Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAB_jSYwVGQrFsH6syD=az8-4Moazj5de0xvRrYnAiRuhaG=Tgw@mail.gmail.com>
Date: Mon, 21 Mar 2016 14:32:15 +0800
From: Marina Glancy <marina@...dle.com>
To: oss-security@...ts.openwall.com
Subject: moodle security release

The following security notifications have now been made public. Thanks
to OSS members for their cooperation.

Marina Glancy
Development Process Manager
e: marina@...dle.com
p: +61 8 9467 4167 w: moodle.com

==============================================================================
MSA-16-0003: Incorrect capability check when displaying users emails in
Participants list

Description:       Teachers who otherwise were not supposed to see students'
                   emails could see them in the participants list
Issue summary:     Incorrect capability check when displaying users emails in
                   Participants list
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Matt Jenner
Issue no.:         MDL-52433
CVE identifier:    CVE-2016-2151
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52433

==============================================================================
MSA-16-0004: XSS from profile fields from external db

Description:       Moodle traditionally trusted content from external DB
                   however it was decided that external datasources may not be
                   aware of web security practices and data could cause
                   problems after importing to Moodle
Issue summary:     XSS from profile fields from external db
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Jay Knight
Issue no.:         MDL-50705
CVE identifier:    CVE-2016-2152
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50705

==============================================================================
MSA-16-0005: Reflected XSS in mod_data advanced search

Description:       User with higher permissions could be tricked into clicking
                   a link which would result in XSS attack
Issue summary:     Reflected XSS in mod_data advanced search
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Ian Song
Issue no.:         MDL-52727
Workaround:        Educate staff to always use only modern browsers that block
                   such attacks by default
CVE identifier:    CVE-2016-2153
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52727

==============================================================================
MSA-16-0006: Hidden courses are shown to students in Event Monitor

Description:       Users without capability to view hidden courses but with
                   capability to subscribe to Event Monitor rules could see
                   the names of hidden courses
Issue summary:     Hidden courses are shown to students in Event Monitor
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10
Versions fixed:    3.0.3, 2.9.5 and 2.8.11
Reported by:       Roger
Issue no.:         MDL-51167
Workaround:        Revoke capability to subscribe to Event Monitor rules from
                   regular users
CVE identifier:    CVE-2016-2154
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51167

==============================================================================
MSA-16-0007: Non-Editing Instructor role can edit exclude checkbox in Single
View

Description:       Incorrect capability check in Single View grade report
                   could result in giving a teacher extra permission
Issue summary:     Non-Editing Instructor role can edit exclude checkbox in
                   Single View
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10
Versions fixed:    3.0.3, 2.9.5 and 2.8.11
Reported by:       Mark McKay
Issue no.:         MDL-52378
CVE identifier:    CVE-2016-2155
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52378

==============================================================================
MSA-16-0008: External function get_calendar_events return events that pertains
to hidden activities

Description:       Users without capability to view hidden acitivites could
                   still see associated calendar events via web services
Issue summary:     External function get_calendar_events return events that
                   pertains to hidden activities
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Juan Leyva
Issue no.:         MDL-52808
CVE identifier:    CVE-2016-2156
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52808

==============================================================================
MSA-16-0009: CSRF in Assignment plugin management page

Description:       CSRF possible on admin page, however exploit unlikely
                   benefit anybody and can easily be reversed
Issue summary:     CSRF in Assignment plugin management page
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Paul Holden
Issue no.:         MDL-53031
CVE identifier:    CVE-2016-2157
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53031

==============================================================================
MSA-16-0010: Enumeration of category details possible without authentication

Description:       Despite force login setting guests could still access
                   course category details
Issue summary:     Enumeration of category details possible without
                   authentication
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Krista Koivisto
Issue no.:         MDL-52774
CVE identifier:    CVE-2016-2158
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52774

==============================================================================
MSA-16-0011: Add no referrer to links with _blank target attribute

Description:       Improve security when following external links that were
                   added with _blank target
Issue summary:     Add no referrer to links with _blank target attribute
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Hugh Davenport
Issue no.:         MDL-52651
CVE identifier:    CVE-2016-2190
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52651

==============================================================================
MSA-16-0012: External function mod_assign_save_submission does not check due
dates

Description:       Students were able to add assignment submissions after the
                   due date through web service
Issue summary:     External function mod_assign_save_submission does not check
                   due dates
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Juan Leyva
Issue no.:         MDL-52901
CVE identifier:    CVE-2016-2159
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52901

==============================================================================

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.