SB2019031903 - Multiple vulnerabilities in Moodle

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Improper Authorization (CVE-ID: CVE-2019-3852)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to get_with_capability_join() and get_users_by_capability() methods did not take into consideration current activity status of the account (e.g. if the account is frozen or not) when checking user capabilities.

2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-3851)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to the application contains a link to site home within the the Boost theme's secure layout that can lead to students navigating out of the page.

3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-3850)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to the application allows links within assignment submission comments to be opened directly in the same window. Such application behavior can lead phishing attacks.

4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-3849)

The vulnerability allows a remote attacker to escalate privileges within the application.

The vulnerability exists due to an error that allows authenticated users to assign themselves an escalated role within courses or content accessed via LTI by modifying the request to the LTI publisher site. A remote authenticated attacker can escalate privileges within the application.

5) Stored cross-site scripting (CVE-ID: CVE-2019-3847)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in user's Dashboard. A remote authenticated attacker can permanently inject JavaScript into Dashboard and execute it victim's browser in context of vulnerable website, when a privileged user with "login as other users" capability view compromised Dashboard on attackers behalf.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

6) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-3848)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to incorrect implementation of permissions checks when loading event information into the calendar's edit event modal popup. A remote authenticated attacker can view contents of calendar events that belong to other users.

Remediation

Install update from vendor's website.

References

• https://moodle.org/mod/forum/discuss.php?d=384015
• https://moodle.org/mod/forum/discuss.php?d=384014
• https://moodle.org/mod/forum/discuss.php?d=384013
• https://moodle.org/mod/forum/discuss.php?d=384012
• https://moodle.org/mod/forum/discuss.php?d=384010
• https://moodle.org/mod/forum/discuss.php?d=384011