermo Leon Alvarez Salamanca
Workaround:             Disable the "Email to Private files" message
                         handler until the fix is applied. This is
                         disabled by default in Moodle.
CVE identifier: 	CVE-2019-10134
Changes (master): 	
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61738
Tracker issue:          MDL-61738 Private files uploaded via incoming
                         mail processing could bypass quota restrictions

_____________________________________________________________________


MSA-19-0011: Open redirect in upload cohorts page
par Michael Hawkins, lundi 20 mai 2019, 14:44

The form to upload cohorts contained a redirect field, which was not
restricted to internal URLs.


Severity/Risk:          Minor
Versions affected:      3.6 to 3.6.3, 3.5 to 3.5.5, 3.4 to 3.4.8, 3.1 to
                         3.1.17 and earlier unsupported versions
Versions fixed: 	3.7, 3.6.4, 3.5.6, 3.4.9 and 3.1.18
Reported by:            Lindon Wass
CVE identifier:         CVE-2019-10133
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64708
Tracker issue:          MDL-64708 Open redirect in upload cohorts page

_____________________________________________________________________


MSA-19-0010: All messaging conversations could be viewed
par Michael Hawkins, lundi 20 mai 2019, 14:38

A web service fetching messages was not restricted to the current user's
conversations.


Severity/Risk:          Serious
Versions affected:      3.6 to 3.6.3
Versions fixed:         3.7, 3.6.4
Reported by:            Mazen Gamal
Workaround:             Disable the messaging system until the fix is
                         applied.
CVE identifier:         CVE-2019-10132
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-65365
Tracker issue:     MDL-65365 All messaging conversations could be viewed


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================