===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4361
                          Moodle Security Advisory
                              19 November 2019
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Moodle
Publisher:         Moodle
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
                   Unauthorised Access            -- Remote/Unauthenticated
                   Access Confidential Data       -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-14884 CVE-2019-14883 CVE-2019-14882
                   CVE-2019-14881 CVE-2019-14880 CVE-2019-14879

Original Bulletin:
   https://moodle.org/mod/forum/discuss.php?d=393582&parent=1586743
   https://moodle.org/mod/forum/discuss.php?d=393583&parent=1586744
   https://moodle.org/mod/forum/discuss.php?d=393584&parent=1586746
   https://moodle.org/mod/forum/discuss.php?d=393585&parent=1586747
   https://moodle.org/mod/forum/discuss.php?d=393586&parent=1586750
   https://moodle.org/mod/forum/discuss.php?d=393587&parent=1586751

Comment: This bulletin contains six (6) Moodle security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

MSA-19-0024: Assigned Role in Cohort did not un-assign on removal

When a cohort role assignment was removed, the associated capabilities were not being revoked (where applicable).
Severity/Risk:     Minor
Versions affected: 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions
Versions fixed:    3.7.3, 3.6.7 and 3.5.9
Reported by:       Yusuf Yilmaz, Mick Cassell
CVE identifier:    CVE-2019-14879
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66257
Tracker issue:     MDL-66257 Assigned Role in Cohort did not un-assign on removal

===============================================================================

MSA-19-0025: Add additional verification for some OAuth 2 logins to prevent account compromise

OAuth 2 providers who do not verify users' email address changes require additional verification during sign-up to reduce the risk of account compromise.

Severity/Risk:     Serious
Versions affected: 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions
Versions fixed:    3.7.3, 3.6.7 and 3.5.9
Reported by:       CeDiS Team
Workaround:        Disable login via OAuth 2 providers that may be affected, until the patch is applied.
CVE identifier:    CVE-2019-14880
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66598
Tracker issue:     MDL-66598 Add additional verification for some OAuth 2 logins to prevent account compromise

===============================================================================

MSA-19-0026: Blind XSS reflected in some locations where user email is displayed

User emails required additional sanitizing to prevent blind XSS risk on some pages.

Severity/Risk:     Minor
Versions affected: 3.7 to 3.7.2
Versions fixed:    3.7.3
Reported by:       Yuri Zwaig
CVE identifier:    CVE-2019-14881
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66762
Tracker issue:     MDL-66762 Blind XSS reflected in some locations where user email is displayed

===============================================================================

MSA-19-0027: Open redirect in Lesson edit page

An open redirect existed in the Lesson edit page.
Severity/Risk:     Minor
Versions affected: 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions
Versions fixed:    3.7.3, 3.6.7 and 3.5.9
Reported by:       Paul Holden
CVE identifier:    CVE-2019-14882
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66228
Tracker issue:     MDL-66228 Open redirect in Lesson edit page

===============================================================================

MSA-19-0028: Email media URL tokens were not checking for user status

Tokens used to fetch inline attachments in email notifications were not disabled when a user's account was no longer active.

Note: to access files, a user would need to know the file path, and their token.

Severity/Risk:     Minor
Versions affected: 3.7 to 3.7.2 and 3.6 to 3.6.6
Versions fixed:    3.7.3 and 3.6.7
Reported by:       Juan Leyva
CVE identifier:    CVE-2019-14883
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66377
Tracker issue:     MDL-66377 Email media URL tokens were not checking for user status

===============================================================================

MSA-19-0029: Reflected XSS possible from some fatal error messages

Fatal error messages required extra sanitizing to prevent reflected XSS risks on some pages.

Severity/Risk:     Serious
Versions affected: 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier unsupported versions
Versions fixed:    3.7.3, 3.6.7 and 3.5.9
Reported by:       Yuriy Dyachenko
CVE identifier:    CVE-2019-14884
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66161
Tracker issue:     MDL-66161 Reflected XSS possible from some fatal error messages

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT.
The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

   https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================