====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN279
_____________________________________________________________________

DATE                : 18/05/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Moodle versions prior to 3.8.3,
                                3.7.6, 3.6.10, 3.5.12.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=403512
https://moodle.org/mod/forum/discuss.php?d=403513
_____________________________________________________________________

MSA-20-0005: MathJax URL upgraded to later version to remove XSS risk
             (upstream)
par Michael Hawkins, lundi 18 mai 2020, 15:34


MathJax versions 2.7.2 and earlier contain a stored XSS risk. The
MathJax URL has been updated to reference a newer version, which has the
vulnerability patched.


Severity/Risk: 	Serious
Versions affected: 	3.8 to 3.8.2, 3.7 to 3.7.5, 3.6 to 3.6.9, 3.5 to
                         3.5.11 and earlier unsupported versions
Versions fixed: 	3.8.3, 3.7.6, 3.6.10 and 3.5.12
Reported by: 	Abdullah Hussam
Workaround: 	Manually update the MathJax URL in site administration
                to reference the patched version
(https://cdn.jsdelivr.net/npm/mathjax@2.7.8/MathJax.js)

CVE identifier: 	CVE-2018-1999024
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68430

Tracker issue:         MDL-68430 MathJax URL upgraded to later version
                        to remove XSS risk (upstream)

_____________________________________________________________________


MSA-20-0006: Remote code execution possible via SCORM packages
par Michael Hawkins, lundi 18 mai 2020, 15:37


It was possible to create a SCORM package in such a way that when added
to a course, it could be interacted with via web services in order to
achieve remote code execution.


Severity/Risk: 	Serious
Versions affected: 	3.8 to 3.8.2, 3.7 to 3.7.5, 3.6 to 3.6.9, 3.5 to
                         3.5.11 and earlier unsupported versions
Versions fixed: 	3.8.3, 3.7.6, 3.6.10 and 3.5.12
Reported by:            Paul Holden
Workaround:             Disable the 'SCORM package' activity type until
                         the patch is applied.
CVE identifier: 	CVE-2020-10738

Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68410

Tracker issue:          MDL-68410 Remote code execution possible via
                         SCORM packages


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================