====================================================================
                          CERT-Renater

               Information Note No. 2020/VULN029
_____________________________________________________________________

DATE                : 20/01/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Moodle versions 3.8 prior to 3.8.1.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=395953
_____________________________________________________________________

MSA-20-0001: Stored XSS in message conversation overview

by Michael Hawkins, Monday, 20 January 2020, 13:07

Messages required extra sanitizing before updating the conversation
overview, to prevent the risk of stored XSS.

Severity/Risk:     Serious
Versions affected: 3.8
Versions fixed:    3.8.1
Reported by:       Cid da Costa
Workaround:        Disable the messaging system until the patch has been applied.
CVE identifier:    CVE-2020-1691
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-67637
Tracker issue:     MDL-67637 Stored XSS in message conversation overview

=========================================================
+ CERT-RENATER      | tel : 01-53-94-20-44              +
+ 23/25 Rue Daviel  | fax : 01-53-94-20-41              +
+ 75013 Paris       | email:cert@support.renater.fr     +
=========================================================