-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
              AUSCERT Security Bulletin ASB-2018.0219
        Multiple vulnerabilities have been identified in Moodle
                           19 September 2018
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Moodle
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Reduced Security                -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1999022 CVE-2018-14631 CVE-2018-14630

Member content until: Friday, October 19 2018

OVERVIEW

        Multiple vulnerabilities have been identified in Moodle prior to
        3.5.2, 3.4.5, 3.3.8 and 3.1.14. [1-3]

IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:

        "MSA-18-0017: Moodle XML import of ddwtos could lead to intentional
        remote code execution

        When importing legacy 'drag and drop into text' (ddwtos) type quiz
        questions, it was possible to inject and execute PHP code from
        within the imported questions, either intentionally or by importing
        questions from an untrusted source.

        Severity/Risk:     Serious
        Versions affected: 3.5 to 3.5.1, 3.4 to 3.4.4, 3.1 to 3.1.13 and
                           earlier unsupported versions
        Versions fixed:    3.5.2, 3.4.5, 3.3.8 and 3.1.14
        Reported by:       Johannes Moritz
        CVE identifier:    CVE-2018-14630
        Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62880
        Tracker issue:     MDL-62880 Moodle XML import of ddwtos could lead to
                           intentional remote code execution" [1]

        "MSA-18-0018: QuickForm library remote code vulnerability (upstream)

        A security vulnerability was reported against QuickForm, a third
        party library used by Moodle. Although no attack vector was
        identified within our software, Moodle has updated to patched
        versions of QuickForm as a precaution.

        Severity/Risk:     Minor
        Versions affected: 3.5 to 3.5.1, 3.4 to 3.4.4, 3.3 to 3.3.7,
                           3.1 to 3.1.13 and earlier unsupported versions
        Versions fixed:    3.5.2, 3.4.5, 3.3.8 and 3.1.14
        Reported by:       Dan Marsden
        CVE identifier:    CVE-2018-1999022 (PEAR HTML_QuickForm)
        Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62947
        Tracker issue:     MDL-62947 QuickForm library remote code
                           vulnerability (upstream)" [2]

        "MSA-18-0019: Boost theme - blog search GET parameter insufficiently
        filtered

        The breadcrumb navigation provided by Boost theme when displaying
        search results of a blog were insufficiently filtered, which could
        result in reflected XSS if a user followed a malicious link
        containing JavaScript in the search parameter.

        Severity/Risk:     Minor
        Versions affected: 3.5 to 3.5.1, 3.4 to 3.4.4, 3.3 to 3.3.7 and
                           earlier unsupported versions
        Versions fixed:    3.5.2, 3.4.5 and 3.3.8
        Reported by:       Michael Hawkins
        Workaround:        Use an alternative theme not based upon Boost
                           until the fix is applied.
        CVE identifier:    CVE-2018-14631
        Changes (master):  http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-62857
        Tracker issue:     MDL-62857 Boost theme - blog search GET parameter
                           insufficiently filtered" [3]

MITIGATION

        The vendor has stated that these issues have been corrected in
        versions 3.5.2, 3.4.5, 3.3.8 and 3.1.14. [1-3]

REFERENCES

        [1] MSA-18-0017: Moodle XML import of ddwtos could lead to
            intentional remote code execution
            https://moodle.org/mod/forum/discuss.php?d=376023

        [2] MSA-18-0018: QuickForm library remote code vulnerability
            (upstream)
            https://moodle.org/mod/forum/discuss.php?d=376024

        [3] MSA-18-0019: Boost theme - blog search GET parameter
            insufficiently filtered
            https://moodle.org/mod/forum/discuss.php?d=376025

        AusCERT has made every effort to ensure that the information
        contained in this document is accurate. However, the decision to use
        the information described is the responsibility of each user or
        organisation.
        The decision to follow or act on information or advice contained in
        this security bulletin is the responsibility of each user or
        organisation, and should be considered in accordance with your
        organisation's site policies and procedures. AusCERT takes no
        responsibility for consequences which may arise from following or
        acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW6LFY2aOgq3Tt24GAQhyjRAAiISu5Ls+nQ8XgB5pwekcEMIsTVpb5a/l
corPY0xP7QoQzBYgjLT74PNrlnco4YrqaNHAMf/XwoWvZfPM3yGbg4lQEmb54NJ1
qs3/qa7nbQTvLjYWmQGJCw2WGZEErAq5zcmb2H3kANhox5i5YqUbGshatWBn0Uva
DvyyYEOaKdNfo8o9NyzikwUx7kaq7fi7QZB69MRN0Hc0yc9t3xGtUBPRmpGeM2Uh
VB2xNJ/ZBu7Tvcsz2Uj45d56DMGg4MYI93QNXg02PAsGsMEHgjKMYDoaLTWeH3HS
fUU0hF8DN033s9ODTqfwXDaeR5tjZbYvnxvMRnym7JHkHM6L3EyBSE+PaghSRdx3
/b5RofBYrjn+PBSUUyUYSxdDVve0DD+tcwqYc9SirALIrJ432D5tgmXvdgY7YWyV
VY4EoTmFrFVb8jt4+4FiBCgnC2r8Hkhb+MgkG8CxPl2wwn09v35kKDEPHro3//fi
WjLDc8FzznFso5hhzf28pLrBKkk5wXvuuGfOILSVV/4rLXdfbZ1/PBHkOOfEcoZp
sUD70w/guudz6hg7MdzSXUPkKgtl/+pAan1do+8frS2k60qjwkoyVC287VwoP1My
fOtaNe7djHtK3ynF9p8f+DyjvhDlMie2M2CH2S+qp77DVrzYS80AAjNaPaZtaUGc
kHGNM/o3yHw=
=iNJ5
-----END PGP SIGNATURE-----
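Added below the signed bulletin as an editor's example (not AusCERT's or Moodle's code): a Python check that classifies a Moodle release string against the "Versions affected" and "Versions fixed" data transcribed from the three notices above, so an operator can tell at a glance whether an installed site falls inside the MITIGATION range. Assumptions made here: the fixed-release table is copied from the notices as printed (MSA-18-0017 names no 3.3 range as affected but does list 3.3.8 as fixed, and MSA-18-0019 names no 3.1 fix); the names `FIXED`, `SUPPORTED`, `parse_release`, `classify`, `check_release` and `needs_upgrade` are chosen for this example; a `+` weekly build is treated as its base patch level; and a supported branch that a notice does not name (3.1 for MSA-18-0019) is reported as `not_listed` rather than guessed either way.

```python
"""Classify a Moodle release string against the three Moodle notices in
AusCERT ASB-2018.0219 (MSA-18-0017, MSA-18-0018, MSA-18-0019).
Example code added by the editor; the version data is transcribed from the
notices, everything else is an assumption of this example."""
import re

# First fixed patch level per branch, from each notice's "Versions fixed".
FIXED = {
    "MSA-18-0017": {(3, 5): 2, (3, 4): 5, (3, 3): 8, (3, 1): 14},  # CVE-2018-14630
    "MSA-18-0018": {(3, 5): 2, (3, 4): 5, (3, 3): 8, (3, 1): 14},  # CVE-2018-1999022
    "MSA-18-0019": {(3, 5): 2, (3, 4): 5, (3, 3): 8},              # CVE-2018-14631
}

# Branches that received any fix in this bulletin, i.e. the branches the
# vendor was supporting at the time. Anything older falls under the notices'
# "and earlier unsupported versions".
SUPPORTED = {branch for fixed in FIXED.values() for branch in fixed}

# Moodle's $release looks like '3.5.1 (Build: 20180709)' or '3.5+ (Build: ...)'.
_RELEASE_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(\+)?")


def parse_release(release):
    """Return (major, minor, patch, weekly) for a Moodle $release string.
    '3.5' means 3.5.0; a trailing '+' marks a weekly build."""
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    major, minor, patch, plus = m.groups()
    return int(major), int(minor), int(patch or 0), plus is not None


def classify(release, advisory):
    """One of 'affected', 'fixed' or 'not_listed' for a single notice."""
    major, minor, patch, _weekly = parse_release(release)
    branch = (major, minor)
    fixed = FIXED[advisory]
    if branch in fixed:
        # A '+' weekly build is counted as its base patch level: the
        # bulletin only vouches for the tagged fixed release.
        return "affected" if patch < fixed[branch] else "fixed"
    if branch > max(SUPPORTED):
        return "fixed"        # newer than every branch named in the bulletin
    if branch in SUPPORTED:
        return "not_listed"   # supported branch this notice does not name
    return "affected"         # "earlier unsupported versions": no fix on branch


def check_release(release):
    """Map each notice to its classification for this release."""
    return {advisory: classify(release, advisory) for advisory in FIXED}


def needs_upgrade(release):
    """True when at least one notice in the bulletin still applies."""
    return any(status == "affected" for status in check_release(release).values())


if __name__ == "__main__":
    for r in ["3.5.1 (Build: 20180709)", "3.5.2", "3.3.7", "3.2.9",
              "3.1.13", "3.1.14", "2.9.3", "3.6"]:
        print(f"{r:26} {check_release(r)}  upgrade={needs_upgrade(r)}")
```

The release string to feed in is the `$release` value in `version.php` at the Moodle web root. A `not_listed` result (3.1.x against MSA-18-0019) means the notice names no fixed release on that branch; the bulletin does not say whether the branch carries the affected theme, so confirm that case against the vendor's reference [3] rather than from this table.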
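A second editor's example, also not part of the bulletin: detection logic for MSA-18-0019 that scans web-server access logs for requests to the blog search page whose `search` parameter carries markup or script, the "malicious link containing JavaScript in the search parameter" the notice describes. It decodes repeatedly so a double-URL-encoded payload is caught, and ignores the same parameter on other pages so the hits stay scoped to this notice. Assumptions: the log lines are constructed for the example, not real traffic; the `/blog/` path prefix is an assumption about where Moodle serves blog search; `SAMPLE_LOG`, `BLOG_PATH`, `PARAM`, `fully_decode`, `scan_line` and `scan_log` are names chosen here.

```python
"""Find reflected-XSS attempts against the blog search parameter in
combined-format access logs. Editor's example for MSA-18-0019; the sample
log lines are constructed and the /blog/ path is an assumption."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines (Apache/nginx "combined" format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Sep/2018:10:01:02 +1000] "GET /blog/index.php?search=security HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Sep/2018:10:01:09 +1000] "GET /blog/index.php?search=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Sep/2018:10:02:30 +1000] "GET /blog/index.php?search=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5300 "http://evil.example/" "Mozilla/5.0"
198.51.100.9 - - [19/Sep/2018:10:03:00 +1000] "GET /course/search.php?search=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markup or script in a value that is reflected into HTML: a tag open,
# a javascript: URL, or an on*= event handler attribute.
XSS_RE = re.compile(r'<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=', re.IGNORECASE)

BLOG_PATH = "/blog/"   # assumption: Moodle's blog search page lives under /blog/
PARAM = "search"       # the GET parameter named in MSA-18-0019


def fully_decode(value, rounds=3):
    """Undo nested URL encoding (up to `rounds` layers) until the value settles."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return a hit dict for a blog-search request carrying markup, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if BLOG_PATH not in parts.path:
        return None
    # parse_qs already removes one layer of percent-encoding.
    for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        payload = fully_decode(raw)
        if XSS_RE.search(payload):
            return {"ip": m["ip"], "time": m["ts"],
                    "status": int(m["status"]), "payload": payload}
    return None


def scan_log(text):
    """All hits in a log text, in file order."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']}  {hit['ip']:15}  {hit['status']}  {hit['payload']}")
```

A hit records an attempt, not a success: the fixed and the affected versions both answer 200, so the status code does not show whether the payload was reflected unescaped. Treat hits as a prompt to confirm the site is on one of the fixed releases in MITIGATION and, until it is, to apply the notice's workaround of a theme not based on Boost.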