Moodle security anouncement

Posted on Posted in Moodle

A list of new vulnerabilities have been announced by moodle developers:

  1. Students were able to add assignment submissions after the due date through web service [CVE-2016-2159]
  2. Improve security when following external links that were added with _blank target [CVE-2016-2190]
  3. Despite force login setting guests could still access course category details [CVE-2016-2158]
  4. CSRF possible on admin page, however exploit unlikely benefit anybody and can easily be reversed [CVE-2016-2157]
  5. Users without capability to view hidden acitivites could still see associated calendar events via web services [CVE-2016-2156]
  6. Incorrect capability check in Single View grade report could result in giving a teacher extra permission [CVE-2016-2155]
  7. Users without capability to view hidden courses but with capability to subscribe to Event Monitor rules could see the names of hidden courses [CVE-2016-2154]
  8. User with higher permissions could be tricked into clicking a link which would result in XSS attack [CVE-2016-2153]
  9. Moodle traditionally trusted content from external DB however it was decided that external datasources may not be aware of web security practices and data could cause problems after importing to Moodle [CVE-2016-2152]
  10. Teachers who otherwise were not supposed to see students' emails could see them in the participants list [CVE-2016-2151]

Impact:

  1. External function mod_assign_save_submission does not check due dates
  2. Add no referrer to links with _blank target attribute
  3. Enumeration of category details possible without authentication
  4. CSRF in Assignment plugin management page
  5. External function get_calendar_events return events that pertains to hidden activities
  6. Non-Editing Instructor role can edit exclude checkbox in Single View
  7. Hidden courses are shown to students in Event Monitor
  8. Reflected XSS in mod_data advanced search
  9. XSS from profile fields from external db
  10. Incorrect capability check when displaying users emails in Participants list

Solution:

  1. Revoke capability to subscribe to Event Monitor rules from regular users
  2. Educate staff to always use only modern browsers that block such attacks by default
  3. Apply vendor issued code changes

Source(s): moodle.org/security

One thought on “Moodle security anouncement

  1. This issue has been withdrawn from the security release already after both Moodle and CVE identifiers have been assigned.

Leave a Reply

Your email address will not be published. Required fields are marked *