Bug 1319679 - CVE-2016-2151 CVE-2016-2152 CVE-2016-2153 CVE-2016-2154 CVE-2016-2155 CVE-2016-2156 CVE-2016-2157 CVE-2016-2158 CVE-2016-2159 CVE-2016-2190 moodle: multiple security issues fixed in 3.0.3, 2.9.5, 2.8.11, 2.7.13
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2016-2151, CVE-2016-2152, CVE-2016-2153, CVE-2016-2154, CVE-2016-2155, CVE-2016-2156, CVE-2016-2157, CVE-2016-2158, CVE-2016-2159, CVE-2016-2190
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1319680 1319681 1319682
Blocks:
Reported: 2016-03-21 10:28 UTC by Andrej Nemec
Modified: 2021-02-17 04:09 UTC (History)

Fixed In Version: moodle 3.0.3, moodle 2.9.5, moodle 2.8.11, moodle 2.7.13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 02:49:59 UTC
Embargoed:



Description Andrej Nemec 2016-03-21 10:28:55 UTC
Multiple security issues were fixed in versions 3.0.3, 2.9.5, 2.8.11 and 2.7.13 of moodle.

==============================================================================
MSA-16-0003: Incorrect capability check when displaying users' emails in
Participants list

Description:       Teachers who otherwise were not supposed to see students'
                   emails could see them in the participants list
Issue summary:     Incorrect capability check when displaying users' emails in
                   Participants list
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Matt Jenner
Issue no.:         MDL-52433
CVE identifier:    CVE-2016-2151
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52433

==============================================================================
MSA-16-0004: XSS from profile fields from external db

Description:       Moodle traditionally trusted content from an external DB;
                   however, it was decided that external data sources may not
                   be aware of web security practices and that their data could
                   cause problems after being imported into Moodle
Issue summary:     XSS from profile fields from external db
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Jay Knight
Issue no.:         MDL-50705
CVE identifier:    CVE-2016-2152
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-50705

==============================================================================
MSA-16-0005: Reflected XSS in mod_data advanced search

Description:       User with higher permissions could be tricked into clicking
                   a link which would result in XSS attack
Issue summary:     Reflected XSS in mod_data advanced search
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Ian Song
Issue no.:         MDL-52727
Workaround:        Educate staff to always use only modern browsers that block
                   such attacks by default
CVE identifier:    CVE-2016-2153
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52727

==============================================================================
MSA-16-0006: Hidden courses are shown to students in Event Monitor

Description:       Users without capability to view hidden courses but with
                   capability to subscribe to Event Monitor rules could see
                   the names of hidden courses
Issue summary:     Hidden courses are shown to students in Event Monitor
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10
Versions fixed:    3.0.3, 2.9.5 and 2.8.11
Reported by:       Roger
Issue no.:         MDL-51167
Workaround:        Revoke capability to subscribe to Event Monitor rules from
                   regular users
CVE identifier:    CVE-2016-2154
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-51167

==============================================================================
MSA-16-0007: Non-Editing Instructor role can edit exclude checkbox in Single
View

Description:       Incorrect capability check in Single View grade report
                   could result in giving a teacher extra permission
Issue summary:     Non-Editing Instructor role can edit exclude checkbox in
                   Single View
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10
Versions fixed:    3.0.3, 2.9.5 and 2.8.11
Reported by:       Mark McKay
Issue no.:         MDL-52378
CVE identifier:    CVE-2016-2155
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52378

==============================================================================
MSA-16-0008: External function get_calendar_events returns events that pertain
to hidden activities

Description:       Users without the capability to view hidden activities could
                   still see the associated calendar events via web services
Issue summary:     External function get_calendar_events returns events that
                   pertain to hidden activities
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Juan Leyva
Issue no.:         MDL-52808
CVE identifier:    CVE-2016-2156
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52808

==============================================================================
MSA-16-0009: CSRF in Assignment plugin management page

Description:       CSRF is possible on an admin page; however, an exploit is
                   unlikely to benefit anybody and can easily be reversed
Issue summary:     CSRF in Assignment plugin management page
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Paul Holden
Issue no.:         MDL-53031
CVE identifier:    CVE-2016-2157
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-53031

==============================================================================
MSA-16-0010: Enumeration of category details possible without authentication

Description:       Despite the force login setting, guests could still access
                   course category details
Issue summary:     Enumeration of category details possible without
                   authentication
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Krista Koivisto
Issue no.:         MDL-52774
CVE identifier:    CVE-2016-2158
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52774

==============================================================================
MSA-16-0011: Add no referrer to links with _blank target attribute

Description:       Improve security when following external links that were
                   added with _blank target
Issue summary:     Add no referrer to links with _blank target attribute
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Hugh Davenport
Issue no.:         MDL-52651
CVE identifier:    CVE-2016-2190
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52651
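A client-side illustration of the mitigation behind MSA-16-0011, added here as an example and not code from Moodle: it scans an HTML string for anchors with target="_blank" and adds rel="noreferrer noopener" so the opened page neither receives a Referer header nor gets a window.opener handle back to the originating tab. It assumes the input is an HTML string and uses a minimal attribute matcher rather than a full HTML parser.

```javascript
// Added example, not Moodle's code: the mitigation behind MSA-16-0011.
// A link opened with target="_blank" and no rel="noreferrer" gives the
// destination page a Referer header and a window.opener handle back to the
// originating tab. Adding rel="noreferrer noopener" removes both channels.

// Matches each <a ...> start tag; attrText is everything between "<a" and ">".
const ANCHOR_RE = /<a\b([^>]*)>/gi;
// Matches one attribute: name, then optionally ="v", ='v' or =v (bare value).
const ATTR_RE = /([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(attrText) {
  const attrs = new Map(); // insertion order is kept so the tag is rebuilt faithfully
  for (const m of attrText.matchAll(ATTR_RE)) {
    const value = m[2] ?? m[3] ?? m[4] ?? null; // null marks a boolean attribute
    attrs.set(m[1].toLowerCase(), value);
  }
  return attrs;
}

function hardenBlankLinks(html) {
  return html.replace(ANCHOR_RE, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if ((attrs.get('target') || '').toLowerCase() !== '_blank') return tag;
    const rel = new Set((attrs.get('rel') || '').toLowerCase().split(/\s+/).filter(Boolean));
    if (rel.has('noreferrer')) return tag; // already hardened; noreferrer implies noopener
    rel.add('noreferrer');
    rel.add('noopener');
    attrs.set('rel', [...rel].join(' ')); // updates an existing rel in place or appends one
    let out = '<a';
    for (const [name, value] of attrs) {
      out += value === null ? ` ${name}` : ` ${name}="${value.replace(/"/g, '&quot;')}"`;
    }
    return out + '>';
  });
}
```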

==============================================================================
MSA-16-0012: External function mod_assign_save_submission does not check due
dates

Description:       Students were able to add assignment submissions after the
                   due date through web service
Issue summary:     External function mod_assign_save_submission does not check
                   due dates
Severity/Risk:     Minor
Versions affected: 3.0 to 3.0.2, 2.9 to 2.9.4, 2.8 to 2.8.10, 2.7 to 2.7.12
                   and earlier unsupported versions
Versions fixed:    3.0.3, 2.9.5, 2.8.11 and 2.7.13
Reported by:       Juan Leyva
Issue no.:         MDL-52901
CVE identifier:    CVE-2016-2159
Changes (master):
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-52901


External references:

https://moodle.org/mod/forum/discuss.php?d=329783

Comment 1 Andrej Nemec 2016-03-21 10:29:28 UTC
Created moodle tracking bugs for this issue:

Affects: fedora-all [bug 1319680]
Affects: epel-6 [bug 1319681]
Affects: epel-7 [bug 1319682]

Comment 2 Product Security DevOps Team 2019-06-08 02:49:59 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

