Bug 1288158 (CVE-2015-5331, CVE-2015-5332, CVE-2015-5335, CVE-2015-5336, CVE-2015-5337, CVE-2015-5338, CVE-2015-5339, CVE-2015-5340, CVE-2015-5341, CVE-2015-5342)

Summary: CVE-2015-5331 CVE-2015-5332 CVE-2015-5335 CVE-2015-5336 CVE-2015-5337 CVE-2015-5338 CVE-2015-5339 CVE-2015-5340 CVE-2015-5341 CVE-2015-5342 moodle: Multiple security issues fixed in 2.7.11, 2.8.9, 2.9.3
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: osoukup, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: moodle 2.7.11, moodle 2.8.9, moodle 2.9.3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 02:46:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1288159, 1288160
Bug Blocks:

Description Adam Mariš 2015-12-03 17:17:33 UTC
Multiple security issues were fixed in versions 2.7.11, 2.8.9 and 2.9.3 of moodle.

-----
(MSA-15-0037) CVE-2015-5331 Possible to send a message to a user who blocked messages from non contacts:

An insufficient settings check when messaging another user opens a spam possibility. Users who are not in the contact list can still send messages even though this is blocked in preferences.
Versions affected: 2.9 to 2.9.2
Versions fixed: 2.9.3
Reported by: Pavel Sokolov
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50426
-----
(MSA-15-0038) CVE-2015-5332 DDoS possibility in Atto:

If guest access is open on the site, an unauthenticated user can create a DDoS attack through the editor autosave area. Guests can exploit the Atto draft area to store content.
Versions affected: 2.9 to 2.9.2 and 2.8 to 2.8.8
Versions fixed: 2.9.3 and 2.8.9
Reported by: Frédéric Massart
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51000
-----
(MSA-15-0039) CVE-2015-5335 CSRF in site registration form:

An attacker can send an admin a link to the site registration form that will display the correct URL but, if submitted, will register with another hub. It is possible to trick a site/admin into sending aggregate stats to an arbitrary domain.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Andrew Davis
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51091
-----
(MSA-15-0040) CVE-2015-5336 Student XSS in survey:

The standard survey module is vulnerable to an XSS attack by students who fill in the survey.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Hugh Davenport
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49940
-----
(MSA-15-0041) CVE-2015-5337 XSS in flash video player:

An XSS vulnerability caused by the Flowplayer flash video player has been addressed.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Andrew Nicols
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48085
-----
(MSA-15-0042) CVE-2015-5338 CSRF in lesson login form:

Password-protected lesson modules are subject to a CSRF vulnerability.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Ankit Agarwal
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-48109
-----
(MSA-15-0043) CVE-2015-5339 Web service core_enrol_get_enrolled_users does not respect course group mode:

Through the WS core_enrol_get_enrolled_users it is possible to retrieve a list of course participants who would not be visible when using the web site.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Daniel Palou
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51861
-----
(MSA-15-0044) CVE-2015-5340 Capability to view available badges is not respected:

Logged-in users who do not have the capability 'View available badges without earning them' can still access the full list of badges. The capability moodle/badges:viewbadges is not respected.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Marina Glancy
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51684
-----
(MSA-15-0045) CVE-2015-5341 SCORM module allows to bypass access restrictions based on date:

Incorrect and missing handling of availability dates in mod_scorm lets users view the SCORM contents, bypassing the date restriction.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Juan Leyva
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50837
-----
(MSA-15-0046) CVE-2015-5342 Choice module closing date can be bypassed:

Users can mock the URL to delete or submit new responses after the choice module was closed.
Versions affected: 2.9 to 2.9.2, 2.8 to 2.8.8, 2.7 to 2.7.10 and earlier unsupported versions
Versions fixed: 2.9.3, 2.8.9 and 2.7.11
Reported by: Juan Leyva
Upstream patch: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51569
-----

External reference:

https://moodle.org/mod/forum/discuss.php?d=322852

Comment 1 Adam Mariš 2015-12-03 17:19:30 UTC
Created moodle tracking bugs for this issue:

Affects: fedora-all [bug 1288159]
Affects: epel-6 [bug 1288160]

Comment 3 Product Security DevOps Team 2019-06-08 02:46:03 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.