
====================================================================

                             CERT-Renater

                 Information Note No. 2019/VULN211

_____________________________________________________________________

DATE                : 16/07/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Moodle versions prior to 3.7.1,
                     3.6.5, 3.5.7.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=388567
https://moodle.org/mod/forum/discuss.php?d=388568
https://moodle.org/mod/forum/discuss.php?d=388569
https://moodle.org/mod/forum/discuss.php?d=388570
https://moodle.org/mod/forum/discuss.php?d=388571
_____________________________________________________________________


MSA-19-0013: Missing sesskey (CSRF) token in loading/unloading XML files
by Michael Hawkins, Tuesday 16 July 2019, 11:43


A sesskey (CSRF) token was not being utilised by the XML
loading/unloading admin tool.


Severity/Risk:          Minor
Versions affected:      3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier
                        unsupported versions
Versions fixed:         3.7.1, 3.6.5 and 3.5.7
Reported by:            Callum Carney
CVE identifier:         CVE-2019-10186
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53689
Tracker issue:          MDL-53689 Missing sesskey (CSRF) token in
                        loading/unloading xml files
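The sesskey check this advisory refers to, shown on a constructed site-admin page (an added illustration, not Moodle's own code for MDL-53689). The script path /xmlexample.php, the form field names and the load_xml_upload() helper are assumptions; the Moodle functions called are real core APIs.

```php
<?php
// Added illustration of the pattern behind MSA-19-0013; not Moodle's own
// code for MDL-53689. A minimal site-admin page that accepts an uploaded
// XML file. Field names and load_xml_upload() are constructed for this example.
require_once(__DIR__ . '/config.php');   // assumes this file sits in the Moodle root

require_login();
require_capability('moodle/site:config', context_system::instance());

function load_xml_upload(array $upload): string {
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new invalid_parameter_exception('No file uploaded');
    }
    // LIBXML_NONET keeps the parser from fetching remote resources the document references.
    $xml = simplexml_load_file($upload['tmp_name'], 'SimpleXMLElement', LIBXML_NONET);
    if ($xml === false) {
        throw new invalid_parameter_exception('Not a well-formed XML file');
    }
    return $xml->getName();   // root element name; a real tool would apply the contents here
}

$action = optional_param('action', '', PARAM_ALPHA);
if ($action === 'load') {
    // Vulnerable shape (what the advisory describes): the upload is processed as soon as
    // an authenticated admin's browser sends it, so a page on another origin could make
    // that browser submit the form on the admin's behalf.
    //     $root = load_xml_upload($_FILES['xmlfile']);
    //
    // Fixed shape: require_sesskey() stops the request unless the submitted 'sesskey'
    // parameter equals the token bound to this user's session, which another origin
    // cannot read. The check sits before any state-changing work.
    require_sesskey();
    $root = load_xml_upload($_FILES['xmlfile']);
    redirect(new moodle_url('/xmlexample.php'), 'Loaded XML with root <' . $root . '>');
}

echo $OUTPUT->header();
// The form must carry the session token for the check above to pass.
echo html_writer::start_tag('form', ['method' => 'post', 'enctype' => 'multipart/form-data',
    'action' => new moodle_url('/xmlexample.php')]);
echo html_writer::empty_tag('input', ['type' => 'hidden', 'name' => 'sesskey', 'value' => sesskey()]);
echo html_writer::empty_tag('input', ['type' => 'hidden', 'name' => 'action', 'value' => 'load']);
echo html_writer::empty_tag('input', ['type' => 'file', 'name' => 'xmlfile']);
echo html_writer::empty_tag('input', ['type' => 'submit', 'value' => 'Load']);
echo html_writer::end_tag('form');
echo $OUTPUT->footer();
```

When reviewing a Moodle plugin for the same class of bug, look for any POST or GET handler that changes state without a require_sesskey() or confirm_sesskey() call before the work it does.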

_____________________________________________________________________


MSA-19-0014: Ability to delete glossary entries that belong to another
glossary
by Michael Hawkins, Tuesday 16 July 2019, 11:47


Users with permission to delete entries from a glossary were able to
delete entries from other glossaries they did not have direct access to.


Severity/Risk:          Minor
Versions affected:      3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier
                        unsupported versions
Versions fixed:         3.7.1, 3.6.5 and 3.5.7
Reported by:            Peter Dias
CVE identifier:         CVE-2019-10187
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64623
Tracker issue:          MDL-64623 Ability to delete glossary entries
                        that belong to another glossary

_____________________________________________________________________


MSA-19-0015: Quiz group overrides did not observe groups membership or
accessallgroups
by Michael Hawkins, Tuesday 16 July 2019, 11:49


Teachers in a quiz group could modify group overrides for other groups
in the same quiz.


Severity/Risk:          Minor
Versions affected:      3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier
                        unsupported versions
Versions fixed:         3.7.1, 3.6.5 and 3.5.7
Reported by:            Charl Nel
CVE identifier:         CVE-2019-10188
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-34411
Tracker issue:          MDL-34411 Quiz group overrides did not observe
                        groups membership or accessallgroups

_____________________________________________________________________


MSA-19-0016: Assignment group overrides did not observe separate groups mode
by Michael Hawkins, Tuesday 16 July 2019, 11:52


Teachers in an assignment group could modify group overrides for other
groups in the same assignment.


Severity/Risk:          Minor
Versions affected:      3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier
                        unsupported versions
Versions fixed:         3.7.1, 3.6.5 and 3.5.7
Reported by:            David Monllaó
CVE identifier:         CVE-2019-10189
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-61114
Tracker issue:          MDL-61114 Assignment group overrides did not
                        observe separate groups mode

_____________________________________________________________________


MSA-19-0017: Upgrade TCPDF library for PHP 7.3 and bug fixes (upstream)
by Michael Hawkins, Tuesday 16 July 2019, 11:57


The third party TCPDF library used by Moodle required updating to patch
bug fixes, including a security fix (see CVE for more details).


Severity/Risk:          Minor
Versions affected:      3.7, 3.6 to 3.6.4, 3.5 to 3.5.6 and earlier
                        unsupported versions
Versions fixed:         3.7.1, 3.6.5 and 3.5.7
Reported by:            Dan Marsden
CVE identifier:         CVE-2018-17057
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-64794
Tracker issue:          MDL-64794 Upgrade TCPDF library for PHP 7.3 and
                        bug fixes (upstream)


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================


