===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1767
       MSA-20-0005: MathJax URL upgraded to later version to remove
                            XSS risk (upstream)
                                19 May 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Moodle
Publisher:         Moodle
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-10738 CVE-2018-1999024 

Original Bulletin: 
   https://moodle.org/mod/forum/discuss.php?d=403512&parent=1628590
   https://moodle.org/mod/forum/discuss.php?d=403513&parent=1628593

Comment: This bulletin contains two (2) Moodle security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

MSA-20-0005: MathJax URL upgraded to later version to remove XSS risk
(upstream)

MathJax versions 2.7.2 and earlier contain a stored XSS risk. The MathJax URL
has been updated to reference a newer version, which has the vulnerability
patched.

Severity/Risk:      Serious
Versions affected:  3.8 to 3.8.2, 3.7 to 3.7.5, 3.6 to 3.6.9, 3.5 to 3.5.11 and
                    earlier unsupported versions
Versions fixed:     3.8.3, 3.7.6, 3.6.10 and 3.5.12
Reported by:        Abdullah Hussam
Workaround:         Manually update the MathJax URL in site administration to
                    reference the patched version
                    (https://cdn.jsdelivr.net/npm/mathjax@2.7.8/MathJax.js)
CVE identifier:     CVE-2018-1999024
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68430
Tracker issue:      MDL-68430 MathJax URL upgraded to later version to remove
                    XSS risk (upstream)

-------------------------------------------------------------------------------------

MSA-20-0006: Remote code execution possible via SCORM packages

It was possible to create a SCORM package in such a way that when added to a
course, it could be interacted with via web services in order to achieve remote
code execution.

Severity/Risk:      Serious
Versions affected:  3.8 to 3.8.2, 3.7 to 3.7.5, 3.6 to 3.6.9, 3.5 to 3.5.11 and
                    earlier unsupported versions
Versions fixed:     3.8.3, 3.7.6, 3.6.10 and 3.5.12
Reported by:        Paul Holden
Workaround:         Disable the 'SCORM package' activity type until the patch is
                    applied.
CVE identifier:     CVE-2020-10738
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-68410
Tracker issue:      MDL-68410 Remote code execution possible via SCORM packages
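A small audit check covering both advisories above, added here as an example and not part of the AusCERT or Moodle bulletins: it tests a Moodle release string against the affected and fixed versions listed for MSA-20-0005 and MSA-20-0006, and tests whether the MathJax loader URL set in site administration still points at a release at or below 2.7.2. The URL shapes, the treatment of unlisted branches (3.9 onwards assumed fixed) and the sample values are assumptions, not taken from the bulletin.

```python
import re
from typing import Optional, Tuple

# Fixed releases listed in MSA-20-0005 and MSA-20-0006: for each (major, minor)
# branch, this patch level and later are safe. Branches older than 3.5 are
# unsupported and treated as affected.
MOODLE_FIXED = {(3, 8): 3, (3, 7): 6, (3, 6): 10, (3, 5): 12}

# MathJax 2.7.2 and earlier carry the stored XSS (CVE-2018-1999024).
MATHJAX_SAFE_FROM = (2, 7, 3)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull the first dotted numeric version (e.g. '3.8.2') out of a string."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)


def moodle_affected(version: str) -> bool:
    """True if a Moodle release string falls in the advisories' affected ranges."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised Moodle version: {version!r}")
    branch = (v[0], v[1])
    patch = v[2] if len(v) > 2 else 0  # '3.8' is the 3.8.0 release
    fixed_patch = MOODLE_FIXED.get(branch)
    if fixed_patch is None:
        # Unlisted branch (assumption): older than 3.5 is unsupported and
        # affected, 3.9 onwards shipped after the fix.
        return branch < (3, 5)
    return patch < fixed_patch


def mathjax_url_affected(url: str) -> bool:
    """True if the MathJax loader URL from site administration still points at
    a vulnerable release. The version is read from the URL path, e.g.
    '.../mathjax@2.7.8/MathJax.js' (URL shapes are an assumption here);
    a URL carrying no version cannot be vetted and is reported as affected."""
    v = parse_version(url)
    if v is None:
        return True
    v = v + (0,) * (3 - len(v))  # pad '2.7' to (2, 7, 0)
    return v < MATHJAX_SAFE_FROM
```

Feed it the value of the site's Moodle release string and the configured MathJax URL; a True from either function means the workaround or the patch release still needs applying.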

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================