===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4361
                         Moodle Security Advisory
                             19 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Moodle
Publisher:         Moodle
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
                   Unauthorised Access            -- Remote/Unauthenticated      
                   Access Confidential Data       -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-14884 CVE-2019-14883 CVE-2019-14882
                   CVE-2019-14881 CVE-2019-14880 CVE-2019-14879

Original Bulletin: 
   https://moodle.org/mod/forum/discuss.php?d=393582&parent=1586743
   https://moodle.org/mod/forum/discuss.php?d=393583&parent=1586744
   https://moodle.org/mod/forum/discuss.php?d=393584&parent=1586746
   https://moodle.org/mod/forum/discuss.php?d=393585&parent=1586747
   https://moodle.org/mod/forum/discuss.php?d=393586&parent=1586750
   https://moodle.org/mod/forum/discuss.php?d=393587&parent=1586751

Comment: This bulletin contains six (6) Moodle security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

MSA-19-0024: Assigned Role in Cohort did not un-assign on removal

When a cohort role assignment was removed, the associated capabilities were not
being revoked (where applicable).

Severity/Risk:     Minor
Versions affected: 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier
                   unsupported versions
Versions fixed:    3.7.3, 3.6.7 and 3.5.9
Reported by:       Yusuf Yilmaz, Mick Cassell
CVE identifier:    CVE-2019-14879
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66257
Tracker issue:     MDL-66257 Assigned Role in Cohort did not un-assign on removal

===============================================================================

MSA-19-0025: Add additional verification for some OAuth 2 logins to prevent
account compromise

OAuth 2 providers who do not verify users' email address changes require
additional verification during sign-up to reduce the risk of account
compromise.

Severity/Risk:     Serious
Versions affected: 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier
                   unsupported versions
Versions fixed:    3.7.3, 3.6.7 and 3.5.9
Reported by:       CeDiS Team
Workaround:        Disable login via OAuth 2 providers that may be affected,
                   until the patch is applied.
CVE identifier:    CVE-2019-14880
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66598
Tracker issue:     MDL-66598 Add additional verification for some OAuth 2 logins
                   to prevent account compromise
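
The linking decision described in MSA-19-0025, modelled as an added example (this is not Moodle's code; the provider names, the AccountLinker class and its methods are assumptions made for the illustration): a provider that does not verify email ownership must not bind its login to an existing local account on the email claim alone, so a separate confirmation sent to that address is required first.

```python
# Added model of the account-linking decision behind MSA-19-0025.
# Not Moodle's code: provider names, the AccountLinker class and its
# methods are assumptions made for this example.
import hmac
import secrets

# Assumed list of providers trusted to have verified the email they assert.
VERIFIED_EMAIL_PROVIDERS = {"trusted-idp"}


class AccountLinker:
    def __init__(self, local_accounts):
        # local_accounts: {email: username} of existing site accounts
        self.local_accounts = dict(local_accounts)
        self.linked = {}    # (provider, subject) -> username
        self.pending = {}   # (provider, subject) -> (email, token)

    def login(self, provider, subject, email):
        """Return ('linked', username), ('confirm', token) or ('none', None)."""
        key = (provider, subject)
        if key in self.linked:
            return "linked", self.linked[key]
        username = self.local_accounts.get(email)
        if username is None:
            return "none", None  # no existing account claims this email
        if provider in VERIFIED_EMAIL_PROVIDERS:
            self.linked[key] = username
            return "linked", username
        # Unverified provider: the email claim alone must not bind this
        # external identity to an existing account. Hand back a token that
        # would be sent to the claimed address and link only on confirm().
        token = secrets.token_urlsafe(32)
        self.pending[key] = (email, token)
        return "confirm", token

    def confirm(self, provider, subject, token):
        """Complete linking only with the token that was sent to the email."""
        key = (provider, subject)
        entry = self.pending.get(key)
        if entry is None or not hmac.compare_digest(entry[1], token):
            return False
        email, _ = entry
        del self.pending[key]
        self.linked[key] = self.local_accounts[email]
        return True
```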

===============================================================================

MSA-19-0026: Blind XSS reflected in some locations where user email is
displayed

User emails required additional sanitizing to prevent blind XSS risk on some
pages.

Severity/Risk:     Minor
Versions affected: 3.7 to 3.7.2
Versions fixed:    3.7.3
Reported by:       Yuri Zwaig
CVE identifier:    CVE-2019-14881
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66762
Tracker issue:     MDL-66762 Blind XSS reflected in some locations where user
                   email is displayed

===============================================================================

MSA-19-0027: Open redirect in Lesson edit page

An open redirect existed in the Lesson edit page.

Severity/Risk:     Minor
Versions affected: 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier
                   unsupported versions
Versions fixed:    3.7.3, 3.6.7 and 3.5.9
Reported by:       Paul Holden
CVE identifier:    CVE-2019-14882
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66228
Tracker issue:     MDL-66228 Open redirect in Lesson edit page
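
A return-URL check of the kind that closes an open redirect such as MSA-19-0027, as an added example (not Moodle's code; is_local_url and safe_redirect_target are names chosen here, and wwwroot stands for the site's root URL): a redirect target taken from a request parameter is accepted only if it resolves to a URL under the site root, including the protocol-relative, userinfo, backslash and path-prefix cases that simple string checks miss.

```python
# Added return-URL check of the kind that closes an open redirect such as
# MSA-19-0027. Not Moodle's code: is_local_url and safe_redirect_target
# are names chosen for this example; wwwroot stands for the site root URL.
from urllib.parse import urljoin, urlsplit


def is_local_url(target, wwwroot):
    """True only if target resolves to a URL under the site root."""
    # Reject control characters (header injection) and backslashes, which
    # browsers treat as slashes so "/\evil.example" would become "//evil.example".
    if not target or any(c in target for c in "\r\n\x00\\"):
        return False
    base = wwwroot.rstrip("/") + "/"
    root = urlsplit(base)
    # Resolve relative targets against the root so "/course/x" becomes
    # absolute while "//evil.example/" keeps its foreign host.
    resolved = urlsplit(urljoin(base, target))
    if resolved.scheme.lower() != root.scheme.lower():
        return False
    if (resolved.hostname or "") != (root.hostname or ""):
        return False
    try:
        if resolved.port != root.port:
            return False
    except ValueError:  # malformed port in the target
        return False
    # Stay under the root path, so "/lmsx/" is not accepted for root "/lms".
    return (resolved.path + "/").startswith(root.path)


def safe_redirect_target(param, wwwroot):
    """Use the supplied target only when it passes the check, else the root."""
    return param if is_local_url(param, wwwroot) else wwwroot
```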

===============================================================================

MSA-19-0028: Email media URL tokens were not checking for user status

Tokens used to fetch inline attachments in email notifications were not
disabled when a user's account was no longer active. Note: to access files, a
user would need to know the file path, and their token.

Severity/Risk:     Minor
Versions affected: 3.7 to 3.7.2 and 3.6 to 3.6.6
Versions fixed:    3.7.3 and 3.6.7
Reported by:       Juan Leyva
CVE identifier:    CVE-2019-14883
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66377
Tracker issue:     MDL-66377 Email media URL tokens were not checking for user
                   status
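
The check MSA-19-0028 describes as missing, modelled as an added example (not Moodle's code; the USERS and EMAIL_TOKENS tables, the token strings and file paths are constructed sample data, and the function names are assumptions): a media token is looked up and bound to one file, and the owning account's status is evaluated on every fetch rather than only when the token was issued.

```python
# Added model of the check MSA-19-0028 describes as missing: an email media
# token must be refused once its owner's account is no longer active.
# Not Moodle's code: the USERS and EMAIL_TOKENS tables, the token strings and
# file paths are constructed sample data; function names are assumptions.
import hmac

USERS = {
    1: {"username": "active_user",    "deleted": 0, "suspended": 0},
    2: {"username": "deleted_user",   "deleted": 1, "suspended": 0},
    3: {"username": "suspended_user", "deleted": 0, "suspended": 1},
}
# token -> (owning userid, the one file path the token was issued for)
EMAIL_TOKENS = {
    "tok-active":    (1, "/files/attachment/12/img.png"),
    "tok-deleted":   (2, "/files/attachment/13/img.png"),
    "tok-suspended": (3, "/files/attachment/14/img.png"),
}


def user_is_active(userid):
    """Account status is evaluated at fetch time, not at token issue time."""
    user = USERS.get(userid)
    return bool(user) and not user["deleted"] and not user["suspended"]


def lookup_token(token):
    # Constant-time comparison avoids leaking token bytes through timing;
    # a real store would index a hash of the token instead of scanning.
    for stored, entry in EMAIL_TOKENS.items():
        if hmac.compare_digest(stored.encode(), token.encode()):
            return entry
    return None


def authorise_media_fetch(token, path):
    """Return the owning userid if the fetch may proceed, else None."""
    entry = lookup_token(token)
    if entry is None:
        return None                 # unknown token
    userid, allowed_path = entry
    if path != allowed_path:
        return None                 # token is bound to one file only
    if not user_is_active(userid):
        return None                 # the check the advisory adds
    return userid
```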

===============================================================================

MSA-19-0029: Reflected XSS possible from some fatal error messages

Fatal error messages required extra sanitizing to prevent reflected XSS risks
on some pages.

Severity/Risk:     Serious
Versions affected: 3.7 to 3.7.2, 3.6 to 3.6.6, 3.5 to 3.5.8 and earlier
                   unsupported versions
Versions fixed:    3.7.3, 3.6.7 and 3.5.9
Reported by:       Yuriy Dyachenko
CVE identifier:    CVE-2019-14884
Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-66161
Tracker issue:     MDL-66161 Reflected XSS possible from some fatal error
                   messages

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================