MSA-18-0001: Server Side Request Forgery in the filepicker - CVE-2018-1042
By substituting the source URL in the filepicker AJAX request, authenticated users are able to retrieve and view any URL. We classify this issue as serious because some cloud hosting providers contain internal resources that can expose data and compromise a server.
https://moodle.org/mod/forum/discuss.php?d=364381

MSA-18-0002: Setting for blocked hosts list can be bypassed with multiple A record hostnames - CVE-2018-1043
Moodle setting "cURL blocked hosts list" was introduced in Moodle 3.2 to prevent access to specific addresses (usually internal) when the server retrieves URLs requested by the user. A PoC was presented showing how to bypass this restriction by using a DNS record that returns multiple A records for a hostname.
https://moodle.org/mod/forum/discuss.php?d=364382

MSA-18-0003: Privilege escalation in quiz web services - CVE-2018-1044
Quiz web services allow students to see quiz results when it is prohibited in the settings. This web service is used by the mobile app.
https://moodle.org/mod/forum/discuss.php?d=364383

MSA-18-0004: XSS in calendar event name - CVE-2018-1045
It is possible to inject JavaScript in the event name in the calendar block. Normally the capability to create events is only given to trusted users (such as teachers); however, it is not marked as having XSS risk, therefore it is considered a security issue.
https://moodle.org/mod/forum/discuss.php?d=364384
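
For MSA-18-0002, a blocked-hosts check has to cover every address a hostname resolves to, not just one of them. The sketch below is an added example, not Moodle's code or its fix: the blocklist, the hostnames, the DNS answers and all function names are assumptions made for illustration.

```python
import ipaddress
import socket

# Assumed blocklist for illustration; not the value of Moodle's setting.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed DNS answers (hypothetical names, documentation address ranges).
CONSTRUCTED_DNS = {
    "single.example.test": ["203.0.113.10"],
    "multi.example.test": ["203.0.113.10", "192.168.0.10"],
}

def constructed_resolver(host):
    """Offline stand-in for DNS: return every record for the name."""
    return list(CONSTRUCTED_DNS.get(host, []))

def system_resolver(host):
    """Real lookup: every A/AAAA address the system resolver returns."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def is_blocked(addr):
    ip = ipaddress.ip_address(addr)
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it wraps.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)

def check_first_record_only(host, resolve=system_resolver):
    """Weak check (hypothetical): only the first record is validated."""
    addrs = resolve(host)
    return bool(addrs) and not is_blocked(addrs[0])

def resolve_and_pin(host, resolve=system_resolver):
    """Strict check: reject the host if ANY record is blocked.

    Returns the address the caller should connect to, so the request does
    not trigger a second, unvalidated lookup. Returns None when rejected.
    """
    addrs = resolve(host)
    if not addrs or any(is_blocked(a) for a in addrs):
        return None
    return addrs[0]

if __name__ == "__main__":
    for name in CONSTRUCTED_DNS:
        print(name, check_first_record_only(name, constructed_resolver),
              resolve_and_pin(name, constructed_resolver))
```

The HTTP client must then connect to the returned address (with the original name kept for the Host header and TLS verification) rather than resolving the hostname again.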
Created moodle tracking bugs for this issue:

Affects: epel-all [bug 1537469]
Affects: fedora-all [bug 1537470]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.