====================================================================
CERT-Renater Information Note No. 2019/VULN363
_____________________________________________________________________

DATE : 18/11/2019
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Moodle versions prior to 3.7.3, 3.6.7, 3.5.9.
=====================================================================

https://moodle.org/mod/forum/discuss.php?d=393582
https://moodle.org/mod/forum/discuss.php?d=393583
https://moodle.org/mod/forum/discuss.php?d=393584
https://moodle.org/mod/forum/discuss.php?d=393585
https://moodle.org/mod/forum/discuss.php?d=393586
https://moodle.org/mod/forum/discuss.php?d=393587
_____________________________________________________________________

MSA-19-0024: Assigned Role in Cohort did not un-assign on removal
by Michael Hawkins, Monday 18 November 2019, 13:15

When a cohort role assignment was removed, the associated capabilities were not being revoked (where applicable).

Severity/Risk: Minor
Versions affected: 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions
Versions fixed: 3.7.3, 3.6.7 and 3.5.9
Reported by: Yusuf Yilmaz, Mick Cassell
CVE identifier: CVE-2019-14879
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66257
Tracker issue: MDL-66257 Assigned Role in Cohort did not un-assign on removal
_____________________________________________________________________

MSA-19-0025: Add additional verification for some OAuth 2 logins to prevent account compromise
by Michael Hawkins, Monday 18 November 2019, 13:17

OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise.
Severity/Risk: Serious
Versions affected: 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions
Versions fixed: 3.7.3, 3.6.7 and 3.5.9
Reported by: CeDiS Team
Workaround: Disable login via OAuth 2 providers that may be affected, until the patch is applied.
CVE identifier: CVE-2019-14880
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66598
Tracker issue: MDL-66598 Add additional verification for some OAuth 2 logins to prevent account compromise
_____________________________________________________________________

MSA-19-0026: Blind XSS reflected in some locations where user email is displayed
by Michael Hawkins, Monday 18 November 2019, 13:19

User emails required additional sanitizing to prevent blind XSS risk on some pages.

Severity/Risk: Minor
Versions affected: 3.7 to 3.7.2
Versions fixed: 3.7.3
Reported by: Yuri Zwaig
CVE identifier: CVE-2019-14881
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66762
Tracker issue: MDL-66762 Blind XSS reflected in some locations where user email is displayed
_____________________________________________________________________

MSA-19-0027: Open redirect in Lesson edit page
by Michael Hawkins, Monday 18 November 2019, 13:20

An open redirect existed in the Lesson edit page.
Severity/Risk: Minor
Versions affected: 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions
Versions fixed: 3.7.3, 3.6.7 and 3.5.9
Reported by: Paul Holden
CVE identifier: CVE-2019-14882
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66228
Tracker issue: MDL-66228 Open redirect in Lesson edit page
_____________________________________________________________________

MSA-19-0028: Email media URL tokens were not checking for user status
by Michael Hawkins, Monday 18 November 2019, 13:33

Tokens used to fetch inline attachments in email notifications were not disabled when a user's account was no longer active.

Note: to access files, a user would need to know the file path, and their token.

Severity/Risk: Minor
Versions affected: 3.7 to 3.7.2 and 3.6 to 3.6.6
Versions fixed: 3.7.3 and 3.6.7
Reported by: Juan Leyva
CVE identifier: CVE-2019-14883
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66377
Tracker issue: MDL-66377 Email media URL tokens were not checking for user status
_____________________________________________________________________

MSA-19-0029: Reflected XSS possible from some fatal error messages
by Michael Hawkins, Monday 18 November 2019, 13:35

Fatal error messages required extra sanitizing to prevent reflected XSS risks on some pages.
Severity/Risk: Serious
Versions affected: 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions
Versions fixed: 3.7.3, 3.6.7 and 3.5.9
Reported by: Yuriy Dyachenko
CVE identifier: CVE-2019-14884
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66161
Tracker issue: MDL-66161 Reflected XSS possible from some fatal error messages

=========================================================
+ CERT-RENATER            | tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel        | fax : 01-53-94-20-41         +
+ 75013 Paris             | email:cert@support.renater.fr +
=========================================================
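The open redirect entry (MSA-19-0027) describes a class of defect rather than the specific Moodle code path. The PHP below is an added example written for this note, not Moodle's own fix: it shows the shape of check a redirect target needs before it is placed in a Location header. The site root value, the function names and the sample URLs are constructed for illustration.

```php
<?php
// Added example (not Moodle code): validate a user-supplied "return to" URL
// before redirecting, the defect class described in MSA-19-0027.
// $siteroot is assumed to be this site's own base URL (constructed below).

function is_safe_redirect_target(string $target, string $siteroot): bool {
    // Control characters or whitespace could smuggle a second header or
    // confuse the browser's parser; refuse them outright.
    if (preg_match('/[\x00-\x20\x7f]/', $target)) {
        return false;
    }
    // Some browsers treat "\" like "/", so "/\evil.example" would leave the site.
    if (strpos($target, '\\') !== false) {
        return false;
    }
    $site = parse_url($siteroot);
    if ($site === false || empty($site['scheme']) || empty($site['host'])) {
        return false;
    }
    // Site-relative paths are fine, but "//host/..." is protocol-relative and is not.
    if ($target !== '' && $target[0] === '/') {
        return !(strlen($target) > 1 && $target[1] === '/');
    }
    $parts = parse_url($target);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        // Scheme-less hosts, "javascript:" and similar all fall out here.
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // "https://lms.example.edu@evil.example/" puts the real host after "@";
    // any userinfo component is refused.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    // Exact host match: "lms.example.edu.evil.example" must not pass a suffix test.
    if (strcasecmp($parts['host'], $site['host']) !== 0) {
        return false;
    }
    // The port must agree with the site root (null on both sides means default).
    if (($site['port'] ?? null) !== ($parts['port'] ?? null)) {
        return false;
    }
    // Stay under the site's path prefix when it has one (e.g. /moodle).
    $prefix = rtrim($site['path'] ?? '', '/');
    $path = $parts['path'] ?? '/';
    if ($prefix !== '' && strpos($path . '/', $prefix . '/') !== 0) {
        return false;
    }
    return true;
}

// Redirect only to a validated target, otherwise to a fixed local fallback.
function safe_redirect(string $target, string $siteroot, string $fallback = '/'): void {
    $dest = is_safe_redirect_target($target, $siteroot) ? $target : $fallback;
    header('Location: ' . $dest, true, 302);
    exit;
}

// Constructed demonstration inputs (not taken from the advisory).
$siteroot = 'https://lms.example.edu/moodle';
$samples = [
    '/moodle/mod/lesson/edit.php?id=12',                     // relative: allow
    'https://lms.example.edu/moodle/course/view.php?id=3',   // same origin: allow
    '//evil.example/phish',                                  // protocol-relative: deny
    'https://lms.example.edu.evil.example/',                 // suffix trick: deny
    'https://lms.example.edu@evil.example/',                 // userinfo trick: deny
    'https://evil.example/moodle/',                          // foreign host: deny
    "/\\evil.example",                                       // backslash trick: deny
];
foreach ($samples as $t) {
    printf("%-55s %s\n", $t, is_safe_redirect_target($t, $siteroot) ? 'allow' : 'deny');
}
```

The check is deliberately an allow-list on the parsed scheme, host, port and path prefix rather than a string-prefix comparison on the raw URL; the sample list exercises the common bypasses (protocol-relative, host suffix, userinfo and backslash forms) that a prefix comparison would let through.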
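MSA-19-0028 is about a token being honoured after the account behind it stopped being active. The PHP below is an added example for this note, not Moodle's code: it models the check a file-serving endpoint should run each time a token is presented, so that account state is consulted at use time rather than only when the token was issued. The record shapes and field names (`$token`, `$user`, `deleted`, `suspended`, `validuntil`) are assumed stand-ins for database rows.

```php
<?php
// Added example (not Moodle code): re-check account status every time an
// email media token is used, the gap described in MSA-19-0028.
// Record layouts below are assumed; they stand in for DB rows.

function user_is_active(array $user): bool {
    // A deleted or suspended account must not be able to use any existing token,
    // regardless of when the token was minted.
    if (!empty($user['deleted']) || !empty($user['suspended'])) {
        return false;
    }
    return true;
}

function validate_media_token(string $presented, array $token, array $user, int $now): bool {
    // Compare secrets in constant time to avoid a timing side channel.
    if (!hash_equals($token['token'], $presented)) {
        return false;
    }
    // Expiry: 0 means "no expiry" in this assumed layout.
    if ($token['validuntil'] !== 0 && $token['validuntil'] < $now) {
        return false;
    }
    // The token must belong to the user record it is being checked against.
    if ($token['userid'] !== $user['id']) {
        return false;
    }
    // The fix the advisory describes: account state is part of token validity.
    return user_is_active($user);
}

// Constructed demonstration data.
$now   = 1574078400; // 18 Nov 2019 12:00 UTC, chosen to match the advisory date
$token = ['userid' => 42, 'token' => str_repeat('a', 32), 'validuntil' => 0];

$active    = ['id' => 42, 'deleted' => 0, 'suspended' => 0];
$suspended = ['id' => 42, 'deleted' => 0, 'suspended' => 1];
$deleted   = ['id' => 42, 'deleted' => 1, 'suspended' => 0];

foreach (['active' => $active, 'suspended' => $suspended, 'deleted' => $deleted] as $label => $u) {
    $ok = validate_media_token($token['token'], $token, $u, $now);
    printf("%-10s %s\n", $label, $ok ? 'serve file' : 'refuse');
}
```

The point is structural: a token table alone cannot express "this user was deactivated yesterday", so the endpoint has to join token validity with the current user row on every request, or revoke tokens as part of the suspend/delete operation. Doing both is the conservative choice.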