
====================================================================

                             CERT-Renater

                 Information Note No. 2019/VULN287

_____________________________________________________________________

DATE                : 20/09/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Moodle versions prior to 3.7.2,
                                    3.6.6 and 3.5.8.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=391030
https://moodle.org/mod/forum/discuss.php?d=391031
https://moodle.org/mod/forum/discuss.php?d=391032
https://moodle.org/mod/forum/discuss.php?d=391035
https://moodle.org/mod/forum/discuss.php?d=391036
https://moodle.org/mod/forum/discuss.php?d=391037
_____________________________________________________________________


MSA-19-0018: JavaScript injection possible in some Mustache templates
via recursive rendering from contexts
by Michael Hawkins, Monday 16 September 2019, 16:06


Mustache helper tags that were included in template contexts were not
being escaped before that context was injected into another Mustache
helper, which could result in script injection in some templates.


Severity/Risk:          Serious
Versions affected:      3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and
                         earlier unsupported versions
Versions fixed:         3.7.2, 3.6.6 and 3.5.8
Reported by:            Sam Hemelryk, Andrew Nicols
CVE identifier:         CVE-2019-14827
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62284
Tracker issue:          MDL-62284 JavaScript injection possible in some
                         Mustache templates via recursive rendering from
                         contexts

_____________________________________________________________________


MSA-19-0019: Course creation did not check the creator's role assignment
capability before automatically assigning them as a teacher in the
course
by Michael Hawkins, Monday 16 September 2019, 16:09


Users with the capability to create courses were assigned as a teacher
in those courses, regardless of whether they had the capability to be
automatically assigned that role.


Severity/Risk:          Minor
Versions affected:      3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and
                         earlier unsupported versions
Versions fixed:         3.7.2, 3.6.6 and 3.5.8
Reported by:            Andrew Nicols
CVE identifier:         CVE-2019-14828
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66181
Tracker issue:          MDL-66181 Course creation did not check the
                         creator's role assignment capability before
                         automatically assigning them as a teacher in the
                         course

_____________________________________________________________________


MSA-19-0020: Python Machine Learning dependency versions bumped
by Michael Hawkins, Monday 16 September 2019, 16:15


The analytics Python Machine Learning backend has received some security
fixes, resulting in the required PIP package version being increased.
(Note: sites using the PHP ML backend, or not using analytics at all, are
not affected.)


Severity/Risk:          Minor
Versions affected:      3.7 to 3.7.1, 3.6 to 3.6.5 and 3.5 to 3.5.7 and
                         earlier unsupported versions
Versions fixed:         3.7.2, 3.6.6 and 3.5.8
Reported by:            David Monllaó
CVE identifier:         N/A
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66069
Tracker issue:          MDL-66069 Python Machine Learning dependency
                         versions bumped

_____________________________________________________________________


MSA-19-0021: Activity :addinstance capabilities were not respected when
creating a course in single activity format
by Michael Hawkins, Monday 16 September 2019, 16:24


Activity creation capabilities were not correctly respected when
selecting the activity to use for a course in single activity mode.


Severity/Risk:          Minor
Versions affected:      3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and
                         earlier unsupported versions
Versions fixed:         3.7.2, 3.6.6 and 3.5.8
Reported by:            Andrew Nicols
CVE identifier:         CVE-2019-14829
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66187
Tracker issue:          MDL-66187 Activity :addinstance capabilities
                         were not respected when creating a course in
                         single activity format

_____________________________________________________________________


MSA-19-0022: Open redirect in the mobile launch endpoint could be used
to expose mobile access tokens
by Michael Hawkins, Monday 16 September 2019, 16:27


The mobile launch endpoint contained an open redirect in some
circumstances, which could result in a user's mobile access token being
exposed. (Note: This does not affect sites with a forced URL scheme
configured, mobile service disabled, or where the mobile app login
method is "via the app").


Severity/Risk:          Serious
Versions affected:      3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and
                         earlier unsupported versions
Versions fixed:         3.7.2, 3.6.6 and 3.5.8
Reported by:            Frederik Schou Schmidt
Workaround:             Configure the "Forced URL scheme"
                         (forcedurlscheme) option in site administration
                         to either the app's custom URL scheme, or
                         "moodlemobile" for sites using the standard
                         Moodle app. Alternative workaround options
                         include disabling mobile service
                         (enablemobilewebservice), or changing the mobile
                         app login method (typeoflogin) to "via the app"
                         if possible (instead of via SSO plugin) until
                         the patch is applied.
CVE identifier:         CVE-2019-14830
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66501
Tracker issue:          MDL-66501 Open redirect in the mobile launch
                         endpoint could be used to expose mobile access
                         tokens

_____________________________________________________________________


MSA-19-0023: Forum subscribe link contained an open redirect if forced
subscription mode was enabled
by Michael Hawkins, Monday 16 September 2019, 16:34


If a forum's subscription mode was set to "forced subscription", the
forum's subscribe link contained an open redirect.


Severity/Risk:          Minor
Versions affected:      3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and
                         earlier unsupported versions
Versions fixed:         3.7.2, 3.6.6 and 3.5.8
Reported by:            John Couzins
Workaround:             Set a different subscription mode (e.g. optional
                         or auto) on forums until the patch is applied.
CVE identifier:         CVE-2019-14831
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-55451
Tracker issue:          MDL-55451 Forum subscribe link contained an open
                         redirect if forced subscription mode was enabled
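
Added illustration (not part of the CERT-Renater note and not Moodle's
own code): the two open-redirect items above, MSA-19-0022 and
MSA-19-0023, share one defensive pattern, validating a redirect target
before the server issues it. The Python below shows that pattern for
both cases: a scheme allow-list for the mobile launch redirect that
mirrors the forcedurlscheme workaround, a same-origin check for
"return to" style links such as the forum subscribe link, and a small
check that applies the advisory's own exception list to a site's
settings. The site URL, the sample targets and the configuration dict
are constructed for the example; only the setting names forcedurlscheme,
enablemobilewebservice and typeoflogin come from the advisory, and the
value "app" stands in for "via the app" because the real stored value is
not given on this page.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Constructed sample site URL for the example (not a real installation).
SITE_URL = "https://lms.example.edu"


def allowed_mobile_launch_target(url: str, forcedurlscheme: Optional[str]) -> bool:
    """Mirror of the forcedurlscheme workaround: a launch redirect is only
    issued when the target uses the URL scheme the administrator forced
    (e.g. 'moodlemobile'). With no forced scheme there is no way to tell the
    app apart from an arbitrary web site, so the redirect is refused.
    Illustrative logic, not the Moodle launch endpoint's own code."""
    if not forcedurlscheme:
        return False
    scheme = urlsplit(url).scheme          # urlsplit lower-cases the scheme
    return scheme == forcedurlscheme.lower()


def allowed_local_redirect(url: str, site_url: str = SITE_URL) -> bool:
    """Same-origin check for 'return to' style parameters such as the forum
    subscribe link's redirect: resolve the value against the site URL and
    accept it only if scheme and host still match the site."""
    candidate = url.strip()
    # Protocol-relative ("//host") and backslash variants ("/\\host") are
    # resolved to another host by browsers; reject them before resolving.
    if candidate.startswith(("//", "/\\", "\\")):
        return False
    target = urlsplit(urljoin(site_url, candidate))
    site = urlsplit(site_url)
    if target.scheme not in ("http", "https"):
        return False                       # e.g. javascript: or data:
    return (target.scheme == site.scheme
            and target.netloc.lower() == site.netloc.lower())


def mobile_launch_exposed(config: dict) -> bool:
    """Apply the advisory's exception list to a site's settings: the mobile
    launch redirect is a concern only when no forced URL scheme is set, the
    mobile web service is enabled and the login method is not 'via the app'.
    The dict keys mirror the setting names in the advisory; 'app' is a
    placeholder for the 'via the app' value (assumption for the example)."""
    if config.get("forcedurlscheme"):
        return False
    if not config.get("enablemobilewebservice", False):
        return False
    if config.get("typeoflogin") == "app":
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a launch target using the forced scheme, a target
    # on another host, and a few 'return to' values of the kind a subscribe
    # link might carry.
    print(allowed_mobile_launch_target("moodlemobile://app/?token=EXAMPLE", "moodlemobile"))
    print(allowed_mobile_launch_target("https://attacker.example/?token=EXAMPLE", "moodlemobile"))
    print(allowed_local_redirect("/mod/forum/view.php?id=3"))
    print(allowed_local_redirect("//attacker.example/"))
    print(mobile_launch_exposed({"enablemobilewebservice": True, "typeoflogin": "browser"}))
```

The same-origin check deliberately resolves the candidate against the
site URL first, so relative paths are accepted while absolute URLs,
protocol-relative forms and non-HTTP schemes are all measured against the
site's own scheme and host rather than pattern-matched as strings.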


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================