
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN526
_____________________________________________________________________

DATE                : 21/09/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Moodle versions prior to 3.9.2,
                     3.8.5, 3.7.8, 3.5.14.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=410839
https://moodle.org/mod/forum/discuss.php?d=410840
https://moodle.org/mod/forum/discuss.php?d=410841
https://moodle.org/mod/forum/discuss.php?d=410842
https://moodle.org/mod/forum/discuss.php?d=410843
_____________________________________________________________________


MSA-20-0011: Stored XSS via moodlenetprofile parameter in user profile
by Michael Hawkins, Monday 21 September 2020, 15:22

The moodlenetprofile user profile field required extra sanitizing to
prevent a stored XSS risk.


Severity/Risk:          Serious
Versions affected:      3.9 to 3.9.1
Versions fixed:         3.9.2
Reported by:            Kien Hoang
CVE identifier:         CVE-2020-25627
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69240
Tracker issue:          MDL-69240 Stored XSS via moodlenetprofile
                        parameter in user profile

_____________________________________________________________________


MSA-20-0012: Reflected XSS in tag manager
by Michael Hawkins, Monday 21 September 2020, 15:23


The filter in the admin task log required extra sanitizing to prevent a
reflected XSS risk.


Severity/Risk:          Serious
Versions affected:      3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to
                        3.5.13 and earlier unsupported versions
Versions fixed:         3.9.2, 3.8.5, 3.7.8 and 3.5.14
Reported by:            Luuk Verhoeven
CVE identifier:         CVE-2020-25628
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69340
Tracker issue:          MDL-69340 Reflected XSS in tag manager

_____________________________________________________________________


MSA-20-0013: "Log in as" capability in a course context may lead to some
privilege escalation
by Michael Hawkins, Monday 21 September 2020, 15:24


Users with "Log in as" capability in a course context (typically, course
managers) may gain access to some site administration capabilities by
"logging in as" a System manager.


Severity/Risk:          Minor
Versions affected:      3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to
                        3.5.13 and earlier unsupported versions
Versions fixed:         3.9.2, 3.8.5, 3.7.8 and 3.5.14
Reported by:            Florence Thiard
Workaround:             Remove the "Login as other users" capability
                        from the manager role until the patch is
                        applied.
CVE identifier:         CVE-2020-25629
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68974
Tracker issue:          MDL-68974 "Log in as" capability in a course
                        context may lead to some privilege escalation

_____________________________________________________________________


MSA-20-0014: Denial of service risk in file picker unzip functionality
by Michael Hawkins, Monday 21 September 2020, 15:30


The decompressed size of zip files was not checked against available
user quota before unzipping them, which could lead to a denial of
service risk.


Severity/Risk:          Serious
Versions affected:      3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to
                        3.5.13 and earlier unsupported versions
Versions fixed:         3.9.2, 3.8.5, 3.7.8 and 3.5.14
Reported by:            Ivan Novichkov
CVE identifier:         CVE-2020-25630
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-65115
Tracker issue:          MDL-65115 Denial of service risk in file picker
                        unzip functionality
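
The check MSA-20-0014 describes, as an added example that is not Moodle's own code: the archive's declared decompressed size is compared with the user's remaining quota before anything is unpacked, and the bytes actually produced are counted during extraction as well. It assumes an in-memory extraction, a quota expressed in bytes, and a constructed sample archive.

```python
# Added example (not Moodle's code): refuse to unzip an archive whose
# decompressed size would exceed the user's remaining quota.
import io
import zipfile


class QuotaExceeded(Exception):
    """Extracting this archive would exceed the caller's quota."""


def declared_size(archive: zipfile.ZipFile) -> int:
    """Total uncompressed size the archive claims for its file members."""
    return sum(i.file_size for i in archive.infolist() if not i.is_dir())


def safe_unzip(data: bytes, quota_bytes: int, chunk: int = 64 * 1024) -> dict:
    """Extract members into memory, enforcing quota_bytes on the result.

    The up-front check on declared sizes rejects oversized archives before
    any decompression happens; the running count during extraction keeps the
    limit independent of the headers being honest.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        if declared_size(archive) > quota_bytes:
            raise QuotaExceeded("declared decompressed size exceeds quota")
        written, files = 0, {}
        for info in archive.infolist():
            if info.is_dir():
                continue
            buf = bytearray()
            with archive.open(info) as member:
                for piece in iter(lambda: member.read(chunk), b""):
                    written += len(piece)
                    if written > quota_bytes:
                        raise QuotaExceeded("decompressed output exceeds quota")
                    buf += piece
            files[info.filename] = bytes(buf)
    return files


def extract_if_within_quota(data: bytes, quota_bytes: int):
    """(True, files) when the archive fits the quota, (False, {}) when refused."""
    try:
        return True, safe_unzip(data, quota_bytes)
    except QuotaExceeded:
        return False, {}


def make_zip(members: dict) -> bytes:
    """Build a constructed in-memory archive to use as sample input."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return out.getvalue()


# Constructed sample: 2 MB of identical bytes deflates to a few KB, but the
# user only has 64 KB of quota left, so the declared-size check rejects it.
BOMB = make_zip({"big.txt": b"A" * 2_000_000})
```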

_____________________________________________________________________


MSA-20-0015: Chapter name in book not always escaped with forceclean enabled
by Michael Hawkins, Monday 21 September 2020, 15:34


It was possible to include JavaScript in a book's chapter title, which
was not escaped on the "Add new chapter" page.

Note: By default this functionality is only available to trusted users
(such as teachers), but has been included as a security issue as a
precaution, since it was not sanitized on sites with forceclean enabled.


Severity/Risk:          Minor
Versions affected:      3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7
Versions fixed:         3.9.2, 3.8.5 and 3.7.8
Reported by:            DegrangeM
CVE identifier:         CVE-2020-25631
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-69048
Tracker issue:          MDL-69048 Chapter name in book not always
                        escaped with forceclean enabled

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================